Date: Wed, 9 Oct 2002 14:03:57 -0400
From: Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To: security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID: <20021009140357.A6605@dali.cs.wm.edu>
In-Reply-To: <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca>; from mike@sentex.net on Wed, Oct 09, 2002 at 01:13:51PM -0400
References: <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <4.3.2.7.2.20021008174734.029e9e00@localhost> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <20021009170117.GJ10532@techometer.net> <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca>
On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:
> At 10:01 AM 09/10/2002 -0700, Erick Mechler wrote:
> >Additionally, you would have had to explicitly tell your build to continue
> >after it warned you about a mismatch in the MD5 sums. All the more reason
> >you should really trust the MD5 sums in your distinfo files :)
>
> One thing to note about MD5 sums is that if someone broke into an ftp site
> and uploaded a trojaned file, why not upload a new matching MD5 checksum
> file as well? Granted, you can use pgp to sign the file, but how many
> people would notice that no one else has 'signed' the key or that a whole
> whack of seemingly legit people signed the key? I mean there is a PGPKEYS
> file there, but why not just upload your own PGPKEYS file as well?
>
> ---Mike
>

He's talking about md5 sums on _your_ computer, not the ftp server.
The port system has an md5 sum (and some others too) stored with each port
in the file named distinfo. When you check out the port, if _that_ md5 sum
doesn't correspond to the downloaded tar.gz, the port system will refuse to
build it. Thus, you put the trust in the FreeBSD maintainer who stored the
md5 sum in the distinfo file on _your_ computer, instead of the sysadmin of
the ftp site in question, where the md5 sum file could have been changed.

The point is that the ftp site's md5 sum is not checked; FreeBSD's md5 sum
_is_ checked.

Best regards,

--
Zvezdan Petkovic <zvezdan@cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
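The check Zvezdan describes, as an added example that is not FreeBSD's own ports code: a small parser for the distinfo line format ("MD5 (file) = hex", and the later "SHA256 (file) = hex" and "SIZE (file) = n" lines) and a verifier that consults only the locally stored distinfo. Any checksum file fetched from the same server as the tarball is deliberately never an input. The tarball bytes and the distinfo entries below are constructed for the demo.

```python
"""Verify a downloaded distfile against a local distinfo, ports-style.

Added example, not FreeBSD's code. Only the distinfo entry that shipped with
the port (on _your_ machine) is trusted; a .md5 file sitting next to the
tarball on the ftp server is not consulted at all.
"""
import hashlib
import re

# Real distinfo line shape: "<ALGO> (<filename>) = <value>"
DISTINFO_LINE = re.compile(r"^(MD5|SHA256|SIZE)\s+\((\S+)\)\s*=\s*(\S+)$")


def parse_distinfo(text):
    """Return {filename: {"MD5": hex, "SHA256": hex, "SIZE": int}}."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            continue  # blank lines, TIMESTAMP and other non-checksum lines
        algo, name, value = m.groups()
        entries.setdefault(name, {})[algo] = (
            int(value) if algo == "SIZE" else value.lower()
        )
    return entries


def verify_distfile(name, data, distinfo):
    """Return (ok, reason). Every sum recorded for `name` must match;
    a file with no distinfo entry is rejected rather than trusted."""
    expected = distinfo.get(name)
    if expected is None:
        return False, "no distinfo entry for %s" % name
    if "SIZE" in expected and len(data) != expected["SIZE"]:
        return False, "size mismatch"
    for algo in ("MD5", "SHA256"):
        if algo in expected:
            if hashlib.new(algo.lower(), data).hexdigest() != expected[algo]:
                return False, "%s mismatch" % algo
    return True, "ok"


# Constructed sample: the tarball the maintainer checked, and a tampered one.
GOOD_TARBALL = b"constructed tarball contents for the demo\n"
TROJANED_TARBALL = GOOD_TARBALL + b"extra bytes an attacker appended\n"
DISTINFO = "MD5 (foo-1.0.tar.gz) = %s\nSHA256 (foo-1.0.tar.gz) = %s\nSIZE (foo-1.0.tar.gz) = %d\n" % (
    hashlib.md5(GOOD_TARBALL).hexdigest(),
    hashlib.sha256(GOOD_TARBALL).hexdigest(),
    len(GOOD_TARBALL),
)

if __name__ == "__main__":
    info = parse_distinfo(DISTINFO)
    print(verify_distfile("foo-1.0.tar.gz", GOOD_TARBALL, info))      # (True, 'ok')
    print(verify_distfile("foo-1.0.tar.gz", TROJANED_TARBALL, info))  # (False, 'size mismatch')
```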