From: Kris Kennaway
To: Markus Holmberg
Cc: Kris Kennaway, Eric M Logan, "freebsd-stable@FreeBSD.ORG"
Subject: Re: ports vs. packages...
Date: Mon, 19 Mar 2001 02:26:27 -0800
Message-ID: <20010319022627.C4782@xor.obsecurity.org>

On Sun, Mar 18, 2001 at 07:46:38PM +0100, Markus Holmberg wrote:
> Isn't there a small security advantage with building from source
> (compared to downloading packages from an untrusted party)?
>
> With source one can be assured that the port is built from unmodified
> data since the downloaded distfiles are checked with checksums.
> (Assuming the local ports tree can be trusted)
>
> As opposed to packages where there is no verification at all that you
> didn't receive something manipulated. (The possibility of someone setting
> up a FreeBSD mirror distributing trojaned packages disturbs me)
>
> I'm not sure if I overlooked something though..

You overlooked the possibility of a trojaned (intentionally or via a
compromise) cvsup server. It would be nice to add integrity protection
to cvsup so the user could verify that the copy they receive is the one
which was obtained from the master repository, but it requires
nontrivial changes to the cvsup code.

WRT packages, there is a pkg_sign utility included in 4.3-BETA which we
intend to use in the future to sign packages, to allow users to verify
that they did indeed come from the FreeBSD package building cluster (but
note that this still isn't a guarantee against malicious code which was
built by the package cluster, through compromise or through malicious
code obtained from the software author).

Kris
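
The trust chain discussed in this thread, as an added example that is not part of the original messages or of any FreeBSD tool: a distfile checksum only proves agreement with the local ports tree, so a tree fetched from a bad mirror vouches for a modified distfile unless the tree itself is checked against something obtained from the master repository. Assumptions: BSD-style `SHA256 (file) = hex` checksum lines, constructed sample data, and a hypothetical pinned digest standing in for the integrity protection the message says cvsup lacks.

```python
import hashlib
import hmac
import re

# BSD-style checksum line, e.g. "SHA256 (example-1.0.tar.gz) = <hex>"
LINE_RE = re.compile(r"^(\w+) \(([^)]+)\) = ([0-9a-f]+)$")

def parse_distinfo(text):
    """Return {filename: (algorithm, hexdigest)} from checksum-file text."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3))
    return entries

def distfile_ok(name, data, distinfo_text):
    """The build-time check: does the distfile match the LOCAL checksum file?"""
    entry = parse_distinfo(distinfo_text).get(name)
    if entry is None or entry[0] not in hashlib.algorithms_guaranteed:
        return False  # no usable recorded checksum: refuse
    actual = hashlib.new(entry[0], data).hexdigest()
    return hmac.compare_digest(actual, entry[1])

def tree_ok(distinfo_text, pinned_hex):
    """Hypothetical extra check: the checksum file itself must match a
    digest obtained from the master repository over a trusted channel."""
    actual = hashlib.sha256(distinfo_text.encode()).hexdigest()
    return hmac.compare_digest(actual, pinned_hex)

def make_distinfo(name, data):
    return "SHA256 (%s) = %s\n" % (name, hashlib.sha256(data).hexdigest())

# Constructed sample data (not real ports or distfiles).
NAME = "example-1.0.tar.gz"
GENUINE = b"genuine source archive"
MODIFIED = b"modified source archive"
MASTER_DISTINFO = make_distinfo(NAME, GENUINE)    # as in the master repository
MIRROR_DISTINFO = make_distinfo(NAME, MODIFIED)   # as served by a bad mirror
PINNED = hashlib.sha256(MASTER_DISTINFO.encode()).hexdigest()

def scenarios():
    return {
        "modified distfile, good tree": distfile_ok(NAME, MODIFIED, MASTER_DISTINFO),
        "modified distfile, modified tree": distfile_ok(NAME, MODIFIED, MIRROR_DISTINFO),
        "modified tree vs pinned digest": tree_ok(MIRROR_DISTINFO, PINNED),
        "good tree vs pinned digest": tree_ok(MASTER_DISTINFO, PINNED),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(label, "->", result)
```

The second scenario is the case Kris points out: the checksum passes because the tree and the distfile were changed together, and only the check against the pinned digest rejects it.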