Date: Mon, 13 Jan 2003 08:53:30 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: "Nathan J. Yoder" <njyoder@gummibears.nu>
Cc: freebsd-security@FreeBSD.org
Subject: Re: digital signatures for downloads
Message-ID: <20030113145330.GA78337@madman.nectar.cc>
In-Reply-To: <6121584208.20030113005107@gummibears.nu>
References: <6121584208.20030113005107@gummibears.nu>

On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
> While the FreeBSD security advisories are signed, they
> don't include secure hashes of the patches, rather they just provide
> an insecure FTP link.

Patches are also signed.  For example, from the latest advisory:

``
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
''

The `.asc' file is the detached signature.

But I agree that packages, et cetera should also be signed.  Many of
the tools are already there, but we have processes to work on.

Cheers,
-- 
Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
NTT/Verio SME     .     FreeBSD UNIX     .     Heimdal Kerberos
jvidrine@verio.net  .  nectar@FreeBSD.org  .  nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
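
The verification step quoted from the advisory, as an added example that is not part of the original message or of FreeBSD's own tooling: it checks the detached `.asc` signature and also requires that the signer is one specific key, since a bare "good signature" only proves that some key in the local keyring signed the file. It assumes GnuPG as the PGP utility; `PINNED_FPR` is a placeholder to be replaced with a fingerprint obtained from a trusted source, and `check_status` and `verify_patch` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify a detached signature and pin the signer's key.
# PINNED_FPR is a placeholder, not a real FreeBSD key fingerprint.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# names the pinned fingerprint (signing key or its primary key) and no
# line reports a bad, unverifiable, expired or revoked signature.
check_status() {
    # Normalise the pinned value: drop spaces, upper-case the hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    ok=1
    while read -r tag kw f1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # f1 is the fingerprint of the key that made the signature;
                # the last field of the line is the primary key fingerprint.
                primary=${rest##* }
                if [ "$f1" = "$want" ] || [ "$primary" = "$want" ]; then
                    ok=0
                else
                    return 1    # valid signature, but from another key
                fi ;;
        esac
    done
    return $ok
}

# usage: verify_patch FILE SIGNATURE
verify_patch() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Run only when called with both paths, for example:
#   PINNED_FPR=... sh verify.sh filedesc.patch filedesc.patch.asc
if [ "$#" -eq 2 ]; then
    if verify_patch "$1" "$2"; then
        echo "signature valid and made by the pinned key"
    else
        echo "REJECTED: do not apply $1" >&2
        exit 1
    fi
fi
```

The signer's public key has to be imported into the keyring beforehand, and the fingerprint should come from a channel other than the FTP server that serves the patch.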