jdow wrote: > Thou art righteously screwed, Mr. Jim. > > 5.0 is not released yet. You MAY have a hacked nasty-tool on your system. MAY is a bit different from the certainty of a righteous screwing. I seriously doubt he should be more worried than you or I on a previous Fedora release. > Poor sucker. (At fedora's site at RedHat.com the FC 5 directory is not > world readable yet.) To be fair, when you install anything you MAY be installing something bad, no matter if you got it from RHAT. They get their sources from other projects and I seriously doubt someone line-by-lines them after download. There continue to be attempts by bad people to backdoor upstream project sources, including the kernel itself, in ways that are hard to detect. We happily assume that every attempt known about is indeed every attempt. It seems to be a bit of a tradition that FCx leaks a little early after it is finalized but while the mirrors are sync'd, and as somebody noted the SHA-1s are signed with a RHAT key. However if it were me I would download the thing but not install it until I checked the SHA-1s after RHAT release, that way you at least optimized out the download time in the most likely case it is genuine. -Andy
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
