Date: Thu, 10 Oct 2002 14:31:31 +1300 (NZDT)
From: Andrew McNaughton
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum server

On Wed, 9 Oct 2002, Garrett Wollman wrote:

> < said:
>
> > be kept, but would it be worthwhile to add PGP signatures to ports?
>
> Most people have no better connection to the PGP Web of Trust than
> they do to the FreeBSD CVS repository, so there is effectively no
> difference.  That is to say, I can make a signature that claims to be
> signed by "Andrew McNaughton " almost as easily as
> I can make an unsigned MD5 checksum.  Only people who have already
> been introduced to your real PGP key would know the difference.

Given that the ports are distributed by FreeBSD.org, it would only be
necessary to have one signing key which signs the signatures that are
expected to match the tarballs.  The public master key could be
distributed once, and present on any newly installed system.

Andrew McNaughton
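
The single-master-key scheme proposed in the message above, sketched as an added example; it is not part of the original post and is not FreeBSD's tooling. Assumptions: SHA-256 stands in for MD5, the RSA key is a constructed demo key, and the manifest format and file name are made up.

```python
import hashlib

# Constructed demo key (two Mersenne primes) so this runs on the standard
# library alone. A real master key is generated randomly and kept offline.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public half: pinned on every install
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: held by the project only
K = (N.bit_length() + 7) // 8          # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign_manifest(manifest: bytes) -> int:
    """Project side: sign the list of expected checksums."""
    return pow(_encode(manifest), D, N)


def verify_distfile(name: str, data: bytes, manifest: bytes, signature: int) -> str:
    """Client side: trust the manifest only if the pinned key signed it."""
    if not 0 < signature < N or pow(signature, E, N) != _encode(manifest):
        return "manifest signature invalid"
    listed = {}
    for line in manifest.decode().splitlines():
        digest, fname = line.split()
        listed[fname] = digest
    if listed.get(name) != hashlib.sha256(data).hexdigest():
        return "checksum mismatch"
    return "ok"


# Constructed sample input: one tarball and the manifest that lists it.
TARBALL = b"constructed tarball contents"
MANIFEST = f"{hashlib.sha256(TARBALL).hexdigest()}  foo-1.0.tar.gz\n".encode()
SIGNATURE = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(verify_distfile("foo-1.0.tar.gz", TARBALL, MANIFEST, SIGNATURE))
```

A mirror that swaps both the tarball and the checksum list is caught at the signature check, which is the case an unsigned checksum cannot cover.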