I would hope the web site is some semi-automatic thing. I should also note that since MD5 has an easy hash-collision-generation function against it, the contents of the openssl-0.9.8f file that was available there that didn't match the sha1 should be evaluated and diffed.
I think this should be treated as an attack against the OpenSSL code infrastructure. A file that doesn't match its hashes, signed by a key that isn't on the OpenSSL listed keys list? That has all the earmarks of a hack, and anyone who downloaded the tainted tar needs to know what's in it that shouldn't be there compared to what they should have gotten.

On 10/17/07, Lutz Jaenicke via RT <[EMAIL PROTECTED]> wrote:
> Grr. The OpenSSL web site is some (semi-)automatic thing that is updated
> in a magic way. Probably only Ralf Engelschall fully understands how
> this works :-)
> I have made sure the correct files are linked now.
>
> Best regards,
> Lutz
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
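
The comparison asked for in the message above, as an added example that is not part of the original thread: it checks a download against a published SHA-1 and then diffs a suspect tarball against a known-good one, member by member. The function names and the archive contents are assumptions, constructed in memory; no real OpenSSL files are used.

```python
import hashlib
import io
import tarfile

def sha1_matches(data, published_hex):
    """True if the file's SHA-1 equals the published digest."""
    return hashlib.sha1(data).hexdigest() == published_hex.strip().lower()

def member_digests(tar_bytes):
    """Map each archive member to a digest of its contents."""
    digests = {}
    # Members are read in memory; nothing is extracted to disk.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                digests[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                # Directories and links: compare type and link target.
                digests[m.name] = f"{m.type!r}->{m.linkname}"
    return digests

def diff_tarballs(good, suspect):
    """Members added to, removed from, or changed in the suspect tarball."""
    a, b = member_digests(good), member_digests(suspect)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def make_tar(files):
    """Build a constructed sample tarball from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample data standing in for the two downloads.
GOOD = make_tar({"pkg/README": b"release\n", "pkg/ssl.c": b"int ok;\n"})
SUSPECT = make_tar({"pkg/README": b"release\n", "pkg/ssl.c": b"int changed;\n",
                    "pkg/extra.sh": b"#!/bin/sh\n"})

if __name__ == "__main__":
    print(sha1_matches(SUSPECT, hashlib.sha1(GOOD).hexdigest()))
    print(diff_tarballs(GOOD, SUSPECT))
```

The digest passed to `sha1_matches` should come from a channel independent of the download server, such as a signed announcement.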