asterisk users - Nov 2010 - change date

Hi,

why have many files on 
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ the 
change date 18 aug 2009? See:

asterisk-1.2.24-patch.gz	07-Aug-2007 17:10	3.2K
asterisk-1.2.24-patch.gz.asc	07-Aug-2007 17:10	1.1K
asterisk-1.2.24-patch.gz.sha1	07-Aug-2007 17:10	 67
asterisk-1.2.24.tar.gz		18-Aug-2009 16:33	 28M
asterisk-1.2.24.tar.gz.asc	18-Aug-2009 16:33	1.0K
asterisk-1.2.24.tar.gz.sha1	18-Aug-2009 16:33	 65
asterisk-1.2.25-patch.gz	29-Nov-2007 15:59	1.5K
asterisk-1.2.25-patch.gz.asc	29-Nov-2007 15:59	567


I try to repair the openembedded recipes an the recipe have also an 
different checksum.

NOTE: fetch 
http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.2.24.tar.gz
NOTE: The checksums for 
'/home/klaus/development/oe/downloads/asterisk-1.2.24.tar.gz' did not
match.
Expected MD5: '63dc8b7be4cd10375c5fbda893c780bc' and Got: 
'db7bcaaa494804af361157a37c224dfa'
Expected SHA256: 
'9debaf410636fa477e1e1f09fe0b16a1c2814afaf7195f34f29e4ce5b8debbbd' and 
Got: 'eed3493b1409d7100e0f983af0486bd7f8965e9e47b7a6d5ab8539b2dd3609aa'
NOTE: Your checksums:
SRC_URI[md5sum] = "db7bcaaa494804af361157a37c224dfa"
SRC_URI[sha256sum] = 
"eed3493b1409d7100e0f983af0486bd7f8965e9e47b7a6d5ab8539b2dd3609aa"

Greetings

Klaus

On Saturday 27 November 2010 04:52:31 Klaus Schwarzkopf
wrote:
> Hi,
> 
> why have many files on
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ the
> change date 18 aug 2009? See:
> 
> asterisk-1.2.24-patch.gz	07-Aug-2007 17:10	3.2K
> asterisk-1.2.24-patch.gz.asc	07-Aug-2007 17:10	1.1K
> asterisk-1.2.24-patch.gz.sha1	07-Aug-2007 17:10	 67
> asterisk-1.2.24.tar.gz		18-Aug-2009 16:33	 28M
> asterisk-1.2.24.tar.gz.asc	18-Aug-2009 16:33	1.0K
> asterisk-1.2.24.tar.gz.sha1	18-Aug-2009 16:33	 65
> asterisk-1.2.25-patch.gz	29-Nov-2007 15:59	1.5K
> asterisk-1.2.25-patch.gz.asc	29-Nov-2007 15:59	567
> 
> 
> I try to repair the openembedded recipes an the recipe have also an
> different checksum.
> 
> NOTE: fetch
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1
> .2.24.tar.gz NOTE: The checksums for
> '/home/klaus/development/oe/downloads/asterisk-1.2.24.tar.gz' did
not
> match. Expected MD5: '63dc8b7be4cd10375c5fbda893c780bc' and Got:
> 'db7bcaaa494804af361157a37c224dfa'
> Expected SHA256:
> '9debaf410636fa477e1e1f09fe0b16a1c2814afaf7195f34f29e4ce5b8debbbd'
and
> Got:
'eed3493b1409d7100e0f983af0486bd7f8965e9e47b7a6d5ab8539b2dd3609aa'
> NOTE: Your checksums:
> SRC_URI[md5sum] = "db7bcaaa494804af361157a37c224dfa"
> SRC_URI[sha256sum] >
"eed3493b1409d7100e0f983af0486bd7f8965e9e47b7a6d5ab8539b2dd3609aa"
Due to a licensing issue with some of the files we distributed with previous 
tarballs, we removed those files from archived tarballs in order to avoid
continuing to distribute those files in any form.  So yes, the checksums
will have changed, although the checksums we distribute with the tarballs
were also updated at the same time.

Given that most of the changes since 1.2.24 have been security fixes, I
would strongly encourage you to update your packages.  There is no excuse
for distributing vulnerable packages beyond the date that the vulnerability
is disclosed, plus a brief period necessary for releasing updated packages.

Additionally, the 1.2 branch has been EOLed, which means if any additional
security issues are found, we will not be releasing updated packages to
deal with those issues.  For this reason, you would be better off putting
forth the work to release packages based upon 1.4 or 1.8.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org