Date: Wed, 9 Oct 2002 14:34:48 -0700 (PDT)
From: Mike Hoskins
To: security@FreeBSD.ORG
Subject: md5 checksum server
In-Reply-To: <20021009203501.GA67010@carbon.berkeley.netdot.net>
Message-ID: <20021009142623.Q88247-100000@fubar.adept.org>

On Wed, 9 Oct 2002, Nicholas Esborn wrote:
> A common method for verifying distfiles against separately administrated
> checksums would be very useful. I like the checksum server idea.

This wouldn't be hard. Write a script that grabs the MD5 checksums from the ports collection (on a server that's trusted and up to date) and turns the MD5 sums into TXT records in a md5.somedomain.com DNS zone. Then people can issue queries like sendmail.a.b.c.md5.somedomain.com and get the MD5 sum returned for sendmail version a.b.c. Think portsdb.org, but for md5 sums instead of TCP and UDP ports.

As for how useful this really is... Well, is it any harder to grab the MD5 sum from the vendor and compare yourself vs. doing a DNS lookup? Probably not.
Also, while the vendor sites/sums can certainly be compromised, some would argue adding a third-party source for the sums just creates another attack vector.
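The zone-building script and the lookup comparison described in the message above, as an added example that is not part of the original post. The `MD5 (file) = sum` input format, the distfile-to-name mapping, the function names and the sample sums are assumptions constructed for illustration.

```python
import hashlib
import re

ZONE = "md5.somedomain.com"  # zone name used in the post
# Assumed input line shape: MD5 (distfile) = <32 hex digits>
DISTINFO_RE = re.compile(r"^MD5 \((?P<file>[^)/]+)\) = (?P<sum>[0-9a-fA-F]{32})$")
ARCHIVE_RE = re.compile(r"\.(tar\.gz|tar\.bz2|tgz|zip)$")
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample input; the sums are MD5("") and MD5("hello").
SAMPLE = """MD5 (sendmail.8.12.6.tar.gz) = D41D8CD98F00B204E9800998ECF8427E
SIZE (sendmail.8.12.6.tar.gz) = 0
MD5 (openssh-3.4p1.tgz) = 5d41402abc4b2a76b9719d911017c592
MD5 (../evil name.tar.gz) = 5d41402abc4b2a76b9719d911017c592
"""

def owner_name(distfile):
    """Map 'sendmail.8.12.6.tar.gz' to 'sendmail.8.12.6.md5.somedomain.com.'
    (assumed mapping; the post only gives the name.a.b.c shape)."""
    stem = ARCHIVE_RE.sub("", distfile.lower())
    # Treat a 'name-1.2.3' distfile like 'name.1.2.3'.
    stem = re.sub(r"-(?=\d)", ".", stem, count=1)
    labels = stem.split(".")
    # Refuse anything that is not a plain hostname label, so a hostile
    # file name cannot inject extra records or directives into the zone.
    if not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"cannot map {distfile!r} to DNS labels")
    return ".".join(labels + [ZONE]) + "."

def zone_records(distinfo_text):
    """Yield one zone-file TXT line per well-formed MD5 entry."""
    for line in distinfo_text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if not m:
            continue  # other line types and malformed entries are skipped
        yield f'{owner_name(m["file"])} IN TXT "{m["sum"].lower()}"'

def verify(data, txt_value):
    """Client side: compare the MD5 of fetched bytes with the TXT answer."""
    expected = txt_value.strip().strip('"').lower()
    return hashlib.md5(data).hexdigest() == expected

if __name__ == "__main__":
    for record in zone_records(SAMPLE):
        print(record)
```

The comparison is only as trustworthy as the DNS answer: without a signed zone, whoever can alter the response on the path controls the expected sum.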