Date: Wed, 9 Oct 2002 13:47:37 +0000
From: Dragos Ruiu <dr@kyx.net>
To: security@FreeBSD.ORG, Claus Assmann <freebsd+security@esmtp.org>
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID: <200210091347.37912.dr@kyx.net>
In-Reply-To: <20021009131637.A15913@zardoc.esmtp.org>
References: <20021009193436.GF84472@xor.obsecurity.org> <5.1.1.6.0.20021009154208.05e43d98@marble.sentex.ca> <20021009131637.A15913@zardoc.esmtp.org>
On October 9, 2002 08:16 pm, Claus Assmann wrote:
> On Wed, Oct 09, 2002, Mike Tancsa wrote:
> > Sorry, I should have been more clear. I was speaking more to
> > the general issue of a user downloading both the binary and checksum from
> > the same source as is / was the case with ftp.sendmail.org.
>
> For sendmail the MD5 sums are in the PGP signed announcements. If
> you can verify the PGP signature of the announcements and you can
> "trust" the PGP key, then you're as safe as if you do the same check
> for the PGP signature of the tar file itself.
And as long as the announcements that went out were the ones that left
and the checksums mailed were good.
If that server is back to trusted now, another authoritative method would be
code diffs. (find . -type f -exec diff -u \{\} ../oldsendmail/\{\} \;)
--
dr@kyx.net pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
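The verification chain Claus describes, written out as an added example (not code from this thread or from the sendmail project): the MD5 sums in the announcement are only acted on after the PGP signature on the announcement itself verifies, and the key's trustworthiness is still a decision made outside the script. The `MD5 (file) = hex` line format, the `gpg --verify` invocation and the function names are assumptions.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Assumed line format, as produced by BSD md5(1):  MD5 (sendmail.8.12.6.tar.gz) = <32 hex digits>
SUM_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{32})\s*$")

def parse_md5_lines(announcement: str) -> dict:
    """Map file name -> expected MD5 (lowercase hex) found in the announcement body."""
    sums = {}
    for line in announcement.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group("name")] = m.group("hex").lower()
    return sums

def md5_of_file(path: Path) -> str:
    """MD5 of a downloaded file, read in chunks so large tarballs are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def gpg_signature_valid(signed_announcement: Path) -> bool:
    """True iff gpg verifies the clearsigned announcement against a key already in the
    local keyring. Whether that key is the right one is decided out of band, not here."""
    r = subprocess.run(["gpg", "--batch", "--verify", str(signed_announcement)],
                       capture_output=True)
    return r.returncode == 0

def verify_downloads(announcement: str, signature_valid: bool, downloads) -> dict:
    """Check each download against the announcement's sums; per-file result is
    'ok', 'MISMATCH' or 'not listed'. Refuses to proceed unless the signature
    verified: unsigned sums fetched from the same host as the tarball prove nothing."""
    if not signature_valid:
        raise ValueError("announcement signature did not verify; checksums are untrusted")
    expected = parse_md5_lines(announcement)
    result = {}
    for path in map(Path, downloads):
        want = expected.get(path.name)
        if want is None:
            result[path.name] = "not listed"
        elif md5_of_file(path) == want:
            result[path.name] = "ok"
        else:
            result[path.name] = "MISMATCH"
    return result
```

Typical use is `verify_downloads(announcement_text, gpg_signature_valid(Path("announce.asc")), ["sendmail.8.12.6.tar.gz"])`, with the announcement text taken from the same clearsigned file.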
