Date: Thu, 8 Feb 2001 13:21:23 +0100
From: Markus Holmberg
To: Garrett Wollman
Cc: Wes Peters, freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: Package integrity check?
Message-ID: <20010208132123.A4400@acc.umu.se>

Thanks Wes. I'm running -STABLE (and I was mostly just curious, not in a
hurting need for this functionality right away) so I'm not sure I'm
trying it out. But it's good to know it's available.

On Tue, Feb 06, 2001 at 01:02:08PM -0500, Garrett Wollman wrote:

> 1) Whatever process generates and checksums the packages also makes
> and signs a master list of all the checksums from each package, and
>
> 2) Whatever process installs software from the package compares its
> checksum against this master list, and verifies the signature of the
> master list.

It was these two things that I was thinking of in the first place (when
asking if it was possible to check for package integrity). But I realize
it is not conceivable without a good deal of effort, so I was merely
wondering if anyone else thought of it.

> I think that this would be both useful and worthwhile, but again, we
> need to make sure that legally we are not promising anything other
> than ``these packages have not been modified since generation''.

Of course, one could not ask for anything else either (more than to know
that the packages were built by the FreeBSD Project and have not been
modified since, as is the same with building software from the ports
system).

Markus

--
Markus Holmberg    | Give me Unix or give me a typewriter.
markush@acc.umu.se | http://www.freebsd.org/
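
The two-step scheme quoted above, as an added example that is not part of the original message or of any FreeBSD tooling: a build side that writes a master list of checksums and signs it, and an install side that verifies the list's signature before comparing a package's checksum. SHA-256, the list format, the package names and the Lamport one-time signature (a standard-library stand-in for a real signing tool) are assumptions.

```python
import hashlib
import hmac
import secrets

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature (assumption: stdlib-only stand-in for a real
# signing tool). A key pair must sign exactly one master list.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(_h(s), pk[i][bit])
               for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def build_master_list(packages: dict) -> bytes:
    """Step 1 (build side): one '<sha256>  <name>' line per package."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(packages.items())).encode()

def check_package(pk, master: bytes, sig, name: str, data: bytes) -> str:
    """Step 2 (install side): trust the list only after its signature verifies."""
    if not verify(pk, master, sig):
        return "master list signature invalid"
    listed = {}
    for line in master.decode().splitlines():
        digest, pkg = line.split("  ", 1)
        listed[pkg] = digest
    if name not in listed:
        return "package not in master list"
    if not hmac.compare_digest(listed[name], hashlib.sha256(data).hexdigest()):
        return "checksum mismatch"
    return "unmodified since generation"

# Constructed sample data: package names and contents are made up.
PACKAGES = {"foo-1.0.tgz": b"foo package bytes", "bar-2.3.tgz": b"bar package bytes"}
SK, PK = keygen()
MASTER = build_master_list(PACKAGES)
SIG = sign(SK, MASTER)
```

A passing check says only what the thread says it should: the package matches what the holder of the signing key listed at generation time.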