Date: Tue, 1 Oct 2002 19:12:11 -0700 (PDT)
From: "f.johan.beisser" <jan@caustic.org>
To: Brian Behlendorf <brian@hyperreal.org>
Cc: Klaus Steden <klaus@compt.com>, <security@FreeBSD.ORG>
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Message-ID: <20021001190915.K67581-100000@pogo.caustic.org>
In-Reply-To: <20021001183010.E58068-100000@yez.hyperreal.org>
On Tue, 1 Oct 2002, Brian Behlendorf wrote:

> So, fix the ports system then to include a step whereby someone has to
> pause the installation process to review the output of tar before allowing
> it to proceed.

If you're installing a port, I would tend to assume it's A) from the FreeBSD ports tree, and B) checked out, and using an md5 hash (already in the tree) that's separate/updated by the maintainer. In this case, the port maintainer is directly responsible for the port.

Of course, you have to trust your port maintainer to not be out to cause harm. Trust does have to begin somewhere, after all.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                      jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
  -- Tim Triche
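The two checks the thread is circling, as an added example written for this page (not code from the list, from FreeBSD's tar or from the ports system): verify a distfile against a distinfo-style `MD5 (file) = hash` line before touching it, then review the archive listing, as one would with `tar tvf`, for members that would land outside the extraction directory. The distinfo line, the sample archives and all function names are constructed for the example.

```python
import hashlib
import io
import re
import tarfile
# distinfo lines (2002-era ports tree) look like:  MD5 (pkg-1.0.tar.gz) = <hex digest>
DISTINFO_RE = re.compile(r"^(MD5|SHA256) \((.+)\) = ([0-9a-f]+)$")

def parse_distinfo(text):
    """Map each distfile name to its (algorithm, hex digest) pair."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3))
    return entries

def escapes(path):
    # an absolute path or any '..' component would write outside the cwd
    return path.startswith("/") or ".." in path.split("/")

def unsafe_members(tar_bytes):
    """Review the listing (what `tar tvf` would print) without extracting."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [m.name for m in tf.getmembers()
                if escapes(m.name) or ((m.issym() or m.islnk()) and escapes(m.linkname))]

def vet_distfile(tar_bytes, filename, distinfo_text):
    """Checksum against distinfo first, then refuse archives whose members escape."""
    entry = parse_distinfo(distinfo_text).get(filename)
    if entry is None:
        return False, ["no distinfo entry for " + filename]
    algo, digest = entry
    if hashlib.new(algo, tar_bytes).hexdigest() != digest:
        return False, ["checksum mismatch for " + filename]
    bad = unsafe_members(tar_bytes)
    return not bad, bad

def build_tar(members):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in members:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed samples: a clean in-memory archive and one carrying a path-traversal member.
GOOD_TAR = build_tar([("pkg-1.0/README", b"hello\n")])
BAD_TAR = build_tar([("pkg-1.0/README", b"hello\n"), ("../../etc/crontab", b"x\n")])
GOOD_DISTINFO = "MD5 (pkg-1.0.tar) = " + hashlib.md5(GOOD_TAR).hexdigest()
```

A distfile whose checksum does not match is rejected before its listing is even read, so a tampered archive never reaches the path check.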