Date: Sun, 24 Mar 2002 00:34:57 -0800 From: Kris Kennaway <kris@obsecurity.org> To: dill@canada.com Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Security of downloaded binary (packages) Message-ID: <20020324003457.A44609@xor.obsecurity.org> In-Reply-To: <20020324072243.3398.cpmta@c009.snv.cp.net>; from dill@canada.com on Sat, Mar 23, 2002 at 11:22:43PM -0800 References: <20020324072243.3398.cpmta@c009.snv.cp.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--rwEMma7ioTxnRzrJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sat, Mar 23, 2002 at 11:22:43PM -0800, dill@canada.com wrote: > If someone poisoned my DNS and put a fake entry instead of > ftp.freebsd.org then I could download torjan instead of what I want. Correct. You'll have to decide for yourself whether the risk is worth the benefit. Cryptographically signing packages is something we've thought about, and will probably start doing at some point in the future. It will take a bit of work to set up the infrastructure though. > Are there MD5 signature of package files that I can verify ?? If you can't trust your DNS, how can you trust an MD5 signature you download from an untrusted source? MD5 isn't actually a signature, it's a checksum. Kris --rwEMma7ioTxnRzrJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8nY+wWry0BWjoQKURAiUOAJ9GscnKnvUHJkFcQeXxXpf0wQi7GgCfbSiX vo5ca2o4zNHjadqsQS3iXn8= =E+oU -----END PGP SIGNATURE----- --rwEMma7ioTxnRzrJ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020324003457.A44609>