SoylentNews is people
SoylentNews
If you downloaded Mint Cinnamon today (for versions of "today" that include February 20th, 2016) you should immediately check the MD5 checksum. Blog Entry here.
From Clem:
We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
Apparently the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the name of 3 people over there.
The comment thread suggests that the ISOs are showing up in other places, and that the Mint site may still not be entirely secure.
(Score: 2) by Pino P on Monday February 22 2016, @10:29PM
A checksum sounds easier and cheaper.
Who signs the checksum?
(Score: 0) by Anonymous Coward on Monday February 22 2016, @10:58PM
The packager signs the checksum, obviously.
(It would be good if he didn't get his site pwned.)
-- OriginalOwner_ [soylentnews.org]
(Score: 2) by Pino P on Monday February 29 2016, @04:29PM
If the packager signs the checksum, who signs the packager's public key? That's all Authenticode is: a checksum encrypted with the publisher's private key, plus a certificate asserting that the corresponding public key belongs to the publisher.