Date: Mon, 19 Mar 2001 11:52:26 +0100
From: Markus Holmberg <markush@acc.umu.se>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Eric M Logan <eric_m_logan@yahoo.com>, "freebsd-stable@FreeBSD.ORG" <freebsd-stable@FreeBSD.ORG>
Subject: Re: ports vs. packages...
Message-ID: <20010319115226.A11740@acc.umu.se>
In-Reply-To: <20010319022627.C4782@xor.obsecurity.org>; from kris@obsecurity.org on Mon, Mar 19, 2001 at 02:26:27AM -0800
References: <3AB3C1C2.67E1AB9B@yahoo.com> <20010317125349.E22316@mollari.cthul.hu> <20010318194637.A10260@acc.umu.se> <20010319022627.C4782@xor.obsecurity.org>

On Mon, Mar 19, 2001 at 02:26:27AM -0800, Kris Kennaway wrote:
> > (Assuming the local ports tree can be trusted)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> You overlooked the possibility of a trojaned (intentionally or via a
> compromise) cvsup server. It would be nice to add integrity
> protection to cvsup so the user could verify that the copy they
> receive is the one which was obtained from the master repository, but
> it requires nontrivial changes to the cvsup code.
(see above)
But since there is no practical way to ensure the integrity of your
local ports tree (at least not when getting it over the network) it is
in practice no more secure than packages; I see that. :(
> WRT packages, there is a pkg_sign utility included in 4.3-BETA which
> we intend to use in the future to sign packages, to allow users to
> verify that they did indeed come from the FreeBSD package building
> cluster (but note that this still isn't a guarantee against malicious
> code which was built by the package cluster, through compromise or
> through malicious code obtained from the software author)
Sounds good!
Regards, Markus.
--
Markus Holmberg | Give me Unix or give me a typewriter.
markush@acc.umu.se | http://www.freebsd.org/
