From owner-freebsd-security Sun Feb 23 17:48:16 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F0EC537B401 for ; Sun, 23 Feb 2003 17:48:13 -0800 (PST)
Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0AE7E43FB1 for ; Sun, 23 Feb 2003 17:48:13 -0800 (PST) (envelope-from klaus@kobold.compt.com)
Date: Sun, 23 Feb 2003 20:48:04 -0500
From: Klaus Steden
To: Dru
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum on ports.tar.gz
Message-ID: <20030223204804.T623@cthulu.compt.com>
References: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca>; from dlavigne6@cogeco.ca on Sun, Feb 23, 2003 at 01:22:41PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>
> I admit it's been a while since I downloaded ports.tar.gz as I usually
> build from trusted media. I was demonstrating to a student the other day
> how to verify an MD5 checksum on a downloaded file and went to use
> ports.tar.gz as an example and was dismayed when I couldn't find the
> checksum. Is it just well hidden or is there a reason why this file does
> not have one?
>
> I realize that this file changes often, but isn't it worth calculating a
> checksum on? Especially after the high profile cases we saw last year of
> open source ftp sites getting trojaned?
>

Isn't it the responsibility of the maintainer of an individual port to
provide proper checksums of the software in question? Keeping an MD5 sum of
the entire ports tree would prove rather difficult, in my opinion, since
it's such a fast-moving target to track.

Much easier to let that responsibility rest with those immediately concerned
with individual packages. You could use one of the packages in the ports
tree in your example, though, since the build process checks the integrity
of the existing sum, and will abort unless directed otherwise if there is a
mismatch.

Klaus

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
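The check Klaus points the student at, the per-port checksum step that aborts the build on a mismatch, as an added example that is not part of the thread and not the ports framework's own code. It assumes a distinfo-style file of `MD5 (distfile) = <hex>` lines (the format the ports tree used at the time; today's distinfo records SHA256 and SIZE instead), and it picks whichever MD5 tool the host provides (`md5` on FreeBSD, `md5sum` on GNU systems, `openssl` as a fallback). The sample distfile and its distinfo entry are constructed inline.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the ports checksum step. It looks up
# the recorded digest for a downloaded distfile, recomputes it, and refuses
# to continue on a mismatch, which is what makes the ports build abort.

# Print the MD5 hex digest of a file, portably across FreeBSD and GNU hosts.
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Look up the recorded digest for a distfile name in a distinfo-style file.
# Prints the hex digest, or nothing when there is no entry for that name.
recorded_md5() {
    distinfo=$1; name=$2
    awk -v n="$name" '$1 == "MD5" && $2 == "(" n ")" { print $4 }' "$distinfo"
}

# Verify a downloaded distfile against distinfo.
# Returns 0 on match, 1 on mismatch, 2 when distinfo has no entry for it.
verify_distfile() {
    distinfo=$1; path=$2
    name=$(basename "$path")
    expected=$(recorded_md5 "$distinfo" "$name")
    if [ -z "$expected" ]; then
        echo "$name: no MD5 entry in $distinfo" >&2
        return 2
    fi
    actual=$(md5_of "$path")
    if [ "$actual" != "$expected" ]; then
        echo "$name: checksum mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "$name: MD5 OK"
    return 0
}

# Demo on constructed data: the hex value is the MD5 of the six bytes "hello\n".
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/demo-1.0.tar.gz"
    printf 'MD5 (demo-1.0.tar.gz) = b1946ac92492d2347c6235b4d2611184\n' > "$dir/distinfo"
    verify_distfile "$dir/distinfo" "$dir/demo-1.0.tar.gz"
    # A tampered download: one extra byte and the digest no longer matches.
    printf 'hello\n\n' > "$dir/demo-1.0.tar.gz"
    verify_distfile "$dir/distinfo" "$dir/demo-1.0.tar.gz" || echo "build would abort here (status $?)"
    rm -rf "$dir"
}
demo
```

The lookup is keyed on the distfile's basename, so a renamed or substituted archive fails with "no MD5 entry" rather than being silently accepted; the mismatch path returns non-zero so a caller under `set -e` stops exactly where a ports build would.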