From owner-freebsd-security Wed Oct 9 10:12:48 2002
Delivered-To: freebsd-security@freebsd.org
Message-Id: <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca>
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Wed, 09 Oct 2002 13:13:51 -0400
To: Erick Mechler
From: Mike Tancsa
Subject: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Cc: security@FreeBSD.ORG
In-Reply-To: <20021009170117.GJ10532@techometer.net>
References: <4.3.2.7.2.20021008174734.029e9e00@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 10:01 AM 09/10/2002 -0700, Erick Mechler wrote:
>:: A quick peer over at CVSweb indicates that the import of 8.12.6 was
>:: done well before the sendmail.org folks got their server fooled with.
>
>Additionally, you would have had to explicitly told your build to continue
>after it warned you about a mismatch in the MD5 sums. All the more reason
>you should really trust the MD5 sums in your distinfo files :)

One thing to note about MD5 sums is that if someone broke into an ftp site and uploaded a trojaned file, why not upload a new matching MD5 checksum file as well? Granted, you can use pgp to sign the file, but how many people would notice that no one else has 'signed' the key, or that a whole whack of seemingly legit people signed the key? I mean, there is a PGPKEYS file there, but why not just upload your own PGPKEYS file as well?

---Mike
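The point Mike raises above, that a checksum file sitting next to the distfile on a compromised server is worthless because the intruder can replace both, is worth seeing in code. The following is an added example written for this archive page, not code from the mail or from the FreeBSD ports framework. It parses distinfo-style lines (`MD5 (file) = hexdigest`), verifies a file against them, and walks through a constructed scenario: a mirror that serves a distfile plus a co-located `.md5` file, versus a distinfo obtained out of band (as the ports tree is) while the file was still genuine. The function names (`parse_distinfo`, `verify_file`, `demo`) and the file contents are hypothetical; MD5 is used only because it is the algorithm the thread discusses.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Line format used by FreeBSD ports distinfo files, e.g.
#   MD5 (sendmail.8.12.6.tar.gz) = 0123456789abcdef0123456789abcdef
DISTINFO_RE = re.compile(
    r"^(?P<alg>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$"
)


def parse_distinfo(text):
    """Return {(algorithm, filename): hexdigest} from distinfo-style text.

    Raises ValueError on a malformed line rather than silently skipping it:
    a distinfo that cannot be parsed should fail the fetch, not pass it.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DISTINFO_RE.match(line)
        if m is None:
            raise ValueError(f"malformed distinfo line: {line!r}")
        entries[(m["alg"].lower(), m["name"])] = m["digest"].lower()
    return entries


def digest_file(path, alg="md5"):
    """Hash a file in chunks so large distfiles do not need to fit in memory."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, entries, alg="md5"):
    """True iff the file's digest matches the distinfo entry for its name."""
    expected = entries.get((alg, Path(path).name))
    if expected is None:
        return False  # no recorded checksum at all: treat as a failure
    return hmac.compare_digest(digest_file(path, alg), expected)


def demo():
    """Constructed scenario (hypothetical data): a mirror serving a distfile and a
    checksum file beside it, versus a distinfo recorded out of band."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        mirror = Path(tmp)
        distfile = mirror / "sendmail.8.12.6.tar.gz"
        colocated = mirror / "sendmail.8.12.6.tar.gz.md5"

        genuine = b"constructed stand-in for the genuine tarball\n"
        distfile.write_bytes(genuine)
        line = f"MD5 ({distfile.name}) = {digest_file(distfile)}\n"
        colocated.write_text(line)
        # The out-of-band copy (think: distinfo in the ports tree, fetched
        # from a different host at a different time) is taken now and kept.
        out_of_band = parse_distinfo(line)

        results["genuine_colocated"] = verify_file(distfile, parse_distinfo(colocated.read_text()))
        results["genuine_out_of_band"] = verify_file(distfile, out_of_band)

        # The mirror later serves a modified file together with a checksum
        # file regenerated to match it, which is the case the mail describes.
        distfile.write_bytes(genuine + b"constructed extra bytes\n")
        colocated.write_text(f"MD5 ({distfile.name}) = {digest_file(distfile)}\n")

        results["modified_colocated"] = verify_file(distfile, parse_distinfo(colocated.read_text()))
        results["modified_out_of_band"] = verify_file(distfile, out_of_band)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'OK' if ok else 'MISMATCH'}")
```

The co-located checksum passes in both halves of the scenario, so it detects nothing; only the digest that was recorded separately, before the mirror changed, flags the modified file. That separation of the checksum from the download channel, not the choice of hash function, is what makes the distinfo check meaningful, and the same reasoning applies to a PGPKEYS file fetched from the same server as the signature it is supposed to validate.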