Yesterday, the first of May, the new OpenBSD release was made available! Like other major open source projects, OpenBSD copes with the download load by making the source code available through mirrors around the world.
I read the following post on the security-announce mailing list today:
“It has come to our attention that some ftp sites (ftp.kd85.com) which are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5 at this time. We have noted that what is actually present in the 4.5 directory is not 4.5, but rather a late development cycle snapshot which they have moved into place claiming it is 4.5. ” (Full message available here).
It’s quite easy to set up a mirror of a well-known free application or OS. In this specific case, it looks like a mistake by the local system administrators, but malicious people could create a rogue mirror and distribute modified code (with a hidden back-door or any other malicious code).
As the name says, “open source” software is easy to modify! Always download files from official mirrors, usually listed on the primary website, and always use hash functions (md5, sha1) to verify the files’ integrity!
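Checking downloaded sets against the release’s checksum list, as an added example (not from the original post or from the OpenBSD project): the list is assumed to have been fetched from the primary site, not from the mirror being checked, since a hash served by a rogue mirror proves nothing. File names, contents and the `SHA256` list are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post or OpenBSD): verify downloaded
# release files against an OpenBSD-style checksum list, "SHA256 (file) = hex".
# The list itself must come from the primary site, not from the mirror under test.
set -eu

# SHA-256 of a file, using GNU coreutils or BSD/macOS shasum, whichever exists
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_file LIST FILE: prints ok, MISMATCH or MISSING; non-zero unless ok
verify_file() {
    list=$1; file=$2; name=$(basename "$file")
    expected=$(awk -v n="$name" '$1 == "SHA256" && $2 == ("(" n ")") { print $4 }' "$list")
    if [ -z "$expected" ]; then
        echo MISSING; return 1          # file not covered by the list at all
    fi
    actual=$(sha256_of "$file")
    if [ "$expected" = "$actual" ]; then
        echo ok
    else
        echo MISMATCH; return 1         # altered, truncated or a different snapshot
    fi
}

# Constructed sample: a pristine list, then a mirror that swaps one set.
# Prints the scratch directory it created.
make_sample() {
    dir=$(mktemp -d)
    printf 'constructed install image\n' > "$dir/install45.iso"
    printf 'constructed base set\n' > "$dir/base45.tgz"
    {
        echo "SHA256 (install45.iso) = $(sha256_of "$dir/install45.iso")"
        echo "SHA256 (base45.tgz) = $(sha256_of "$dir/base45.tgz")"
    } > "$dir/SHA256"
    # The rogue mirror serves a modified base set under the release's file name
    printf 'constructed base set plus unwanted extra\n' > "$dir/base45.tgz"
    echo "$dir"
}

sample=$(make_sample)
for f in install45.iso base45.tgz xshare45.tgz; do
    printf '%-14s %s\n' "$f" "$(verify_file "$sample/SHA256" "$sample/$f" || true)"
done
```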