From: grarpamp <gra...@gm...> - 2010-01-13 22:57:09

> http://lwn.net/Articles/369633/rss
> Apparently no code was tampered with.

That would be pretty hard to prove if the only source for comparison was the code repository itself and its descendants, such as backups, mirrors, releases and developer/user copies. At least the fetchmail releases are signed via OpenPGP. That's a good thing. But how many of them, dating back to 2005, were rolled from, or co-mingled with, that repository? Now if the repository had builtin cryptographic checksums, as does git-scm.com, it would be quite easy to check and thus leave off the 'apparently', and say much more authoritatively: 'no code was tampered with'. And since releases would include a sig over the hash of the revision used to create the release, anyone on the planet could verify their repo copy was also good. code.google.com offers git repos, etc. Oh wait, I'm dreaming again, the world will never change :) Thanks for fetchmail though, been using it daily for years.
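As an added illustration of the "builtin cryptographic checksums" point above (example code written for this page, not the poster's and not fetchmail's): a minimal re-implementation in Python of how git names objects by hashing their content, chained through a constructed two-revision history, with a constructed "signed tip" hash standing in for the revision hash a release signature would cover. It assumes a flat tree of regular files and a fixed author line so the hashes are deterministic.

```python
import hashlib

def git_object_id(kind, body):
    """SHA-1 over "<type> <size>\\0<body>", exactly as git names its objects."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(files):
    # Assumption: one flat directory of regular files (mode 100644), sorted by name.
    body = b"".join(f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
                    for name in sorted(files))
    return git_object_id("tree", body)

def commit_id(tree_hex, parent_hex, message):
    # Constructed, fixed author/committer line so that hashes are reproducible.
    ident = "Dev <dev@example.invalid> 1136073600 +0000"
    lines = [f"tree {tree_hex}"]
    if parent_hex:
        lines.append(f"parent {parent_hex}")   # the commit id covers its parent
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", "\n".join(lines).encode() + b"\n")

def tip_of_history(snapshots):
    """Chain the snapshots into commits; the tip id transitively covers everything."""
    parent = None
    for i, files in enumerate(snapshots):
        parent = commit_id(tree_id(files), parent, f"revision {i}")
    return parent

def verify_release(snapshots, signed_tip):
    """signed_tip is the revision hash a release signature would have covered."""
    return tip_of_history(snapshots) == signed_tip

# Constructed sample history: two revisions of a tiny project.
HISTORY = [
    {"fetchmail.c": b"int main(void) { return 0; }\n"},
    {"fetchmail.c": b"int main(void) { return 0; }\n", "NEWS": b"release 6.3\n"},
]
SIGNED_TIP = tip_of_history(HISTORY)   # the value a release would carry a sig over

# A single byte changed in the *earliest* revision: the tip no longer matches.
TAMPERED = [dict(HISTORY[0]), dict(HISTORY[1])]
TAMPERED[0]["fetchmail.c"] = b"int main(void) { return 1; }\n"

if __name__ == "__main__":
    print("clean copy verifies:   ", verify_release(HISTORY, SIGNED_TIP))
    print("altered copy verifies: ", verify_release(TAMPERED, SIGNED_TIP))
```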