Date: Wed, 9 Oct 2002 15:02:56 -0700
From: Erick Mechler
To: Mike Hoskins
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum server

:: As an aside, what if someone worked up a standard/RFC detailing accepted
:: naming conventions for md5 sums. If there was some standardization
:: (I.e. software.version.md5 in the same directory the distfile is retrieved
:: from, many follow similar conventions already), then FTP clients
:: (including things like wget) could be modified to automagically compare
:: md5 sums on download when they exist.

Unless I'm misunderstanding what you're proposing, this still doesn't prevent someone from modifying both the tarball and the MD5 file. PGP signatures are an even better method, and harder to spoof.
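
Added example, not part of the original message: the reply's point shown on constructed files, with the client running the proposed co-located .md5 check and a signature check side by side. An openssl RSA signature stands in for a PGP signature so that no keyring is needed; the software-1.0.tar.gz name, the publisher key file names and the temp-dir "mirror" are assumptions.

```shell
#!/bin/sh
# Added example; all file names and contents below are constructed.
set -eu

md5_of() { openssl dgst -md5 -r "$1" | cut -d' ' -f1; }

# The proposed client behaviour: compare the distfile with <distfile>.md5
# fetched from the same directory.
check_md5() { [ "$(md5_of "$1")" = "$(cut -d' ' -f1 "$1.md5")" ]; }

# Signature check: <distfile>.sig must verify under a public key ($2) that
# the client obtained separately from the mirror.
check_sig() {
    openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

verdict() { if "$@"; then echo pass; else echo FAIL; fi; }

demo() {
    work=$(mktemp -d)
    mkdir "$work/mirror"
    dist=$work/mirror/software-1.0.tar.gz
    key=$work/publisher.key      # never placed on the mirror
    pub=$work/publisher.pub      # client's copy, obtained out of band

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$key" 2>/dev/null
    openssl pkey -in "$key" -pubout -out "$pub"

    # Publisher uploads the release, its checksum and its signature.
    printf 'original release\n' > "$dist"
    md5_of "$dist" > "$dist.md5"
    openssl dgst -sha256 -sign "$key" -out "$dist.sig" "$dist"
    echo "as published: md5=$(verdict check_md5 "$dist") sig=$(verdict check_sig "$dist" "$pub")"

    # The mirror's copy of both the tarball and the .md5 file is changed.
    # The .sig cannot be regenerated without publisher.key.
    printf 'modified release\n' > "$dist"
    md5_of "$dist" > "$dist.md5"
    echo "after change: md5=$(verdict check_md5 "$dist") sig=$(verdict check_sig "$dist" "$pub")"

    rm -rf "$work"
}

demo
```

The checksum comparison still passes after the change because the .md5 file lives beside the tarball; the signature check fails because its trust anchor is the public key, which is not stored on the mirror.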