Date: Mon, 20 Jan 2003 22:23:34 +0100
From: Udo Erdelhoff <ue@nathan.ruhr.de>
To: freebsd-doc@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Putting MD5 checksums on the web site
Message-ID: <20030120212334.GD173@nathan.ruhr.de>
In-Reply-To: <mrd6mrr9hv.6mr@localhost.localdomain>
References: <20030120065252.GB173@nathan.ruhr.de> <mrd6mrr9hv.6mr@localhost.localdomain>

Hi,

On Mon, Jan 20, 2003 at 09:55:56AM -0800, Gary W. Swearingen wrote:
> I was about to say GREAT IDEA, because my practice has been to get an
> ISO from one mirror and its MD5 from a different mirror.

Same here.

> It would be
> even better to get the MD5s from a real, non-mirror freebsd.org server,
> if there is such a beast.

Does www.freebsd.org count?

> But the extra security step could be rendered worthless if you happen to
> get the "official" MD5 from the same mirror I get my ISO from (so they
> could both be tampered versions), as I infer from the last quoted line.
> I hope I've misunderstood something.

Yes. The idea is to have somebody from the security-officer team collect
the MD5s when the ISOs are complete on the building machines, stuff them
all into one file, and sign that with the security-officer key. The next
step would be to add the file to the CVS repository and to add the
necessary make foo so that the file is available from www.freebsd.org.
Afterwards, you could just point your browser to any web mirror and
retrieve the file from there.

This is already in place for 4.7R, check
http://www.freebsd.org/releases/4.7R/CHECKSUM-i386.MD5

Of course, it's pretty easy for me to propose this, because I don't have
to do the work ;)

/s/Udo
-- 
"God, root, where's the difference?" (http://www.userfriendly.org)
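
The downloader's side of the scheme described in this message, as an added example that is not part of the original e-mail or any FreeBSD tooling: check the signature on the checksum file first, and only then compare the ISO against it. It assumes a detached signature and BSD md5(1)-style lines (`MD5 (name) = digest`); all function names are hypothetical.

```python
import hashlib
import hmac
import re
import subprocess

# BSD md5(1) output format, assumed for the checksum file: "MD5 (name) = <32 hex>"
LINE_RE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def signature_ok(sig_path, checksum_path, keyring):
    """True only if gpg accepts the detached signature using the given keyring.

    The keyring should hold nothing but the signing key you already trust;
    gpg exits 0 for a good signature from *any* key it can find there.
    """
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring,
           "--verify", sig_path, checksum_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def parse_checksums(text):
    """Map file name -> lowercase digest; reject lines that do not parse."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not an MD5 (name) = digest entry")
        table[m["name"]] = m["digest"].lower()
    return table


def md5_of(path, chunk=1 << 20):
    """Hash a large file (an ISO) in chunks instead of reading it whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_image(path, name, table):
    """'ok', 'mismatch', or 'unlisted' for one downloaded image."""
    if name not in table:
        return "unlisted"
    return "ok" if hmac.compare_digest(md5_of(path), table[name]) else "mismatch"
```

Call `parse_checksums` only on a file for which `signature_ok` returned True; an unsigned or badly signed checksum file from a mirror proves nothing about the ISO beside it.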