Date: Mon, 20 Jan 2003 22:23:34 +0100
From: Udo Erdelhoff
To: freebsd-doc@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Putting MD5 checksums on the web site
Message-ID: <20030120212334.GD173@nathan.ruhr.de>
References: <20030120065252.GB173@nathan.ruhr.de>

Hi,

On Mon, Jan 20, 2003 at 09:55:56AM -0800, Gary W. Swearingen wrote:
> I was about to say GREAT IDEA, because my practice has been to get an
> ISO from one mirror and its MD5 from a different mirror.

Same here.

> It would be
> even better to get the MD5s from a real, non-mirror freebsd.org server,
> if there is such a beast.

Does www.freebsd.org count?

> But the extra security step could be rendered worthless if you happen to
> get the "official" MD5 from the same mirror I get my ISO from (so they
> could both be tampered versions), as I infer from the last quoted line.
> I hope I've misunderstood something.

Yes. The idea is to have somebody from the security-officer team collect
the MD5s when the ISOs are complete on the building machines, stuff them
all into one file, and sign that with the security-officer key. The next
step would be to add the file to the CVS repository and to add the
necessary make foo so that the file is available from www.freebsd.org.
Afterwards, you could just point your browser to any web mirror and
retrieve the file from there.

This is already in place for 4.7R, check
http://www.freebsd.org/releases/4.7R/CHECKSUM-i386.MD5

Of course, it's pretty easy for me to propose this, because I don't have
to do the work ;)

/s/Udo
-- 
"God, root, where's the difference?" (http://www.userfriendly.org)
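
Added example, not part of the original message and not FreeBSD project code: the consumer side of the scheme described above, where the signature on the checksum file is checked first and only then is a downloaded image compared against it. It assumes a detached OpenPGP signature and md5(1)-style "MD5 (name) = digest" lines; all function names are hypothetical.

```python
import hashlib
import hmac
import re
import subprocess

# Assumed line format (BSD md5(1) output style): "MD5 (name) = <32 hex digits>"
LINE_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{32})$")


def signature_is_good(checksum_path, sig_path):
    """Check a detached signature (assumed layout) with the local gpg.

    Only meaningful when the signer's public key was obtained and checked
    out of band, not fetched from the mirror that served the image.
    """
    result = subprocess.run(["gpg", "--verify", sig_path, checksum_path],
                            capture_output=True)
    return result.returncode == 0


def parse_checksums(text):
    """Return {filename: digest}; a malformed or duplicate line is an error."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not a checksum entry")
        if m["name"] in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {m['name']}")
        entries[m["name"]] = m["digest"]
    return entries


def file_md5(path, chunk=1 << 20):
    """Hash the image in chunks so a full ISO is never held in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_matches(entries, name, path):
    """Fail closed: an image that is not listed in the signed file does not pass."""
    expected = entries.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, file_md5(path))
```

Call signature_is_good() before parse_checksums(); with the signature checked against a trusted key, it no longer matters which mirror served the checksum file.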