Unreal IRC server carries trojan... on Linux, for 8 months

It’s no good if you are running on PS3 or PC.

I’m posting from my trusty Gentoo box right now–

Gentoo won’t build packages where the source checksum doesn’t match the manifest, unless you override, which is intentionally difficult to do.

If this wasn’t discovered for eight months, chances are it is because no one installed from that archive in that time. Which isn’t that surprising, since there are a dwindling number of Gentoo users and many thousands of packages you can install.

You’re missing the point. The upstream source was corrupted. Gentoo downloaded that package and assumed it was good, and used that as their checksum source. People installing it downloaded the corrupted source and had the checksum check out.