helium.ruby-lang.org was cracked

Shugo Maeda

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

= helium.ruby-lang.org was cracked

May 29 2004

Thanks for using services at ruby-lang.org.

On Fri May 28, we found that someone cracked helium.ruby-lang.org
via CVS.

Fortunately, the cvs process was running in the chroot environment,
so the affects to other services/contents were not so probable, but
we are confirming it now.
Currently there are no interpolations found out of the chroot
environment.

The most worrisome contents are the CVS repositories, but these
distributions are not affected at least.

5d52c7d0e6a6eb6e3bc68d77e794898e ruby-1.8.1.tar.gz
bf48d49dbd94b5c0eda5f75b3bfbac16 ruby-1.6.8.tar.gz

The mailing list services are restarted, but CVS/WWW/FTP/RSYNC
are stopped yet, sorry.

Further information will be provided on http://www.ruby-lang.org/.
For more information, send mail to (e-mail address removed) please.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAuDstZ3GizHGDKdwRAtgjAKCR84HECIzMmVN7VqQmc5LVMaRAXQCdG3rx
lJTsmUhbEVAPkeWErVEHbig=
=67cw
-----END PGP SIGNATURE-----
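
An added example, not part of the original announcement or any ruby-lang.org tooling: a Ruby script that takes digest lines only from inside the PGP-signed body of an announcement like the one above, so copies quoted in unsigned replies are ignored, and checks local tarballs against them. The function and constant names are hypothetical, the embedded excerpt has its signature elided, and the script assumes the full message has already passed `gpg --verify`.

```ruby
require "digest"

# Excerpt of the announcement above. The signature data is elided, so run
# `gpg --verify` on the full original message, not on this excerpt.
ANNOUNCEMENT = <<~MSG
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  The most worrisome contents are the CVS repositories, but these
  distributions are not affected at least.

  5d52c7d0e6a6eb6e3bc68d77e794898e ruby-1.8.1.tar.gz
  bf48d49dbd94b5c0eda5f75b3bfbac16 ruby-1.6.8.tar.gz

  -----BEGIN PGP SIGNATURE-----
  [signature elided]
  -----END PGP SIGNATURE-----
MSG

# Text between the two armor lines is the only part the signature covers.
SIGNED_BODY = /^-----BEGIN PGP SIGNED MESSAGE-----\r?\n(.*?)\r?\n-----BEGIN PGP SIGNATURE-----/m
DIGEST_LINE = /\A(\h{32})\s+(\S+)\z/ # "<md5 hex> <filename>", as in the post

# Returns {filename => md5 hex} for digest lines inside the signed body.
def published_digests(message)
  body = message[SIGNED_BODY, 1] or raise ArgumentError, "not a clearsigned message"
  body.each_line.filter_map do |line|
    m = DIGEST_LINE.match(line.strip)
    [m[2], m[1].downcase] if m
  end.to_h
end

# Returns {filename => :ok | :mismatch | :missing} for the files in dir.
def check_tarballs(digests, dir)
  digests.to_h do |name, expected|
    path = File.join(dir, File.basename(name)) # never follow paths from the list
    status =
      if !File.file?(path) then :missing
      elsif Digest::MD5.file(path).hexdigest == expected then :ok
      else :mismatch
      end
    [name, status]
  end
end

if ARGV.size == 2 # usage: ruby check.rb announcement.asc download_dir
  results = check_tarballs(published_digests(File.read(ARGV[0])), ARGV[1])
  results.each { |name, status| puts "#{status}\t#{name}" }
  exit(results.values.all?(:ok) ? 0 : 1)
end
```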
 
Randy Lawrence

Shugo said:
> -----BEGIN PGP SIGNED MESSAGE-----
> [...]
> On Fri May 28, we found that someone cracked helium.ruby-lang.org
> via CVS.
> [...]
> The most worrisome contents are the CVS repositories, but these
> distributions are not affected at least.
>
> 5d52c7d0e6a6eb6e3bc68d77e794898e ruby-1.8.1.tar.gz
> bf48d49dbd94b5c0eda5f75b3bfbac16 ruby-1.6.8.tar.gz
> [...]

Do we know if the stable-snapshot in CVS was modified?

I noticed when I installed stable-snapshot recently, the version number
was 1.8.2 instead of 1.8.1.

Isn't the stable-snapshot supposed to be 1.8.1 too until 1.8.2 is
officially released?
 
NAKAMURA, Hiroshi

Hi,

Randy said:
> Do we know if the stable-snapshot in CVS was modified?

No. We are still working for checking. For now, confirmed versions are
only official releases of 1.6.8 and 1.8.1.

> I noticed when I installed stable-snapshot recently, the version number
> was 1.8.2 instead of 1.8.1.
>
> Isn't the stable-snapshot supposed to be 1.8.1 too until 1.8.2 is
> officially released?

Stable-snapshots released at ruby-lang.org have a version string "1.8.2"
since 2004-05-14T21:26:15+00:00. In ruby, once matz decided to prepare
an official release, he incremented version.h. And preparing the
official release generally takes a few weeks/months.

Regards,
// NaHi
 
Randy Lawrence

> Hi,
>
> No. We are still working for checking. For now, confirmed versions are
> only official releases of 1.6.8 and 1.8.1.
>
> Stable-snapshots released at ruby-lang.org have a version string "1.8.2"
> since 2004-05-14T21:26:15+00:00. In ruby, once matz decided to prepare
> an official release, he incremented version.h. And preparing the
> official release generally takes a few weeks/months.
>
> Regards,
> // NaHi

Thanks.

In general, is stable-snapshot more reliable (bug-free) than the release
version?
 
Yukihiro Matsumoto

Hi,

First of all, you haven't found any evidence of CVS repository
modification by the crackers after investigation, although we can't
prove 100%. I think you can trust your stable snapshot.

In message "Re: helium.ruby-lang.org was cracked"

|In general, is stable-snapshot more reliable (bug-free) than the release
|version?

Yes.

matz.
 
