Date: Mon, 13 Jan 2003 08:53:30 -0600
From: "Jacques A. Vidrine"
To: "Nathan J. Yoder"
Cc: freebsd-security@FreeBSD.org
Subject: Re: digital signatures for downloads
Message-ID: <20030113145330.GA78337@madman.nectar.cc>
In-Reply-To: <6121584208.20030113005107@gummibears.nu>

On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
> While the FreeBSD security advisories are signed, they
> don't include secure hashes of the patches, rather they just provide
> an insecure FTP link.

Patches are also signed.  For example, from the latest advisory:

``
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
''

The `.asc' file is the detached signature.

But I agree that packages, et cetera should also be signed.  Many of
the tools are already there, but we have processes to work on.

Cheers,
-- 
Jacques A. Vidrine                     http://www.celabo.org/
NTT/Verio SME  .  FreeBSD UNIX  .  Heimdal Kerberos
jvidrine@verio.net  .  nectar@FreeBSD.org  .  nectar@kth.se
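The verification step the advisory describes, written out as a small script. This is an added example, not part of the list post or the advisory; it assumes gpg(1) and fetch(1) are installed and the FreeBSD Security Officer key is already in the keyring, and EXPECTED_FPR is a placeholder, not the real fingerprint. It goes one step past a bare `gpg --verify`: exit status 0 only says that some key in the keyring made a good signature, so the script also pins the signing key's fingerprint from gpg's status output before treating the patch as trusted.

```shell
#!/bin/sh
# Added example (not from the list post): verify a FreeBSD SA patch against
# its detached .asc signature before applying it. Assumes gpg(1) and
# fetch(1) exist and the Security Officer key is imported. EXPECTED_FPR is
# a placeholder; replace it with the fingerprint from the advisory/FAQ.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# verify_detached SIGFILE FILE
#   0 = valid signature by EXPECTED_FPR
#   1 = bad/missing signature, or signed by some other key
#   2 = gpg not available (cannot verify, treat as failure)
verify_detached() {
    sig=$1; file=$2
    command -v gpg >/dev/null 2>&1 || return 2
    # --status-fd 1 gives machine-readable lines; VALIDSIG carries the full
    # fingerprint of the signing key, which the plain exit status does not.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) \
        || return 1
    printf '%s\n' "$status" \
        | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR " || return 1
    return 0
}

# fetch_and_verify URL
# Downloads the patch and its detached signature (as in the advisory) and
# deletes both unless the signature checks out, so an unverified patch never
# sits around waiting to be applied by mistake.
fetch_and_verify() {
    url=$1; patch=$(basename "$url")
    fetch "$url" || return 1
    fetch "$url.asc" || return 1
    if verify_detached "$patch.asc" "$patch"; then
        echo "OK: $patch carries a valid signature from $EXPECTED_FPR"
    else
        echo "FAILED: signature check on $patch, discarding" >&2
        rm -f "$patch" "$patch.asc"
        return 1
    fi
}
```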