Date:      Wed, 14 Mar 2001 18:50:26 -0800
From:      "David O'Brien" <TrimYourCc@NUXI.com>
To:        Brooks Davis <brooks@one-eyed-alien.net>
Cc:        freebsd-arch@FreeBSD.ORG
Subject:   Re: [PATCH] add a SITE MD5 command to ftpd
Message-ID:  <20010314185026.C7683@dragon.nuxi.com>
In-Reply-To: <20010314161555.A4984@Odin.AC.HMC.Edu>; from brooks@one-eyed-alien.net on Wed, Mar 14, 2001 at 04:15:55PM -0800
References:  <20010314084651.A23104@ringworld.oblivion.bg> <200103142342.QAA09233@usr08.primenet.com> <20010314161555.A4984@Odin.AC.HMC.Edu>

On Wed, Mar 14, 2001 at 04:15:55PM -0800, Brooks Davis wrote:
> I'm, frankly, completely mystified by the various comments about this not
> being a security feature.  Of course it's not.  That's blindly obvious.

I disagree it is blindly obvious.  It wasn't to some I've talked to.
We've ended up associating a "security nature" to MD5.  Thus when people
see that name, they make assumptions.

> That's not the point.  As long as it's an option I frankly don't see how
> it could possibly hurt things and I can't see any good reason why a
> reasonable implementation wouldn't spread if people started using
> clients that could take advantage of it.

How are clients going to take advantage of it?  The majority of FTP
clients want to fetch the file, so why ask for an MD5 of it?  Are you
thinking about checking the xfer was OK?  That's the only use I can think
of.  The other uses people have mentioned are very, very specific to a
single task done by the FreeBSD Project.

 
> As for the problem that many distfiles are distributed via HTTP, you
> could trivially build an Apache module to add a non-standard HTTP header
> so you could do a "HEAD /file/I/want/to/check HTTP/1.1" and get the MD5
> from that.

Since making a loadable Apache module is so much less intrusive, I call
on those wanting to experiment with this feature to do this thru this
path.  If you can get the Apache people to either bundle the module as a
standard thing, or convince large sites to load it; THEN hack ftpd.

-- 
-- David  (obrien@FreeBSD.org)
          GNU is Not Unix / Linux Is Not UniX
