Date: Wed, 9 Oct 2002 14:47:01 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: security@FreeBSD.ORG
Subject: Re: md5 checksum server
Message-ID: <20021009144421.B88247-100000@fubar.adept.org>
In-Reply-To: <20021009142623.Q88247-100000@fubar.adept.org>

On Wed, 9 Oct 2002, Mike Hoskins wrote:
> As for how useful this really is... Well, is it any harder to grab the
> MD5 sum from the vendor and compare yourself vs. doing a DNS lookup?
> Probably not. Also, while the vendor sites/sums can certainly be
> compromised, some would argue adding a third-party source for the sums
> just creates another attack vector.

As an aside, what if someone worked up a standard/RFC detailing accepted naming conventions for md5 sums? If there was some standardization (i.e. software.version.md5 in the same directory the distfile is retrieved from, many follow similar conventions already), then FTP clients (including things like wget) could be modified to automagically compare md5 sums on download when they exist.
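An added example (not part of the original message): a minimal client-side check for the sidecar convention proposed above. It assumes the sum lives at the distfile URL plus `.md5` and accepts BSD `md5`, GNU `md5sum` or bare-hex content; `fetch_verified`, `parse_md5_sidecar` and the `example.org` mirror are hypothetical names. A sum served from the same directory catches a damaged transfer, while a compromised site, as the quoted text notes, can replace both files.

```python
import hashlib
import re

# Sidecar line formats: BSD "MD5 (name) = hex", GNU "hex  name", or bare hex.
BSD_RE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{32})$")
GNU_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})(?:\s+\*?(?P<name>.+))?$")


def parse_md5_sidecar(text, filename):
    """Return the lowercase digest listed for filename, or None if absent."""
    for line in text.splitlines():
        m = BSD_RE.match(line.strip()) or GNU_RE.match(line.strip())
        # A bare digest (no name) is taken to apply to the requested file.
        if m and m.group("name") in (None, filename):
            return m.group("hex").lower()
    return None


def fetch_verified(url, fetch):
    """Fetch url, then compare it with its sidecar if one exists.

    fetch(url) returns bytes, or None when the object does not exist.
    Returns (data, "verified") or (data, "no-sidecar"); raises ValueError
    when a sidecar exists but is unusable or does not match.
    """
    data = fetch(url)
    if data is None:
        raise FileNotFoundError(url)
    sidecar = fetch(url + ".md5")  # assumed naming convention
    if sidecar is None:
        return data, "no-sidecar"
    filename = url.rsplit("/", 1)[-1]
    expected = parse_md5_sidecar(sidecar.decode("ascii", "replace"), filename)
    if expected is None:
        raise ValueError("sidecar has no entry for " + filename)
    actual = hashlib.md5(data).hexdigest()
    if actual != expected:
        raise ValueError("MD5 mismatch for %s: got %s, listed %s"
                         % (filename, actual, expected))
    return data, "verified"


# Constructed in-memory "mirror" so the example runs offline.
GOOD = b"constructed distfile contents\n"
GOOD_SUM = hashlib.md5(GOOD).hexdigest()
BASE = "ftp://example.org/pub/"
MIRROR = {
    BASE + "foo-1.0.tar.gz": GOOD,
    BASE + "foo-1.0.tar.gz.md5": ("MD5 (foo-1.0.tar.gz) = %s\n" % GOOD_SUM).encode(),
    BASE + "bar-2.0.tar.gz": b"truncated or altered contents",
    BASE + "bar-2.0.tar.gz.md5": ("%s  bar-2.0.tar.gz\n" % GOOD_SUM).encode(),
    BASE + "baz-3.0.tar.gz": b"no sum published for this one",
}
```

Passing `MIRROR.get` as `fetch` exercises all three outcomes; a real client would supply its own FTP or HTTP fetch function with the same signature.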