On 5/31/2015 3:29 PM, Nick Mathewson wrote:
> RenÃ, could you be really precise about what urls and signatures and
> checksums you mean?
https://github.com/downloads/libevent/libevent/libevent-2.0.21-stable.tar.gz{,.asc}
current sha1sum: 3e6674772eb77de24908c6267c698146420ab699
Nov 19, 2012 sha1sum: 8a8813b2173b374cb64260245d7094fa81176854
https://sourceforge.net/projects/levent/files/libevent/libevent-2.0/libevent-2.0.22-stable.tar.gz{,.asc}
current sha1sum: a586882bc93a208318c70fc7077ed8fca9862864
last week sha1sum: 3e6674772eb77de24908c6267c698146420ab699
> More likely than a security breach imo is that we messed something up
> when we were trying to move packages off sourceforge. Still, it bears
> investigating.
As I said, my test was indirect: building an app (which was released to
about 3,000 users until I took it down).
I found the original 2.0.21 code (decompressed in my debug sources
directory). Making a tar.gz results in a different checksum, but they
compare as the same.
--
Renà Berber
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature