Date: Wed, 09 Oct 2002 13:13:51 -0400
From: Mike Tancsa <mike@sentex.net>
To: Erick Mechler <emechler@techometer.net>
Cc: security@FreeBSD.ORG
Subject: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID: <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca>
In-Reply-To: <20021009170117.GJ10532@techometer.net>
References: <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <4.3.2.7.2.20021008174734.029e9e00@localhost> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com>
At 10:01 AM 09/10/2002 -0700, Erick Mechler wrote:
>:: A quick peer over at CVSweb indicates that the import of 8.12.6 was
>:: done well before the sendmail.org folks got their server fooled with.
>
>Additionally, you would have had to explicitly tell your build to continue
>after it warned you about a mismatch in the MD5 sums. All the more reason
>you should really trust the MD5 sums in your distinfo files :)

One thing to note about MD5 sums is that if someone broke into an FTP site and uploaded a trojaned file, why not upload a new matching MD5 checksum file as well? Granted, you can use PGP to sign the file, but how many people would notice that no one else has 'signed' the key or that a whole whack of seemingly legit people signed the key? I mean there is a PGPKEYS file there, but why not just upload your own PGPKEYS file as well?

---Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.1.6.0.20021009130608.0655d7f8>
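The difference the two posters are discussing, as an added example that is not part of the original message or of FreeBSD's ports tooling: a checksum file fetched from the same server as the tarball validates a replaced tarball, while a digest recorded earlier and delivered separately (as with a distinfo file) does not. The file name, contents and helper names are constructed for illustration; only the BSD-style `MD5 (file) = hex` line format is assumed from distinfo.

```python
import hashlib
import hmac
import re

# BSD-style digest line, e.g. "MD5 (name.tar.gz) = <hex>"
DIGEST_LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_digests(text):
    """Return {filename: [(algorithm, hexdigest), ...]} from BSD-style lines."""
    entries = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            entries.setdefault(name, []).append((algo.lower(), digest.lower()))
    return entries

def verify(name, data, digest_text):
    """True only if `name` is listed and every listed digest matches `data`."""
    expected = parse_digests(digest_text).get(name)
    if not expected:
        return False  # no entry for this file: fail closed
    for algo, digest in expected:
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:
            return False  # unknown algorithm name: fail closed
        if not hmac.compare_digest(actual, digest):
            return False
    return True

def bsd_line(algo, name, data):
    """Build a digest line the way a release engineer (or an intruder) would."""
    return f"{algo.upper()} ({name}) = {hashlib.new(algo, data).hexdigest()}"

# Constructed sample data, not real release contents.
NAME = "example-1.0.tar.gz"
GENUINE = b"genuine release contents"
TROJANED = b"trojaned release contents"
# Digest recorded before the compromise and delivered by a separate channel.
PINNED_DISTINFO = bsd_line("md5", NAME, GENUINE)
# Checksum file sitting next to the tarball, rewritten along with it.
SERVER_CHECKSUM = bsd_line("md5", NAME, TROJANED)

def demo():
    return {
        "trojan_vs_server_checksum": verify(NAME, TROJANED, SERVER_CHECKSUM),
        "trojan_vs_pinned_distinfo": verify(NAME, TROJANED, PINNED_DISTINFO),
        "genuine_vs_pinned_distinfo": verify(NAME, GENUINE, PINNED_DISTINFO),
    }
```

The pinned digest is only as trustworthy as the channel that delivered it, which is the same question the message raises about the PGPKEYS file.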