v3.8p1 from 02/24/2003
Darren Tucker
dtucker at zip.com.au
Thu Mar 4 13:37:50 EST 2004
Jim Popovitch wrote:
> The www.openssh.org website shows v3.8p1 as being released on February
> 24, 2004, however some (might be all) mirrors show a tarball date of
> 02/24/2003 02:54:00 AM.
I picked one (ftp://ftp.it.net.au/mirrors/OpenBSD/OpenSSH/portable/) and
looked via ncftp:
-r--r--r-- 1 ftpadm staff 826588 Feb 23 19:54 openssh-3.8p1.tar.gz
-r--r--r-- 1 ftpadm staff 187 Feb 23 19:54 openssh-3.8p1.tar.gz.sig
Ditto with vanilla ftp. Also looks OK in Lynx (via a squid proxy):
[FILE] openssh-3.8p1.tar.gz . . . . . . Feb 23 19:54 808k
[FILE] openssh-3.8p1.tar.gz.sig . . . . Feb 23 19:54 1k
However, the same server viewed via Mozilla (via FTP, no proxies) is wrong:
openssh-3.8p1.tar.gz 808 KB 23/02/2003 7:54:00 PM
openssh-3.8p1.tar.gz.sig 1 KB 23/02/2003 7:54:00 PM
but via HTTP (http://ftp.it.net.au/OpenBSD/OpenSSH/portable/) is OK:
openssh-3.8p1.tar.gz 24-Feb-2004 03:54 807k
openssh-3.8p1.tar.gz.sig 24-Feb-2004 03:54 1k
The signature verifies and the md5sum matches. Maybe a date parsing bug
in Mozilla's FTP?
> This may or may not be of concern, but I thought it of enough interest
> to pass along. I'm not sure if anyone else should know about this, but
> I figured that you folks would.
As always, users are encouraged to verify the GPG signature and/or check
the md5sums against the release notes (from one of the mail list
archives, or http://www.openssh.com/txt/release-3.8).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list