[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[Libevent-users] Source packages weirdness; probably a real problem

Hi,

Something weird is going on with libevent source packages:

* Their gpg signatures check, they have always check.
* I'm using MXE which also verifies a (sha1) checksum:
 + Version 2.0.22, downloaded about a week ago, had the checksum of what
2.0.21 has now... that shouldn't happen.
 + Version 2.0.21 currently has a different checksum to what it had
originally, about a year ago... that also shouldn't happen.
* Using those versions results in part of my app not working, the part
that uses libevent to set up a http/RPC server... this proves that at
least version 2.0.21 is not what it was originally (i.e. I've used it
many times over the last year to build my app, and it worked fine).

Any ideas?

I haven't tried to find what the problem is, but from my point of view,
it looks like a security break at your end, and a result that I cannot
trust on my end (not only that it doesn't work, but I can't be sure is
not doing something else).
-- 
Renà Berber

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature