There's something to consider about Chris Evans blog post as of July 3 :
> An incident, what fun! Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor.
> $ gpg ./vsftpd-2.3.4.tar.gz.asc
> gpg: Signature made Tue 15 Feb 2011 02:38:11 PM PST using DSA key ID 3C0E751C
> gpg: BAD signature from "Chris Evans <email@example.com>"
> The backdoor payload is interesting. In response to a
smiley face in the FTP username, a TCP callback shell is attempted.
> There is no obfuscation.
I have a question: how does that relate to our package building process, and are GPG signatures verified?
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306
devel mailing list