Date: Wed, 9 Oct 2002 13:16:37 -0700
From: Claus Assmann
To: security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID: <20021009131637.A15913@zardoc.esmtp.org>

On Wed, Oct 09, 2002, Mike Tancsa wrote:

> Sorry, I should have been more clear. I was speaking more to the
> general issue of a user downloading both the binary and checksum from the
> same source as is / was the case with ftp.sendmail.org.

For sendmail the MD5 sums are in the PGP signed announcements. If you can verify the PGP signature of the announcements and you can "trust" the PGP key, then you're as safe as if you do the same check for the PGP signature of the tar file itself.
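
The check described in the reply above, as an added example (not part of the original message and not sendmail.org's own tooling): take the MD5 sums only from the text gpg reports as signed, then compare the downloaded file against them. The checksum line layout, the file name and the sample data are assumptions constructed for illustration.

```python
import hashlib
import re
import subprocess

# Assumed announcement layout: one "<32 hex digits>  <file name>" pair per line.
MD5_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+)\s*$")


def signed_text(announcement_path):
    """Return only the text covered by a good signature from a key in the keyring.

    gpg exits non-zero when the signature is bad or the key is unknown, so
    check=True turns that into an exception. Parsing gpg's output rather than
    the raw file ignores anything placed outside the signed block. Whether
    the signing key itself is trusted remains the reader's decision.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--decrypt", announcement_path],
        capture_output=True, check=True)
    return result.stdout.decode("utf-8", "replace")


def md5_table(text):
    """Map file name -> lower-case MD5 hex digest for every checksum line."""
    table = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line)
        if m:
            digest, name = m.group(1).lower(), m.group(2)
            # Two different sums for one name make the announcement ambiguous.
            if table.setdefault(name, digest) != digest:
                raise ValueError("conflicting MD5 sums for " + name)
    return table


def matches_announcement(text, name, data):
    """True only if `name` is listed in the signed text and `data` hashes to it."""
    expected = md5_table(text).get(name)
    return expected is not None and hashlib.md5(data).hexdigest() == expected


# Constructed sample: file name, content and announcement body are made up.
SAMPLE_DATA = b"constructed tarball bytes\n"
SAMPLE_TEXT = (
    "Example 1.0 is available.\n\nMD5 signatures:\n\n"
    + hashlib.md5(SAMPLE_DATA).hexdigest() + "  example-1.0.tar.gz\n")
```

In use, `matches_announcement(signed_text(path), file_name, file_bytes)` ties the file to the signature; a file name absent from the signed text is treated as a failure, not as "nothing to check".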