Date: Tue, 27 Aug 2002 22:30:16 +0200
From: Alex Kiesel
To: Erick Mechler
Cc: David Olbersen, freebsd-security@FreeBSD.ORG
Subject: Re: Ports are insecure?
Message-ID: <20020827203016.GA10858@schlund.de>
References: <20020827165347.GA12522@slickness.org> <20020827170508.GI90157@techometer.net>
In-Reply-To: <20020827170508.GI90157@techometer.net>

On Aug 27, 2002, Erick Mechler wrote:
> Not just anybody can contribute to a FreeBSD port entry; the commit still
> has to be done by an authorized committer. However, it's true that just
> about anybody's software package can become a port, so if you just blindly
> start installing ports, you might, on rare occasions, install a piece of
> software that's been trojaned (take the recent OpenSSH trojan for example).

As the ports collection has a checksum for every file that is needed, it
should not be a big problem to avoid installing trojanized software.
IIRC you could not install OpenSSH without ignoring checksum alerts.

Cheers,
Alex

--
Alex Kiesel
PGP Key: 0x09F4FA11
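
The checksum check the message relies on, shown as an added example that is not part of the original e-mail and is not the ports framework's own code. It assumes BSD-style `ALGO (file) = value` checksum lines as found in a port's distinfo file; the function names, the file name and the sample data are constructed for illustration.

```python
import hashlib
import re

# BSD-style checksum lines, e.g. "SHA256 (foo-1.0.tar.gz) = <hex digest>"
# and "SIZE (foo-1.0.tar.gz) = <bytes>".
LINE_RE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")
DIGESTS = {"MD5": "md5", "SHA256": "sha256"}  # MD5 only for legacy entries

def parse_distinfo(text):
    """Return {filename: {"SIZE": int, "SHA256": hex, ...}}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines without a "(file)" part, e.g. TIMESTAMP, or blanks
        kind, name, value = m.groups()
        entries.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries

def verify_distfile(name, data, entries):
    """Return a list of mismatches; an empty list means the file matches."""
    expected = entries.get(name)
    if not expected:
        return [f"{name}: no checksum recorded"]  # fail closed
    problems = []
    if "SIZE" in expected and expected["SIZE"] != len(data):
        problems.append(f"{name}: SIZE mismatch")
    recorded = [k for k in DIGESTS if k in expected]
    if not recorded:
        problems.append(f"{name}: no supported digest recorded")
    for kind in recorded:
        if hashlib.new(DIGESTS[kind], data).hexdigest() != expected[kind]:
            problems.append(f"{name}: {kind} mismatch")
    return problems

# Constructed sample: a stand-in distfile and the checksums recorded for it.
CLEAN = b"constructed distfile contents\n"
TAMPERED = CLEAN + b"altered after the checksum was recorded\n"
DISTINFO = (
    "TIMESTAMP = 1030480216\n"
    f"SHA256 (example-1.0.tar.gz) = {hashlib.sha256(CLEAN).hexdigest()}\n"
    f"SIZE (example-1.0.tar.gz) = {len(CLEAN)}\n"
)

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, verify_distfile("example-1.0.tar.gz", blob, entries) or "OK")
```

A mismatch only shows that the distfile differs from the one the checksum was recorded for; a file that was already altered when its checksum was recorded would still pass.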