[asterisk-users] change date

Tilghman Lesher tlesher at digium.com
Mon Nov 29 01:20:03 CST 2010


On Saturday 27 November 2010 04:52:31 Klaus Schwarzkopf wrote:
> Hi,
> 
> why do many files on
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ have the
> change date 18 Aug 2009? See:
> 
> asterisk-1.2.24-patch.gz	07-Aug-2007 17:10	3.2K
> asterisk-1.2.24-patch.gz.asc	07-Aug-2007 17:10	1.1K
> asterisk-1.2.24-patch.gz.sha1	07-Aug-2007 17:10	 67
> asterisk-1.2.24.tar.gz		18-Aug-2009 16:33	 28M
> asterisk-1.2.24.tar.gz.asc	18-Aug-2009 16:33	1.0K
> asterisk-1.2.24.tar.gz.sha1	18-Aug-2009 16:33	 65
> asterisk-1.2.25-patch.gz	29-Nov-2007 15:59	1.5K
> asterisk-1.2.25-patch.gz.asc	29-Nov-2007 15:59	567
> 
> 
> I am trying to repair the OpenEmbedded recipes, and the recipe also has a
> different checksum.
> 
> NOTE: fetch http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.2.24.tar.gz
> NOTE: The checksums for '/home/klaus/development/oe/downloads/asterisk-1.2.24.tar.gz' did not match.
> Expected MD5: '63dc8b7be4cd10375c5fbda893c780bc' and Got: 'db7bcaaa494804af361157a37c224dfa'
> Expected SHA256: '9debaf410636fa477e1e1f09fe0b16a1c2814afaf7195f34f29e4ce5b8debbbd' and Got: 'eed3493b1409d7100e0f983af0486bd7f8965e9e47b7a6d5ab8539b2dd3609aa'
> NOTE: Your checksums:
> SRC_URI[md5sum] = "db7bcaaa494804af361157a37c224dfa"
> SRC_URI[sha256sum] = "eed3493b1409d7100e0f983af0486bd7f8965e9e47b7a6d5ab8539b2dd3609aa"

Due to a licensing issue with some of the files we distributed with previous 
tarballs, we removed those files from archived tarballs in order to avoid
continuing to distribute those files in any form.  So yes, the checksums
will have changed, although the checksums we distribute with the tarballs
were also updated at the same time.

Given that most of the changes since 1.2.24 have been security fixes, I
would strongly encourage you to update your packages.  There is no excuse
for distributing vulnerable packages beyond the date that the vulnerability
is disclosed, plus a brief period necessary for releasing updated packages.

Additionally, the 1.2 branch has been EOLed, which means if any additional
security issues are found, we will not be releasing updated packages to
deal with those issues.  For this reason, you would be better off putting
forth the work to release packages based upon 1.4 or 1.8.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
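
Added example, not part of the original thread and not Digium or OpenEmbedded code: a packager-side check that tells a stale recipe pin (upstream re-rolled the tarball and updated its published `.sha1`) apart from a download that matches neither value. It assumes the `.sha1` file uses `sha1sum` format (digest, two spaces, filename); the function names and sample bytes are constructed for illustration.

```python
import hashlib

def sidecar_digest(sidecar_text, filename):
    """Return the SHA-1 hex digest listed for filename in sha1sum-style text, else None."""
    for line in sidecar_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        is_hex = len(digest) == 40 and all(c in "0123456789abcdef" for c in digest)
        if is_hex and name == filename:
            return digest
    return None

def classify_download(data, filename, pinned_sha256, sidecar_text):
    """Explain a fetch result: pin still valid, upstream re-roll, or unexplained mismatch."""
    if hashlib.sha256(data).hexdigest() == pinned_sha256.lower():
        return "matches-pin"
    published = sidecar_digest(sidecar_text, filename)
    if published is None:
        return "no-upstream-checksum"
    if hashlib.sha1(data).hexdigest() == published:
        # A checksum served next to the file only shows this is what upstream
        # serves today; check the detached .asc signature before re-pinning.
        return "upstream-rerolled"
    return "mismatch"

# Constructed sample data (not real Asterisk tarballs or real digests).
NAME = "asterisk-1.2.24.tar.gz"
ORIGINAL = b"constructed bytes standing in for the tarball the recipe pinned"
REROLLED = b"constructed bytes standing in for the re-rolled tarball"
PINNED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()
SIDECAR = hashlib.sha1(REROLLED).hexdigest() + "  " + NAME + "\n"

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("re-rolled", REROLLED), ("other", b"x")]:
        print(label, "->", classify_download(blob, NAME, PINNED_SHA256, SIDECAR))
```

A result of `mismatch` means the file agrees with neither the recipe nor the published checksum and should be discarded and re-fetched rather than re-pinned.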


