[Uim] Don't download tarballs, don't checkout from svn repository

TOKUNAGA Hiroyuki tkng at xem.jp
Sun Nov 21 22:03:17 EET 2004


Our detailed situation:

There's no svn repository confirmed as 'uncompromised'. So, we need to
check the diff between our repository and the tarball. (The tarball isn't
compromised; this can be confirmed by sha1sum.)

I uploaded uim-0.4.5.tar.gz to my site.

  http://xem.jp/~tkng/uim-0.4.5.tar.gz
  sha1sum: a7f11c914bb8a6e23190fa9781892d8b3d3267f8  uim-0.4.5.tar.gz


We can get the repository (which may be compromised) by
$ rsync -a gabe.freedesktop.org::compromised-svn/uim .

I checked the diff between uim-0.4.5.tar.gz and tags/uim-0.4.5.

There's no difference. So I can say tags/uim-0.4.5 is uncompromised.

Next, I checked the diff between tags/uim-0.4.5 and trunk/ at revision 1511
with the following command. (rev 1511 is the revision at which 0.4.5 was released.)

$ svn diff file:///home/tkng/tmp/repos/uim-compromised/tags/uim-0.4.5@1511 \
  file:///home/tkng/tmp/repos/uim-compromised/trunk@1511

There are some differences, because trunk was changed almost every day. I
confirmed by eye that there's no suspicious difference. I use the words
'suspicious difference' to mean 'downloading a suspicious file from
somewhere, patching in suspicious code, etc.'
I cannot understand all of the differences committed by other
committers, so possibly a potential security hole was devised, e.g. a
buffer overflow or integer overflow. But the likelihood of such erosion is
very low; the differences seem reasonable to me.

So, I can say that revision 1511 is uncompromised. The rest of the work is
confirming revision 1511 against head.


Regards,

-- 
TOKUNAGA Hiroyuki
http://kodou.net/
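The verification procedure described in the mail (check the tarball hash, compare the unpacked tarball against the tagged tree, then diff the tag against trunk at the release revision), as an added shell example that is not part of the original message or the uim project. It assumes sha1sum, tar, diff, rsync and svn are installed, that the tarball unpacks into a directory named after the tag (uim-0.4.5), and that the local repository mirror lives at the path the mail shows; the hash is the one given in the mail.

```shell
#!/bin/sh
# Added example: reproduce the uim 0.4.5 verification steps as functions.
# Assumptions (not from the mail): tarball unpacks to a directory named
# like the tag; svn/rsync/sha1sum/diff are available on PATH.
set -e

# Hash published in the mail for uim-0.4.5.tar.gz.
EXPECTED_SHA1="a7f11c914bb8a6e23190fa9781892d8b3d3267f8"

# Step 1: compare a downloaded file against a hash received over a
# separate channel (here, the mailing list). Returns 0 on match.
check_sha1() {
    file="$1"; expected="$2"
    actual=$(sha1sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Step 2: compare two unpacked trees, ignoring Subversion metadata.
# Returns 0 when there is no difference at all.
trees_identical() {
    diff -r -q -x .svn "$1" "$2" >/dev/null
}

# Step 3: diff the tag against trunk inside the (possibly compromised)
# local mirror, both pinned to the release revision.
diff_tag_vs_trunk() {
    repo="$1"; tag="$2"; rev="$3"
    svn diff "file://$repo/tags/$tag@$rev" "file://$repo/trunk@$rev"
}

# Whole procedure: stop at the first step that fails, because later
# comparisons only mean something if the earlier reference is trusted.
verify_release() {
    tarball="$1"; expected="$2"; repo="$3"; tag="$4"; rev="$5"
    check_sha1 "$tarball" "$expected" \
        || { echo "sha1 mismatch: $tarball" >&2; return 1; }
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    svn export -q "file://$repo/tags/$tag@$rev" "$work/exported-tag"
    trees_identical "$work/$tag" "$work/exported-tag" \
        || { echo "tarball differs from tags/$tag@$rev" >&2; return 1; }
    # Remaining differences are trunk commits after the tag; review by hand.
    diff_tag_vs_trunk "$repo" "$tag" "$rev"
}

# Run the full procedure only when explicitly asked, e.g.
#   RUN_VERIFY=1 sh verify-uim.sh
# after: rsync -a gabe.freedesktop.org::compromised-svn/uim \
#                /home/tkng/tmp/repos/uim-compromised
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    verify_release uim-0.4.5.tar.gz "$EXPECTED_SHA1" \
        /home/tkng/tmp/repos/uim-compromised uim-0.4.5 1511
fi
```

The hash check only helps if the expected value comes from somewhere other than the server that served the tarball; the tarball-versus-tag diff then turns that one trusted artifact into a trusted repository revision, and the tag-versus-trunk diff is the part that still has to be read by a person.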


