From owner-freebsd-security Wed Oct 9 13:48:46 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA8C637B401 for ; Wed, 9 Oct 2002 13:48:43 -0700 (PDT)
Received: from post.kyx.net (s216-232-31-82.bc.hsia.telus.net [216.232.31.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5AC0C43E4A for ; Wed, 9 Oct 2002 13:48:43 -0700 (PDT) (envelope-from dr@kyx.net)
Content-Type: text/plain; charset="iso-8859-1"
From: Dragos Ruiu
Reply-To: dr@kyx.net
Organization: all terrain ninjas
To: security@FreeBSD.ORG, Claus Assmann
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Date: Wed, 9 Oct 2002 13:47:37 +0000
X-Mailer: KYX CP/M FNORD 5602
References: <20021009193436.GF84472@xor.obsecurity.org> <5.1.1.6.0.20021009154208.05e43d98@marble.sentex.ca> <20021009131637.A15913@zardoc.esmtp.org>
In-Reply-To: <20021009131637.A15913@zardoc.esmtp.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200210091347.37912.dr@kyx.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On October 9, 2002 08:16 pm, Claus Assmann wrote:
> On Wed, Oct 09, 2002, Mike Tancsa wrote:
> > Sorry, I should have been more clear. I was speaking more to
> > the general issue of a user downloading both the binary and checksum from
> > the same source as is / was the case with ftp.sendmail.org.
>
> For sendmail the MD5 sums are in the PGP signed announcements. If
> you can verify the PGP signature of the announcements and you can
> "trust" the PGP key, then you're as safe as if you do the same check
> for the PGP signature of the tar file itself.

And as long as the announcements that went out were the ones that left and the checksums mailed were good.
If that server is back to trusted now, another authoritative method would be code diffs.
(find -type f -exec diff -u \{\} ../oldsendmail/\{\} )

-- 
dr@kyx.net pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question of
whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
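The two checks discussed in this thread, an MD5 sum taken from a signed announcement rather than from the download mirror, and a file-by-file comparison of the unpacked tree against a known-good copy, as an added example that is not part of the original exchange and not sendmail's or FreeBSD's own tooling. The announcement text, file names, digests and directory trees below are constructed for the demonstration; the PGP signature check on the announcement (for example `gpg --verify`) is assumed to have been done and passed before its sums are trusted, and is not performed here.

```python
import filecmp
import hashlib
import os
import re
import tempfile

# Constructed announcement body (not a real sendmail release announcement).
# Per the thread, this text is only worth anything after its PGP signature
# has been verified against a key you already trust; that step is assumed.
# The digests are MD5("abc") and MD5("") so the demo files can be tiny.
ANNOUNCEMENT = """\
A new sendmail release is available from ftp.sendmail.org.

MD5 (sendmail-release.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
MD5 (sendmail-release.tar.gz.sig) = d41d8cd98f00b204e9800998ecf8427e
"""

SUM_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{32})$", re.MULTILINE)


def parse_sums(text):
    """Map file name -> announced MD5 hex digest from 'MD5 (name) = hex' lines."""
    return {m.group("name"): m.group("digest") for m in SUM_RE.finditer(text)}


def md5_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so a large tarball is not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, sums):
    """Compare the downloaded file's digest with the announced one.
    Returns (ok, expected, actual); a name absent from the announcement
    fails rather than silently passing."""
    expected = sums.get(os.path.basename(path))
    actual = md5_file(path)
    return (expected is not None and expected == actual, expected, actual)


def _files_under(root):
    """Relative paths of every regular file below root."""
    out = set()
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            out.add(os.path.relpath(os.path.join(dirpath, n), root))
    return out


def tree_diff(new_root, old_root):
    """Programmatic form of the `find -type f -exec diff -u ...` idea:
    compare an unpacked tree against a known-good copy by content and
    report changed, added and missing relative paths (sorted)."""
    new_files, old_files = _files_under(new_root), _files_under(old_root)
    changed = [p for p in new_files & old_files
               if not filecmp.cmp(os.path.join(new_root, p),
                                  os.path.join(old_root, p), shallow=False)]
    return {"changed": sorted(changed),
            "added": sorted(new_files - old_files),
            "missing": sorted(old_files - new_files)}


def demo():
    """Build constructed downloads and source trees in a temp dir, run both checks."""
    sums = parse_sums(ANNOUNCEMENT)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "download", "sendmail-release.tar.gz")
        bad = os.path.join(tmp, "tampered", "sendmail-release.tar.gz")
        for p, body in ((good, b"abc"), (bad, b"abd")):  # one byte differs
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(body)
        old = os.path.join(tmp, "oldsendmail")  # known-good copy
        new = os.path.join(tmp, "newsendmail")  # freshly unpacked tree
        for root, files in ((old, {"src/conf.c": "int x = 1;\n", "README": "ok\n"}),
                            (new, {"src/conf.c": "int x = 2;\n", "README": "ok\n",
                                   "src/extra.c": "\n"})):
            for rel, body in files.items():
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "w") as f:
                    f.write(body)
        return {"download_ok": verify_download(good, sums)[0],
                "tampered_ok": verify_download(bad, sums)[0],
                "tree": tree_diff(new, old)}


if __name__ == "__main__":
    print(demo())
```

The value of the first check rests entirely on where the sums came from: a digest fetched from the same server as the tarball proves nothing if that server was compromised, which is why the thread ties it to the signed announcement. The tree comparison is the fallback when the mirror's trustworthiness is in doubt, since it surfaces exactly which files differ from a copy obtained earlier.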