"SquirrelMail Repository Poisoned" (slashdot)

Paul Wouters paul at xelerance.com
Wed Dec 19 20:12:09 UTC 2007

On Wed, 19 Dec 2007, Paul Vixie wrote:

> Subject : Re: "SquirrelMail Repository Poisoned" (slashdot)

> could something like this happen in BIND and go unnoticed?
> http://it.slashdot.org/article.pl?sid=07/12/18/1847233

The title "repository poisoned" it a bit confusing. It was not the
"source repository" but the "source distribution" that was
compromised. This could happen to anyone, but people should
fetch the code regularly from their own web/ftp server and verify
it against their local checksum. I am not sure if BIND is doing

As a side note, one of the good features of git is that every commit is
a sha1 hash. In case of a compromise of the source repository (versus
a compromise in source distribution archive files), your first next
'git push' would tell you there is a problem and refuse to commit.

tcpdump and openswan do daily checks on their public web/ftp servers
for source distribution file compromise. Openswan is also using git as
their source repository, ensuring instant detection of source repository
compromise. (I believe tcpdump is still using CVS)

Perhaps it would be an idea to setup a serive where people can submit
a url with a hash, and request daily checks on the integrity of the
distribution files.


More information about the bind-workers mailing list