Date: Wed, 9 Oct 2002 14:03:57 -0400
From: Zvezdan Petkovic
To: security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID: <20021009140357.A6605@dali.cs.wm.edu>

On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:
> At 10:01 AM 09/10/2002 -0700, Erick Mechler wrote:
> >Additionally, you would have had to explicitly told your build to continue
> >after it warned you about a mismatch in the MD5 sums. All the more reason
> >you should really trust the MD5 sums in your distinfo files :)
>
>
> One thing to note about MD5 sums, is that if someone broke into an ftp site
> and uploaded a trojaned file, why not upload a new matching MD5 checksum
> file as well ? Granted, you can use pgp to sign the file, but how many
> people would notice that no one else has 'signed' the key or that a whole
> whack of seemingly legit people signed the key ? I mean there is a PGPKEYS
> file there, but why not just upload your own PGPKEYS file as well ?
>
>         ---Mike
>

He's talking about md5 sums on _your_ computer, not the ftp server.

The port system has an md5 sum (and some others too) stored with each port in
the file named distinfo. When you check out the port, if _that_ md5 sum
doesn't correspond to the downloaded tar.gz, the port system will refuse
to build it.

Thus, you put the trust in a FreeBSD maintainer who stored the md5 sum
in the distinfo file on _your_ computer, instead of the sysadmin of the ftp
site in question, where the md5 sum file could have been changed.

The point is that the ftp site's md5 sum is not checked;
FreeBSD's md5 sum _is_ checked.

Best regards,
--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/
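The check described in the message above, as an added example that is not part of the original post and is not the ports system's own code: a download is compared against the checksums recorded locally in a distinfo-style file, never against a checksum file fetched from the same ftp site. The port name, the byte strings and the helper names are constructed for illustration.

```python
import hashlib
import re

# BSD-style checksum line, e.g. "MD5 (foo-1.0.tar.gz) = <hexdigest>"
LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_distinfo(text):
    """Return {filename: {algorithm: hexdigest}} for algorithms hashlib knows."""
    sums = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1).lower() in hashlib.algorithms_available:
            algo, name, digest = m.groups()
            sums.setdefault(name, {})[algo.lower()] = digest.lower()
    return sums

def verify(name, data, distinfo_text):
    """True only if every digest recorded for `name` matches `data`."""
    recorded = parse_distinfo(distinfo_text).get(name)
    if not recorded:
        return False  # no usable local record: refuse, do not trust the download
    return all(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in recorded.items())

def bsd_line(algo, name, data):
    """Helper for the sample data: format one checksum line for `data`."""
    return f"{algo.upper()} ({name}) = {hashlib.new(algo, data).hexdigest()}"

# Constructed sample data (hypothetical port "foo-1.0").
NAME = "foo-1.0.tar.gz"
GENUINE = b"genuine release tarball bytes"
TROJANED = b"tarball replaced on the compromised ftp site"

# What the maintainer committed; it lives in the ports tree on your machine.
LOCAL_DISTINFO = "\n".join(bsd_line(a, NAME, GENUINE) for a in ("md5", "sha256"))
# What sits next to the replaced file on the ftp site.
MIRROR_MD5_FILE = bsd_line("md5", NAME, TROJANED)

if __name__ == "__main__":
    # The site's own checksum file agrees with whatever the site serves.
    print("mirror checksum file accepts replaced file:",
          verify(NAME, TROJANED, MIRROR_MD5_FILE))
    # The locally stored distinfo does not, so the build stops here.
    print("local distinfo accepts replaced file:",
          verify(NAME, TROJANED, LOCAL_DISTINFO))
    print("local distinfo accepts genuine file:",
          verify(NAME, GENUINE, LOCAL_DISTINFO))
```

The local check is only as trustworthy as the channel that delivered the ports tree itself, which is the trust in the FreeBSD maintainer that the message refers to.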