Date: Mon, 19 Mar 2001 02:26:27 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Markus Holmberg <markush@acc.umu.se>
Cc: Kris Kennaway <kris@obsecurity.org>, Eric M Logan <eric_m_logan@yahoo.com>, "freebsd-stable@FreeBSD.ORG" <freebsd-stable@FreeBSD.ORG>
Subject: Re: ports vs. packages...
Message-ID: <20010319022627.C4782@xor.obsecurity.org>
In-Reply-To: <20010318194637.A10260@acc.umu.se>; from markush@acc.umu.se on Sun, Mar 18, 2001 at 07:46:38PM +0100
References: <3AB3C1C2.67E1AB9B@yahoo.com> <20010317125349.E22316@mollari.cthul.hu> <20010318194637.A10260@acc.umu.se>
On Sun, Mar 18, 2001 at 07:46:38PM +0100, Markus Holmberg wrote:
> Isn't there a small security advantage with building from source
> (compared to downloading packages from an untrusted party)?
>
> With source one can be assured that the port is built from unmodified
> data since the downloaded distfiles are checked with checksums.
> (Assuming the local ports tree can be trusted)
>
> As opposed to packages where there is no verification at all that you
> didn't receive something manipulated. (The possibility of someone setting
> up a FreeBSD mirror distributing trojaned packages disturbs me)
>
> I'm not sure if I overlooked something though..

You overlooked the possibility of a trojaned (intentionally or via a
compromise) cvsup server. It would be nice to add integrity protection
to cvsup so the user could verify that the copy they receive is the one
which was obtained from the master repository, but it requires
nontrivial changes to the cvsup code.

WRT packages, there is a pkg_sign utility included in 4.3-BETA which we
intend to use in the future to sign packages, to allow users to verify
that they did indeed come from the FreeBSD package building cluster (but
note that this still isn't a guarantee against malicious code which was
built by the package cluster, through compromise or through malicious
code obtained from the software author)

Kris
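The trust-chain point Kris makes above, as an added example that is not part of the original thread or of cvsup/pkg_sign: a Go model in which a mirror rewrites both a distfile and its distinfo entry, so the ports-style checksum check still passes, while a signature over the distinfo verified with a key obtained out of band detects the swap. The names (Distinfo, Scenario), the sample tarball contents and the Ed25519 key pair are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Distinfo stands in for a port's distinfo file: distfile name -> SHA-256 hex.
type Distinfo map[string]string

// ChecksumOK is the check a ports build does: does the fetched distfile
// match the digest recorded in the local ports tree?
func ChecksumOK(di Distinfo, name string, data []byte) bool {
	sum := sha256.Sum256(data)
	return di[name] == hex.EncodeToString(sum[:])
}

// encode serialises the distinfo deterministically so it can be signed.
func encode(di Distinfo) []byte {
	names := make([]string, 0, len(di))
	for n := range di {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "SHA256 (%s) = %s\n", n, di[n])
	}
	return buf.Bytes()
}

// SignDistinfo/VerifyDistinfo: a signature by a key the user holds out of
// band, the role a package-signing tool is meant to play.
func SignDistinfo(priv ed25519.PrivateKey, di Distinfo) []byte {
	return ed25519.Sign(priv, encode(di))
}
func VerifyDistinfo(pub ed25519.PublicKey, di Distinfo, sig []byte) bool {
	return ed25519.Verify(pub, encode(di), sig)
}

// Scenario models a trojaned mirror that rewrites both the distfile and its
// distinfo entry. Returns (checksum check passes, signature check rejects).
func Scenario() (checksumPasses, signatureRejects bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine tarball contents")
	sum := sha256.Sum256(genuine)
	di := Distinfo{"foo-1.0.tar.gz": hex.EncodeToString(sum[:])}
	sig := SignDistinfo(priv, di) // made upstream, fetched separately
	evil := []byte("constructed trojaned tarball contents")
	esum := sha256.Sum256(evil)
	di["foo-1.0.tar.gz"] = hex.EncodeToString(esum[:]) // mirror's rewrite
	return ChecksumOK(di, "foo-1.0.tar.gz", evil), !VerifyDistinfo(pub, di, sig)
}
```

Scenario returns (true, true): the digest in the rewritten tree matches the rewritten distfile, but the signature made over the original distinfo no longer verifies.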