Date:      Mon, 13 Jan 2003 10:52:08 -0500
From:      Anthony Schneider <anthony@x-anthony.com>
To:        "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc:        "Nathan J. Yoder" <njyoder@gummibears.nu>, freebsd-security@FreeBSD.ORG
Subject:   Re: digital signatures for downloads
Message-ID:  <20030113155208.GA20328@x-anthony.com>
In-Reply-To: <20030113145330.GA78337@madman.nectar.cc>
References:  <6121584208.20030113005107@gummibears.nu> <20030113145330.GA78337@madman.nectar.cc>

i think his point might be that there is only a link provided, and not
the hash itself, in the advisory.  of course, it's a signature and not
just an md5 hash, so i don't see it as a big problem.

-Anthony.

On Mon, Jan 13, 2003 at 08:53:30AM -0600, Jacques A. Vidrine wrote:
> On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
> >              While the FreeBSD security advisories are signed, they
> > don't include secure hashes of the patches, rather they just provide
> > an insecure FTP link. 
> 
> Patches are also signed.  For example, from the latest advisory:
> 
>   ``
>   a) Download the relevant patch from the location below, and verify the
>   detached PGP signature using your PGP utility.
> 
>   # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
>   # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
>   ''
> 
> The `.asc' file is the detached signature.
> 
> 
> But I agree that packages, et cetera should also be signed.
> Many of the tools are already there, but we have processes to work on.
> 
> Cheers,
> -- 
> Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
> NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
> jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
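
Added example (not part of the original messages or of the FreeBSD advisory): a fail-closed check of the detached signature described above, assuming GnuPG is the PGP utility. It goes one step past a bare `gpg --verify`, which exits 0 for a good signature from any key in the keyring, by requiring that the signing key match a pinned fingerprint. `sig_ok`, `verify_patch` and `PINNED_FPR` are hypothetical names, and the fingerprint is a constructed placeholder, not a real FreeBSD key.

```shell
#!/bin/sh
# Constructed placeholder. Replace with the fingerprint of the signing key,
# obtained over a channel you trust (not the same FTP server as the patch).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# sig_ok FPR
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names FPR as the signing key or as its primary key, and no line reports a
# bad, unverifiable, expired or revoked signature. Empty input fails.
sig_ok() {
    want=$1
    valid=1
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # Last field of VALIDSIG is the primary key fingerprint.
                primary=${rest##* }
                if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then
                    valid=0
                fi ;;
        esac
    done
    return $valid
}

# verify_patch PATCH SIG
# Runs gpg on the detached signature and applies sig_ok to its status output.
# If gpg is missing or prints nothing, the result is failure.
verify_patch() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_ok "$PINNED_FPR"
}

# Usage, with the file names from the advisory quoted above:
#   verify_patch filedesc.patch filedesc.patch.asc && echo "signature OK"
```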
