Toby Dickenson wrote: That makes me nervous. How will you know that the sources in cvs haven't been compromised?
Surely people can compare checkouts of the various branches (2.6, 2.7) against downloaded tarballs? We can't do the same with TRUNK, but that should be still possible to check against, say, a 2.7 beta.
I have checkouts of just about every branch ever + the head in a couple of places - based on those, nothing untoward appears to have happened to the source tree. Everyone with a product or other code in that cvs should do a check to make sure, but given that we caught the intrusion almost immediately and that the attacker's methods were rather unsophisticated, I think the risk is pretty low.

Brian Lloyd        brian@zope.com
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com
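
The check suggested in this thread, comparing a branch checkout against a downloaded release tarball, as an added example that is not part of the original messages. The function names, the use of SHA-256 and the single top-level directory inside the tarball are assumptions.

```python
import hashlib
import os
import posixpath
import sys
import tarfile


def hash_checkout(root):
    """Map relative path -> SHA-256 for each file in a CVS working copy."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # CVS/ bookkeeping directories are never part of a release tarball.
        dirnames[:] = [d for d in dirnames if d != "CVS"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def hash_tarball(path):
    """Map relative path -> SHA-256 for each regular file in a tarball.

    Assumption: the tarball wraps its contents in one top-level directory,
    which is stripped so paths line up with the checkout. Members are read
    in memory and never extracted to disk.
    """
    digests = {}
    with tarfile.open(path) as tar:
        for member in tar:
            if member.isfile():
                rel = posixpath.normpath(member.name).split("/", 1)[-1]
                data = tar.extractfile(member).read()
                digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def compare(checkout_dir, tarball_path):
    """Return paths that differ between a checkout and a release tarball."""
    co, tb = hash_checkout(checkout_dir), hash_tarball(tarball_path)
    return {
        "modified": sorted(p for p in co.keys() & tb.keys() if co[p] != tb[p]),
        "only_in_checkout": sorted(co.keys() - tb.keys()),
        "only_in_tarball": sorted(tb.keys() - co.keys()),
    }


if __name__ == "__main__" and len(sys.argv) == 3:
    for kind, paths in compare(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(kind, p)
```

A reported path is a lead for a manual diff rather than proof of tampering, since CVS keyword expansion or files generated at release time can also differ.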