Helium.ruby-lang.org was cracked

May 29 2004

Thanks for using services at ruby-lang.org.

On Fri May 28, we found that someone cracked helium.ruby-lang.org
via CVS.

Fortunately, the cvs process was running in the chroot environment,
so the effects on other services/contents were not so probable, but
we are confirming it now.
Currently there are no interpolations found out of the chroot
environment.

The most worrisome contents are the CVS repositories, but these
distributions are not affected at least.

5d52c7d0e6a6eb6e3bc68d77e794898e ruby-1.8.1.tar.gz
bf48d49dbd94b5c0eda5f75b3bfbac16 ruby-1.6.8.tar.gz

The mailing list services have been restarted, but CVS/WWW/FTP/RSYNC
are still stopped, sorry.

Further information will be provided on http://www.ruby-lang.org/.
For more information, send mail to admin@ruby-lang.org please.
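
Added example, not part of the original announcement or of the ruby-lang.org tooling: a Ruby check of downloaded tarballs against the two MD5 digests listed above. The names `parse_manifest` and `verify_files` are hypothetical, and the digests are only as trustworthy as the signed message they were copied from.

```ruby
require "digest/md5"

# Digests copied from the announcement (md5sum layout: "<hex> <name>").
ANNOUNCED = <<~LIST
  5d52c7d0e6a6eb6e3bc68d77e794898e ruby-1.8.1.tar.gz
  bf48d49dbd94b5c0eda5f75b3bfbac16 ruby-1.6.8.tar.gz
LIST

# Parse md5sum-style lines into { filename => lowercase hex digest }.
# A malformed line raises, so a truncated or edited list is never
# silently accepted. Filenames containing whitespace are rejected.
def parse_manifest(text)
  text.each_line.map(&:strip).reject(&:empty?).to_h do |line|
    m = /\A([0-9a-fA-F]{32})\s+\*?(\S+)\z/.match(line) or
      raise ArgumentError, "malformed manifest line: #{line.inspect}"
    [m[2], m[1].downcase]
  end
end

# Check every listed file under dir.
# Returns { filename => :ok | :mismatch | :missing }.
def verify_files(manifest, dir)
  manifest.to_h do |name, expected|
    # Use only the basename so a manifest entry cannot point outside dir.
    path = File.join(dir, File.basename(name))
    status =
      if !File.file?(path)
        :missing
      elsif Digest::MD5.file(path).hexdigest == expected
        :ok
      else
        :mismatch
      end
    [name, status]
  end
end
```

Call `verify_files(parse_manifest(ANNOUNCED), "/path/to/downloads")` and treat anything other than `:ok` for a file as a failed check.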

Shugo Maeda wrote:

-----BEGIN PGP SIGNED MESSAGE-----
[…]
On Fri May 28, we found that someone cracked helium.ruby-lang.org
via CVS.
[…]
The most worrisome contents are the CVS repositories, but these
distributions are not affected at least.

5d52c7d0e6a6eb6e3bc68d77e794898e ruby-1.8.1.tar.gz
bf48d49dbd94b5c0eda5f75b3bfbac16 ruby-1.6.8.tar.gz
[…]

Do we know if the stable-snapshot in CVS was modified?

I noticed when I installed stable-snapshot recently, the version number
was 1.8.2 instead of 1.8.1.

Isn’t the stable-snapshot supposed to be 1.8.1 too until 1.8.2 is
officially released?

Hi,

Randy Lawrence wrote:

Do we know if the stable-snapshot in CVS was modified?

No. We are still working on checking. For now, the only confirmed versions
are the official releases of 1.6.8 and 1.8.1.

I noticed when I installed stable-snapshot recently, the version number
was 1.8.2 instead of 1.8.1.

Isn’t the stable-snapshot supposed to be 1.8.1 too until 1.8.2 is
officially released?

Stable-snapshots released at ruby-lang.org have a version string “1.8.2”
since 2004-05-14T21:26:15+00:00. In ruby, once matz decided to prepare
an official release, he incremented version.h. And preparing the
official release generally takes a few weeks/months.

Regards,
// NaHi

NAKAMURA, Hiroshi wrote:

Hi,

Randy Lawrence wrote:

Do we know if the stable-snapshot in CVS was modified?

No. We are still working on checking. For now, the only confirmed versions
are the official releases of 1.6.8 and 1.8.1.

I noticed when I installed stable-snapshot recently, the version
number was 1.8.2 instead of 1.8.1.

Isn’t the stable-snapshot supposed to be 1.8.1 too until 1.8.2 is
officially released?

Stable-snapshots released at ruby-lang.org have a version string “1.8.2”
since 2004-05-14T21:26:15+00:00. In ruby, once matz decided to prepare
an official release, he incremented version.h. And preparing the
official release generally takes a few weeks/months.

Regards,
// NaHi

Thanks.

In general, is stable-snapshot more reliable (bug-free) than the release
version?

Hi,

First of all, you haven’t found any evidence of CVS repository
modification by the crackers after investigation, although we can’t
prove 100%. I think you can trust your stable snapshot.

In message “Re: helium.ruby-lang.org was cracked” on 04/05/31, Randy Lawrence jm@zzzzzzzzzzzz.com writes:

In general, is stable-snapshot more reliable (bug-free) than the release
version?

Yes.

						matz.