Date: Mon, 5 Feb 2001 21:05:00 +0100
From: Markus Holmberg
To: freebsd-security@freebsd.org
Cc: freebsd-ports@freebsd.org
Subject: Package integrity check?
Message-ID: <20010205210459.A2479@acc.umu.se>

Hello.

Is there any way to perform an integrity check on packages that are fetched with "pkg_add -r "? (Similarly to building a package manually with a trusted /usr/ports and checksumming downloaded files)

I assume there is no way to do integrity checking on packages, which leads me to the question if the general opinion among the security conscious is that packages (from untrusted parties, like any ftp site on the mirror list) should not be used at all?

Markus

--
Markus Holmberg | Give me Unix or give me a typewriter.
markush@acc.umu.se | http://www.freebsd.org/
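The manual check the message asks about, sketched as an added example that is not part of the original post or of FreeBSD's tools: download the package to disk first instead of letting "pkg_add -r" fetch and install in one step, compare it against a digest obtained over a channel you trust, and install the local file only on a match. The manifest file, its BSD-style `SHA256 (name) = hex` line format, the choice of SHA-256 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a downloaded package against a trusted digest manifest
# before installing it. Assumed manifest line format (BSD tagged digest):
#   SHA256 (foo-1.0.tgz) = <64 hex characters>

# Print the SHA-256 hex digest of file $1 with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_pkg MANIFEST PACKAGE
# Returns 0 on match, 1 on mismatch, 2 when there is no usable manifest entry.
verify_pkg() {
    manifest=$1
    pkg=$2
    [ -r "$manifest" ] && [ -r "$pkg" ] || return 2
    name=$(basename "$pkg")
    # Exact match on the file name (names without spaces); first entry wins.
    expected=$(awk -v n="$name" \
        '$1 == "SHA256" && $2 == "(" n ")" && $3 == "=" { print tolower($4); exit }' \
        "$manifest")
    # Fail closed on a missing or malformed digest instead of skipping the check.
    case $expected in
        ""|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$pkg" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# install_verified MANIFEST PACKAGE: hand the local file to pkg_add only
# after the digest check has passed.
install_verified() {
    if verify_pkg "$1" "$2"; then
        pkg_add "$2"
    else
        echo "refusing to install $2: digest check failed" >&2
        return 1
    fi
}
```

The check is only as strong as the path by which the manifest was obtained; a manifest fetched from the same mirror as the package adds nothing.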