Date: Sun, 24 Mar 2002 03:00:45 -0500 (EST) From: Peter Leftwich <Hostmaster@Video2Video.Com> To: <dill@canada.com> Cc: FreeBSD Questions <freebsd-questions@FreeBSD.ORG> Subject: Re: Security of downloaded binary (packages) Message-ID: <20020324025302.P27780-100000@earl-grey.cloud9.net> In-Reply-To: <20020324072243.3398.cpmta@c009.snv.cp.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 23 Mar 2002 dill@canada.com wrote: > I am trying to do a pkg_add -r "pkg name" but I feel that this really does not protect myself from downloading trojan horses. List, I think I can field this one :) and apparently, there is a limit to how paranoid we can be in life *don't worry, I definitely empathise!* "pkg_add -r" uses your system's ftp binary to go out to a trusted source: ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-[your `uname -a` here]/Latest/[pkg-name here].tgz > If someone poisoned my DNS and put a fake entry instead of ftp.freebsd.org then I could download torjan instead of what I want. Are there MD5 signature of package files that I can verify ?? MD5 IMHO is a very Micro$oftly construct; That is, not necessary to daily [computing] life. If you are concerned about trojans, buy LifeStyles instead. (I am such a comedian this evening!) Seriously, if you are really worried, then read up on sftp (secure ftp) to download the *.tgz file, then gunzip then untar the archive and (check over the security of the current code) then compile (man gcc or umm that other one) custom binary/binaries manually. Open source opens doors. -- Peter Leftwich President & Founder Video2Video Services Box 13692, La Jolla, CA, 92039 USA +1-413-403-9555 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020324025302.P27780-100000>