"SquirrelMail Repository Poisoned" (slashdot)

Jeffrey Ollie jeff at ocjtech.us
Wed Dec 19 20:13:04 UTC 2007

On 12/19/07, Paul Vixie <Paul_Vixie at isc.org> wrote:
> could something like this happen in BIND and go unnoticed?
> http://it.slashdot.org/article.pl?sid=07/12/18/1847233

I think that this is more of a social issue than a technical issue -
from what I can tell the squirrelmail folks were doing the "right
things" by publishing GPG signatures of their files.  What needs to
happen next is that people (end users and distribution packagers, not
the project developers) actually need to start checking the GPG
signatures of the files and need to build up the web of trust so that
they know the GPG key that was used to sign the tarball is the right
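As an added example, not part of this thread and not code from SquirrelMail, ISC or any other project: the check the post is asking end users and packagers to perform, written in POSIX sh. The point it makes concrete is that a "Good signature" line from gpg is not enough on its own; a tarball replaced on a compromised mirror could be re-signed with any key, so the verifier has to pin the fingerprint of the key it obtained out of band (via the web of trust) and reject anything else. The fingerprint, the key user ID and the gpg status lines below are constructed placeholders, and the `verify_tarball` and `check_status` function names are my own.

```shell
#!/bin/sh
# Added example: verify a release tarball's detached GPG signature and
# insist that the signing key is the one we already trust.

# Fingerprint of the key we expect to have signed the release.
# CONSTRUCTED PLACEHOLDER: replace with the fingerprint obtained out of
# band (key-signing party, trusted introducer, the project's signed
# key list), never with one copied from the same mirror as the tarball.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status STATUS_TEXT
# Takes gpg's machine-readable --status-fd output and returns 0 only when
# it contains a VALIDSIG line whose signing-key fingerprint (field 3)
# equals EXPECTED_FPR.  A valid signature from any other key, a BADSIG,
# or no signature at all returns 1.
check_status() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_tarball TARBALL SIGFILE KEYRING
# Runs gpg against a dedicated keyring (so stray keys in the default
# keyring cannot satisfy the check) and feeds the status output to
# check_status.  Usage:
#   verify_tarball squirrelmail-1.4.13.tar.gz squirrelmail-1.4.13.tar.gz.asc ./release-keys.gpg
verify_tarball() {
    tarball=$1; sigfile=$2; keyring=$3
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null)
    check_status "$status"
}

# --- CONSTRUCTED sample status output, for exercising check_status offline ---

# Signature made by the pinned key: must pass.
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Project Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-12-18 1197990000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp"

# Valid signature, but from a different key (what a repository poisoner
# who re-signs the tarball would produce): must fail.
WRONG_KEY_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <someone@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2007-12-18 1197990000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp"

# Tampered file: signature does not verify at all: must fail.
BAD_SIG_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Project Release Key <release@example.org>"

# Stand-alone demonstration over the constructed samples.
demo() {
    for name in GOOD_STATUS WRONG_KEY_STATUS BAD_SIG_STATUS; do
        eval "sample=\$$name"
        if check_status "$sample"; then
            echo "$name: accepted"
        else
            echo "$name: rejected"
        fi
    done
}

# Run the demo only when executed directly, not when sourced.
[ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ] && demo
```

The `--status-fd` output is parsed instead of the human-readable "Good signature from ..." text because the latter is localised and includes the user ID, which any key holder can set to whatever they like; the fingerprint on the `VALIDSIG` line is the only thing that ties the signature to a specific key. Using a separate keyring for release keys keeps the check from passing just because some unrelated key happened to be imported earlier.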


