Date: Mon, 13 Jan 2003 10:52:08 -0500
From: Anthony Schneider <anthony@x-anthony.com>
To: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc: "Nathan J. Yoder" <njyoder@gummibears.nu>, freebsd-security@FreeBSD.ORG
Subject: Re: digital signatures for downloads
Message-ID: <20030113155208.GA20328@x-anthony.com>
In-Reply-To: <20030113145330.GA78337@madman.nectar.cc>
References: <6121584208.20030113005107@gummibears.nu> <20030113145330.GA78337@madman.nectar.cc>
i think his point might be that there is only a link provided, and not the hash itself, in the advisory.  of course, it's a signature and not just an md5 hash, so i don't see it as a big problem.
-Anthony.

On Mon, Jan 13, 2003 at 08:53:30AM -0600, Jacques A. Vidrine wrote:
> On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
> > While the FreeBSD security advisories are signed, they
> > don't include secure hashes of the patches, rather they just provide
> > an insecure FTP link.
>
> Patches are also signed.  For example, from the latest advisory:
>
> ``
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
> ''
>
> The `.asc' file is the detached signature.
>
> But I agree that packages, et cetera should also be signed.
> Many of the tools are already there, but we have processes to work on.
>
> Cheers,
> --
> Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
> NTT/Verio SME      .     FreeBSD UNIX     .       Heimdal Kerberos
> jvidrine@verio.net .  nectar@FreeBSD.org  .          nectar@kth.se
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
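The advisory step quoted above ("verify the detached PGP signature using your PGP utility") has a caveat the thread does not spell out: `gpg --verify` exits 0 for any good signature, including one made by a key nobody expected, so a script that only checks the exit status accepts a patch signed by the wrong key. The script below is an added example written for this archive page; it is not code from the FreeBSD project or from anyone in the thread. It reads gpg's machine-readable `--status-fd` lines and accepts the patch only when the `VALIDSIG` fingerprint matches a pinned value. The pinned fingerprint, the key user ID and the three status transcripts are constructed placeholders, not the real FreeBSD Security Officer key; the live path (`verify_detached`) assumes `gpg` is on `PATH` and the signing key has already been imported.

```python
"""Accept a detached PGP signature on a patch only if the pinned key made it.

Added example for the freebsd-security thread on signed patches; not
FreeBSD project code.  gpg reports a good signature with exit status 0
regardless of which key made it, so the fingerprint on the VALIDSIG
status line is checked against a pinned value instead of trusting the
exit status alone.
"""
import shutil
import subprocess
from typing import Dict, Optional, Set

# Assumed fingerprint of the key expected to sign advisory patches.
# Placeholder value, not the real FreeBSD Security Officer key.
PINNED_FINGERPRINTS: Set[str] = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed `gpg --status-fd 1 --verify` output: good signature, pinned key.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Security Officer <so@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-01-13 1042460000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: good signature, but by some other key (gpg still exits 0).
STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <else@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2003-01-13 1042460000 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the patch was modified after signing.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Security Officer <so@example.org>
"""


def parse_status(status: str) -> Dict[str, Optional[object]]:
    """Extract the verdict and signing-key fingerprint from gpg status lines.

    Only lines prefixed "[GNUPG:] " are considered; anything else gpg prints
    (warnings about untrusted keys, for instance) is ignored here.
    """
    result: Dict[str, Optional[object]] = {
        "goodsig": False,
        "failed": False,
        "fingerprint": None,
    }
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["goodsig"] = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            result["failed"] = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # Field 2 is the full fingerprint of the key that made the signature.
            result["fingerprint"] = fields[2].upper()
    return result


def signature_acceptable(status: str, pinned: Set[str] = PINNED_FINGERPRINTS) -> bool:
    """Policy: a good signature, no failure keyword, and a pinned fingerprint."""
    verdict = parse_status(status)
    return bool(verdict["goodsig"]) and not verdict["failed"] and verdict["fingerprint"] in pinned


def verify_detached(patch_path: str, sig_path: str,
                    pinned: Set[str] = PINNED_FINGERPRINTS) -> bool:
    """Run gpg on a patch and its detached .asc and apply the pinned-key policy.

    Requires gpg on PATH and the signing key already in the keyring.  The
    exit status is deliberately not consulted; only the status lines are.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, patch_path],
        capture_output=True, text=True,
    )
    return signature_acceptable(proc.stdout, pinned)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: verify_patch.py filedesc.patch filedesc.patch.asc
        print("accepted" if verify_detached(sys.argv[1], sys.argv[2]) else "rejected")
    else:
        for name, status in (("good", STATUS_GOOD), ("wrong key", STATUS_WRONG_KEY),
                             ("bad", STATUS_BAD)):
            print(f"{name}: {'accepted' if signature_acceptable(status) else 'rejected'}")
```

Run with no arguments to see the policy applied to the three constructed transcripts; run with a patch and its `.asc` to verify a real download. The pinned-fingerprint check is what turns "the `.asc` file is the detached signature" into an actual trust decision: without it, any key in the keyring, trusted or not, yields a passing verification.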
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030113155208.GA20328>