
Re: Savannah update


From: Mark Wielaard
Subject: Re: Savannah update
Date: Mon, 15 Dec 2003 23:59:45 +0100

Hi all,

Attached is the latest savannah update.
They are still checking and setting up the system.
Another update is expected later this week.

We need to check if the person that compromised the system has tried to
change any code on the server.

There are now diffs available to check at:
ftp://ftp.gnu.org/savannah/changesets/classpath-changes.tar.gz
(636K - MD5: f2d0763a5d944610f40d0ca8752efa5b)

Unpacked this becomes 5.4MB of diffs...
So we first need to check the latest available tree against at least
libgcj and kaffe to see what the differences are and if they can be
explained. (I assume that both libgcj and kaffe have audited what they
merged into their own tree.) Then we have a list of files that are
certainly not compromised. Then we only need to check the diffs of the
files not yet merged into libgcj/kaffe.

I don't have a good plan for inetlib though. inetlib is in the same
changeset tarball and also has seen lots of changes during the
compromise... :{

The following information can help make the "clean-list":

On Wed, 2003-12-10 at 09:11, Mark Wielaard wrote:
> To access the latest CVS tree as it was just before savannah was shut
> down use:
> cvs -d:ext:address@hidden:/cvs-latest/classpath co classpath

Please let me know if you can help check the integrity of the code.

Cheers,

Mark
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                        Sunday 14 December 2003, 06:18 EST

Regular Savannah services, including cvs commit access and Savannah's web
interface, remain down.  We continue to investigate a number of software
vulnerabilities that we believe may have contributed to the crack on
Savannah.  We must be certain that any security problems are addressed
before we put the software back up for public use.  We will also publish
our findings to assist other Free Software sites and to encourage general
improvement of commonly used Free Software infrastructure.

At this time, I am pleased to announce that the results of the automated
comparison between the last trusted CVS trees and the current trees are
available.  You can download yours at:

     ftp://ftp.gnu.org/savannah/changesets/FOO-changes.tar.gz

where "FOO" refers to the name of your package.  GPG signed md5sums of all
the FOO-changes.tar.gz files can be found at
<URL:ftp://ftp.gnu.org/savannah/changesets/md5sums.asc>.


Each package with changes made after the trusted backup has a
corresponding file on ftp.gnu.org.  If a package contains no changes, or
subversions/savannah is not the canonical location of a package's CVS
tree, then the tar file described above will not exist for that package.

Each tar file contains a set of diff files.  Each diff file corresponds to
one CVS branch.  The diffs start from the latest version in a branch and
extend back to the last version of the file verified against a backup.

These difference sets should assist you in auditing your software.  Once
you have audited your packages, please contact
<address@hidden>, and let us know the results.


Some savannah users have noticed some inconsistencies in our backup.  In
some instances, while the tree itself is dated 16 September 2003, some
files might be older because they were not properly copied due to an rsync
bug.  We believe that these problems were introduced by the deflate rsync
bug (documented at
<URL:http://lists.samba.org/archive/rsync/2003-July/006518.html>).  So, we
suggest you focus on the versions themselves, rather than by-date
comparisons.  The difference sets should help in that work.


Finally, we have confirmed that the current tree, when its subversions
are compared to the equivalent subversions in the "16 September" tree,
match completely, or have trivial differences that can be explained.


We continue working as quickly as we can to bring the services back
online.  We will post another update on the evening (EST) of Wednesday 17
December 2003.


Sincerely,

Bradley M. Kuhn
Executive Director, Free Software Foundation
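A small helper for the audit workflow described above, added here as an illustration and not part of Mark's or Savannah's own tooling: it checks a downloaded changeset tarball against the published MD5, splits a CVS `diff -u` stream on its `Index:` headers to count changed lines per file, and subtracts the files already on the "clean-list" (those shown identical to an independently audited tree such as libgcj or kaffe) so only the remaining files need manual review. The sample diff and clean-list are constructed, not real Classpath content.

```python
import hashlib

PUBLISHED_MD5 = "f2d0763a5d944610f40d0ca8752efa5b"  # value given in the message above

def md5_matches(tarball: bytes, expected: str = PUBLISHED_MD5) -> bool:
    # Check the downloaded changeset tarball against the published checksum first.
    return hashlib.md5(tarball).hexdigest() == expected.lower()

def changes_per_file(diff_text: str) -> dict:
    # Split a 'cvs diff -u' stream on its 'Index:' headers and count added and
    # removed lines per file; the '+++'/'---' file headers themselves are skipped.
    counts, current = {}, None
    for line in diff_text.splitlines():
        if line.startswith("Index: "):
            current = line[len("Index: "):].strip()
            counts[current] = {"added": 0, "removed": 0}
        elif current is None or line.startswith(("+++ ", "--- ")):
            continue
        elif line.startswith("+"):
            counts[current]["added"] += 1
        elif line.startswith("-"):
            counts[current]["removed"] += 1
    return counts

def audit_worklist(diff_text: str, clean_list) -> list:
    # Files the diffs touch that are not on the clean-list (already verified
    # against an independently audited tree), largest change first.
    clean = set(clean_list)
    todo = {f: c for f, c in changes_per_file(diff_text).items() if f not in clean}
    return sorted(todo, key=lambda f: -(todo[f]["added"] + todo[f]["removed"]))

# Constructed sample in the layout 'cvs diff -u' emits; not real Classpath content.
SAMPLE_DIFF = """\
Index: java/net/Socket.java
===================================================================
--- java/net/Socket.java\t1 Oct 2003 10:00:00 -0000\t1.20
+++ java/net/Socket.java\t2 Dec 2003 10:00:00 -0000\t1.21
@@ -10,2 +10,3 @@
 public class Socket {
-  private int timeout;
+  private int soTimeout;
+  private boolean bound;
Index: java/lang/Object.java
===================================================================
--- java/lang/Object.java\t1 Oct 2003 10:00:00 -0000\t1.5
+++ java/lang/Object.java\t2 Dec 2003 10:00:00 -0000\t1.6
@@ -1 +1 @@
-// Copyright 2002
+// Copyright 2002, 2003
"""
```

Running `audit_worklist(SAMPLE_DIFF, ["java/lang/Object.java"])` leaves only `java/net/Socket.java` to review by hand.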
