Date:      Sun, 10 Jan 2016 15:01:30 -0500
From:      James Keener <jim@jimkeener.com>
To:        Dmitry Morozovsky <marck@rinet.ru>, Clint Armstrong <clint@clintarmstrong.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Signed Checksums for release archives
Message-ID:  <A1A4E096-547E-4855-B661-55C82BF53CB0@jimkeener.com>
In-Reply-To: <alpine.BSF.2.00.1601102251350.68529@woozle.rinet.ru>
References:  <CAJMTyCFBmpZ7LppyhCik_4JY7YsXmWiX6U%2B5JUrwdHpp8=Ru3w@mail.gmail.com> <alpine.BSF.2.00.1601101716520.68529@woozle.rinet.ru> <CAJMTyCGZSR-zBtihseyodocfo9Yz6O8n=Qy4Xv-7ocSYj%2BMYsw@mail.gmail.com> <alpine.BSF.2.00.1601102251350.68529@woozle.rinet.ru>

That doesn't help if a mirror is compromised or control is lost. Those already downloaded installers can't update their mirror list.

Jim

On January 10, 2016 2:54:44 PM EST, Dmitry Morozovsky <marck@rinet.ru> wrote:
>On Sun, 10 Jan 2016, Clint Armstrong wrote:
>
>> The signed checksums linked on that page only include checksums for the
>> .img and .iso images. Not for the .txz archives.
>
>Ah I see.  But nevertheless, these .txz's are almost always accessed from the
>installer, which selects only approved mirror from well-defined list, and
>connects to them over TLS...
>
>
>-- 
>Sincerely,
>D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
>[ FreeBSD committer:                                 marck@FreeBSD.org ]
>------------------------------------------------------------------------
>*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
>------------------------------------------------------------------------

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
From owner-freebsd-security@freebsd.org  Sun Jan 10 21:07:42 2016
References: <CAJMTyCFBmpZ7LppyhCik_4JY7YsXmWiX6U+5JUrwdHpp8=Ru3w@mail.gmail.com>
 <alpine.BSF.2.00.1601101716520.68529@woozle.rinet.ru>
 <CAJMTyCGZSR-zBtihseyodocfo9Yz6O8n=Qy4Xv-7ocSYj+MYsw@mail.gmail.com>
 <alpine.BSF.2.00.1601102251350.68529@woozle.rinet.ru>
 <A1A4E096-547E-4855-B661-55C82BF53CB0@jimkeener.com>
In-Reply-To: <A1A4E096-547E-4855-B661-55C82BF53CB0@jimkeener.com>
From: Clint Armstrong <clint@clintarmstrong.net>
Date: Sun, 10 Jan 2016 21:07:31 +0000
Message-ID: <CAJMTyCGENaExqsEFitzRdGNMtMk3CUUzzyz+x04Z=GM40=mq2w@mail.gmail.com>
Subject: Re: Signed Checksums for release archives
To: James Keener <jim@jimkeener.com>, Dmitry Morozovsky <marck@rinet.ru>
Cc: freebsd-security@freebsd.org

My use case is for creating Jails. I'm trying to script downloading and
extracting an archive for a jail and would like to be able to verify the
download.

On Sun, Jan 10, 2016 at 3:01 PM James Keener <jim@jimkeener.com> wrote:

> That doesn't help if a mirror is compromised or control is lost. Those
> already downloaded installers can't update their mirror list.
>
> Jim
>
>
> On January 10, 2016 2:54:44 PM EST, Dmitry Morozovsky <marck@rinet.ru>
> wrote:
>>
>> On Sun, 10 Jan 2016, Clint Armstrong wrote:
>>
>>> The signed checksums linked on that page only include checksums for the
>>> .img and .iso images. Not for the .txz archives.
>>>
>>
>> Ah I see.  But nevertheless, these .txz's are almost always accessed from the
>> installer, which selects only approved mirror from well-defined list, and
>> connects to them over TLS...
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
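
For the jail-scripting use case above, an added example (not part of the original thread and not FreeBSD project code): it checks a downloaded .txz against BSD-style `SHA256 (name) = hex` lines and fails closed when the archive is not listed, which is the gap discussed in this thread. It assumes the checksum text has already had its signature verified by other means and that a list covering the .txz files is available; the file names and contents are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style digest line, as printed by FreeBSD's sha256(1): SHA256 (name) = hex
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")


def parse_checksums(text):
    """Map file name -> hex digest; one name with two digests is rejected."""
    sums = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # signature armor, blank lines, other algorithms
        name, digest = m["name"], m["hex"]
        if sums.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name}")
    return sums


def verify_archive(path, sums):
    """Return 'ok', 'mismatch' or 'unlisted'; only 'ok' should be extracted."""
    path = Path(path)
    expected = sums.get(path.name)
    if expected is None:
        return "unlisted"  # fail closed: no trusted digest for this archive
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return "ok" if hmac.compare_digest(h.hexdigest(), expected) else "mismatch"


def demo():
    """Constructed sample: a list that covers base.txz but not lib32.txz."""
    with tempfile.TemporaryDirectory() as d:
        base, lib32 = Path(d, "base.txz"), Path(d, "lib32.txz")
        base.write_bytes(b"constructed base archive")
        lib32.write_bytes(b"constructed lib32 archive")
        good = hashlib.sha256(b"constructed base archive").hexdigest()
        listing = f"SHA256 (disc1.iso) = {'0' * 64}\nSHA256 (base.txz) = {good}\n"
        sums = parse_checksums(listing)
        results = [verify_archive(base, sums), verify_archive(lib32, sums)]
        base.write_bytes(b"tampered on the mirror")  # same name, new bytes
        results.append(verify_archive(base, sums))
        return results
```
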


