Date: Wed, 9 Oct 2002 13:35:01 -0700
From: Nicholas Esborn
To: security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID: <20021009203501.GA67010@carbon.berkeley.netdot.net>
In-Reply-To: <20021009131637.A15913@zardoc.esmtp.org>
User-Agent: Mutt/1.5.1i

On Wed, Oct 09, 2002 at 01:16:37PM -0700, Claus Assmann wrote:
> For sendmail the MD5 sums are in the PGP signed announcements. If
> you can verify the PGP signature of the announcements and you can
> "trust" the PGP key, then you're as safe as if you do the same check
> for the PGP signature of the tar file itself.
Sendmail's method is good for hand installations, or for integration by hand into systems like the ports tree, but it doesn't directly provide for automation. A common method for verifying distfiles against separately administrated checksums would be very useful. I like the checksum server idea.

-nick

-- 
Nicholas Esborn
Unix Systems Administrator
Berkeley, California
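As an added illustration, not code from this thread or from the Sendmail project, here is roughly what automating the hand check described above looks like in Python: run gpg over the clearsigned announcement, parse its MD5 (or SHA256) lines, and compare every listed distfile against them. The filenames and digests inside demo_report() are constructed, not a real release.

```python
import hashlib, pathlib, re, subprocess, tempfile

CHECKSUM_RE = re.compile(r"^(MD5|SHA256)\s*\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_checksums(text):
    """Map filename -> (algo, hexdigest) from lines like "MD5 (foo.tar.gz) = <hex>"."""
    return {name: (algo.lower(), digest.lower())
            for algo, name, digest in CHECKSUM_RE.findall(text)}

def digest_of_file(path, algo):
    """Hash in 64 KiB chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_distfiles(checksums, distdir):
    """Return {filename: 'ok'|'mismatch'|'missing'}; only the basename of each
    listed file is used, so a path in the announcement cannot escape distdir."""
    report = {}
    for name, (algo, expected) in checksums.items():
        path = pathlib.Path(distdir, pathlib.Path(name).name)
        if not path.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if digest_of_file(path, algo) == expected else "mismatch"
    return report

def verify_release(announcement_path, distdir):
    """The hand check automated. gpg succeeds only for a key already in the local
    keyring, so importing and checking that key out of band stays a manual step;
    the checksums are consulted only after the signature verifies."""
    if subprocess.run(["gpg", "--batch", "--verify", str(announcement_path)],
                      capture_output=True).returncode != 0:
        raise RuntimeError("announcement signature did not verify; not using its checksums")
    text = pathlib.Path(announcement_path).read_text(errors="replace")
    return check_distfiles(parse_checksums(text), distdir)

def demo_report():
    """Constructed data, not a real release: one good file, one altered, one absent."""
    announcement = ("MD5 (sendmail.8.12.6.tar.gz) = 5d41402abc4b2a76b9719d911017c592\n"
                    "SHA256 (sendmail.8.12.6.tar.gz.sig) = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\n"
                    "MD5 (sendmail.8.12.6.tar.gz.asc) = 0cc175b9c0f1b6a831c399e269772661\n")
    distdir = tempfile.mkdtemp()
    pathlib.Path(distdir, "sendmail.8.12.6.tar.gz").write_bytes(b"hello")     # matches its sum
    pathlib.Path(distdir, "sendmail.8.12.6.tar.gz.sig").write_bytes(b"hellp")  # altered
    return check_distfiles(parse_checksums(announcement), distdir)
```

Wiring this into a fetch step means a distfile is only unpacked when its name appears in the report with 'ok'; a file the announcement never mentions is not vouched for at all.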