
Backdoor in vsftpd download

44 points by mrud, almost 14 years ago

4 comments

nodata, almost 14 years ago
"Signatures aside, I also took the liberty of moving most of the vsftpd site and latest download to a hosting provider I have more faith in:"

Would be interesting to see *how* the site was compromised.

This is interesting for two reasons:

i) I thought he owned the place he hosted

ii) This won't help if he had a weak password
rlpb, almost 14 years ago
Verifying the signature wouldn't have been that helpful. A different attacker might generate a similar key with the same name and sign the archive with that. How many of you check signature fingerprints (and how?) or have a chain of trust that leads to the maintainer?
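
One way to do the fingerprint check asked about in the comment above, as an added example that is not part of the original thread: it ignores the key's name and accepts a release only when GnuPG's machine-readable `VALIDSIG` status line carries a pinned primary-key fingerprint. The fingerprint value, function names and sample status lines are constructed placeholders; the real fingerprint has to come from the maintainer over a separate channel.

```shell
#!/bin/sh
# Constructed placeholder, NOT a real key: replace with the maintainer's
# full fingerprint obtained out of band (not from the download site itself).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads the output of `gpg --status-fd 1 --verify ...` on stdin.
# Succeeds only if every VALIDSIG line names the pinned primary key.
# GOODSIG is deliberately ignored: it carries the key's user ID, which
# anyone can copy onto a key of their own.
check_pinned_sig() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 3 is the fingerprint of the key that made the signature
            # (possibly a subkey); the last of the 12 fields is the primary
            # key fingerprint. Fall back to field 3 if it is absent.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# Usage: verify_release vsftpd.tar.gz.asc vsftpd.tar.gz
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | check_pinned_sig "$PINNED_FPR"
}
```

A key generated by someone else with the same name and e-mail address still produces `GOODSIG` with that name, but its `VALIDSIG` fingerprint differs, so `verify_release` returns non-zero.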
maurycy, almost 14 years ago
A pun I cannot resist: the backdoor is in the FTP protocol itself, which is, no matter how secure the daemon serving it is, completely insecure.
trezor, almost 14 years ago
Boohoo. FTP is by design an insecure and overly complex protocol, and any firewall-admin's nightmare to handle.

Anyone using FTP in this time and age should be prepared for pain. That the pain is now related to a bug in a software-implementation instead of a bug in the base protocol-design doesn't really shift the pain that much. It's FTP and FTP is pain. You do get what you asked for.

If you want security and something simple to administer, just go for SSH and SCP. Granted, it won't allow anonymous downloads, but if that's all you need, why not just go with HTTP in the first place?