On Mar 6, Malte Gell <malte.gell@gmx.de> wrote:
On Wednesday 01 March 2006 10:24, Marcus Meissner wrote:
Hello,
        Package:                gpg,liby2util
        Announcement ID:        SUSE-SA:2006:013
        Date:                   Wed, 01 Mar 2006 11:00:00 +0000
        Affected Products:      SUSE LINUX 10.0
The longer I think about this, the more this bug frightens me... For so many years up to now it was possible to foist malicious code with faulty gpg signatures... Has there ever been evidence that someone made use of this terribly severe bug?
I don't think so. Luckily, fou4s [1] has not used the return value at all during the past 3 years. It used the text output of the gpg --verify command and was therefore immune to that problem. This also proves that at least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, and lately also suse.inode.at) no manipulated packages were placed. Of course this is not guaranteed for other mirrors, but maybe other fou4s users can give you some assurance there as well.

Markus

[1] http://fou4s.gaugusch.at

-- 
__________________          /"\
Markus Gaugusch             \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at        X     Against HTML Mail
                            / \
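The point made in the reply above, deciding from what gpg reports rather than from its return value alone, shown as an added example that is not fou4s's code or part of the thread. It goes one step beyond the human-readable text and parses gpg's machine-readable status lines (`--status-fd`); the key ID, fingerprint, sample lines and function names are constructed for illustration.

```python
# Added example: accept a signature only when gpg's status lines say so.
# Status text would come from: gpg --status-fd 1 --verify pkg.sig pkg
PREFIX = "[GNUPG:] "

# Status keywords that must never appear for an accepted signature.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
         "NODATA", "NO_PUBKEY"}

# Constructed sample data: fingerprint, key ID and user ID are made up.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Build Key <build@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2006-03-01 1141210800 0 3 0 17 2 00 {FPR}\n"
)
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Build Key <build@example.org>\n"


def parse_status(text):
    """Yield (keyword, args) for each status line; ignore all other output."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]


def signature_ok(status_text, trusted_fprs, exit_code=0):
    """True only for exactly one VALIDSIG from a pinned key and no failures.

    The exit code is an extra condition, never the sole evidence: empty or
    contradictory status output is rejected even when exit_code is 0.
    """
    valid = []
    for keyword, args in parse_status(status_text):
        if keyword in FATAL:
            return False
        if keyword == "VALIDSIG" and args:
            valid.append(args[0].upper())
    return exit_code == 0 and len(valid) == 1 and valid[0] in trusted_fprs


if __name__ == "__main__":
    print("good signature, pinned key:", signature_ok(GOOD, {FPR}))
    print("bad signature, exit code 0:", signature_ok(BAD, {FPR}, 0))
    print("no status output, exit code 0:", signature_ok("", {FPR}, 0))
```
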