Date: Mon, 09 Jul 2001 18:26:32 -0500
From: steve <steve@clublinux.org>
To: freebsd-security@freebsd.org
Subject: Re: cvsup and security
Message-ID: <3B4A3DA8.B04EFC27@clublinux.org>
References: <3B492672.55E0ADC8@clublinux.org> <20010708221140.A35469@xor.obsecurity.org> <20010708223447.F307@blossom.cjclark.org>
Hi,

>
> We do know how to do this? What trusted location would these MD5
> checksums come from? If someone has slipped in malicious code on a
> cvsupd server, it is relatively easy to change the MD5 sums provided
> by that server to match. Or is the idea that you get files from a
> random mirror, but get MD5 checksums from a different location?

For those that are paranoid about security (like me), perhaps the
ports.tar.gz file could be signed so I can download the tarball and
verify it with a signature file (e.g. ports.tar.gz.sign). This still
wouldn't allow you to verify when updating via CVSup, but at least I
could verify that my ports directory skeleton is legit through
alternative means. The same thing could be done with the system source
code (src-all.tar.gz and src-all.tar.gz.sign). One of the FreeBSD
people could be responsible for the private/public key and creating
the signature files.

>
> I'd also like to point out that the ports are checking something
> different with the MD5 sum. Since you got the MD5 hashes for the ports
> from a cvsupd server, you already are trusting cvsup (unless you are
> using old ones from a CD).

Sorry, I should have been more clear about that. I am using the
original /usr/ports and /usr/src skeletons from the CD and I want to
update those skeletons in a secure manner so that I can safely install
the latest and greatest (both ports and system software).

> All the MD5 hashes on ports prove is that
> the tarball you download is the same one the maintainer downloaded
> when he built the port skeleton. That does NOT mean that the
> maintainer audited the code, checked the code, or did not insert
> malicious code himself.

If there was a way to make the md5sums in the ports/src skeletons
trustworthy (e.g. signing files, or using the one from the CD), they
could be used to verify the authenticity of a port/system program that
is being installed.

I would personally like a way to verify that the kernel source updates
I've downloaded aren't trojaned in some way if I'm going to be updating
my kernel with them.

> When an MD5 check fails, the most common
> reason is that a developer modified the code without changing the
> version number, not that code was tampered with.

This may be true, but I like to know for sure ;-)

What do you think?

Steve

P.S. I apologize if I'm using FreeBSD terminology (e.g. ports/src
skeleton) incorrectly as I'm new to FreeBSD.

> --
> Crist J. Clark cjclark@alum.mit.edu
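As an added illustration (not from this thread or the FreeBSD project) of the detached-signature scheme Steve proposes: the tarball ships with a .sign file, the user verifies it with a public key obtained out of band (e.g. from the install CD), and a mirror that alters the tarball and republishes a matching MD5 file still fails the signature check. The OpenSSL RSA key pair, the file names and the tiny sample "ports tree" are assumptions made for this example.

```shell
# Added example, not from the thread: detached signatures for a ports
# tarball (ports.tar.gz + ports.tar.gz.sign). OpenSSL RSA keys and all
# file names are assumptions; the "ports tree" is a constructed sample.
set -eu
WORK=$(mktemp -d)
# Release side: one key pair. Only release.pub reaches users, and it
# should come from the install CD, not from the same mirror as the tarball.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/release.key" 2>/dev/null
    openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub"
}

# Release side: write the detached signature <tarball>.sign.
sign_tarball() {
    openssl dgst -sha256 -sign "$WORK/release.key" -out "$1.sign" "$1"
}

# User side: check <tarball> against <tarball>.sign with the out-of-band
# public key. Exit status 0 = genuine, 1 = altered or wrong key.
verify_tarball() {
    openssl dgst -sha256 -verify "$WORK/release.pub" \
        -signature "$1.sign" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the real ports skeleton.
build_sample() {
    mkdir -p "$WORK/ports/net/foo"
    echo 'MD5 (foo-1.0.tar.gz) = d41d8cd98f00b204e9800998ecf8427e' \
        > "$WORK/ports/net/foo/distinfo"
    (cd "$WORK" && tar czf ports.tar.gz ports)
    echo "$WORK/ports.tar.gz"
}

# A compromised mirror can alter the tarball AND republish a matching
# MD5 file; that is why a checksum from the same server proves nothing.
tamper() {
    printf 'evil' >> "$1"
    openssl dgst -md5 "$1" > "$1.md5"
}
demo() {
    make_keys
    tb=$(build_sample)
    sign_tarball "$tb"
    verify_tarball "$tb" && echo "original: signature OK"
    tamper "$tb"
    verify_tarball "$tb" || echo "tampered: signature FAILED, MD5 file still matches"
}
demo
```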