Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 29279

Summary: Athlon-XP Live-cd changed md5 sum without timestamp update - compromised?
Product: Gentoo Release Media Reporter: sapienter <novampware>
Component: EverythingAssignee: Bob Johnson (RETIRED) <livewire>
Status: RESOLVED FIXED    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
URL: http://forums.gentoo.org/viewtopic.php?t=87278
Whiteboard:
Package list:
Runtime testing required: ---

Description sapienter 2003-09-21 11:47:13 UTC
Please see forum post for extreem detail.  But the Athlon-XP live-CD 1 changed, 
and its connected md5.txt changed to match the new content, yet it does not 
appear to have been officially updated, either by the filename changing or the 
timestamp changing.  It has been in the forums for over 24 hours without any 
truly informed info being added, and the developer I was able to IRC'd said to 
submit a bug report because: "if it were an update, the name of the ISO should 
have a timestamp reflecting that".  Please check the forum for details about 
the simple explenations I have ruled out.

Reproducible: Always
Steps to Reproduce:
1.Check all the mirrors for current md5 and timestamp
2.Check older download or CD for different md5 on same files with same mod date


Actual Results:  
I only have older txt.md5 files, not any older athlon-XP livec-cd disk 1 isos 
to check.

Expected Results:  
I expected the timestamp and filename to update

The untrusted (AFAIK) livecd appears to function in my sparkgap firewalled box, 
but has it been compromised?  The docs claim only from 9-11, and emerge doesnt 
have the OpenSSH fix, so I don't see any WHITEHAT updates.  I have it as 
blocker because I am not willing to use it untill I can tell it has not been 
compromised.
Comment 1 Benjamin Judas (RETIRED) gentoo-dev 2004-05-11 21:46:15 UTC
I think we can close this as fixed now?