From owner-freebsd-security Mon Feb 24 12: 0:43 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA13537B401 for ; Mon, 24 Feb 2003 12:00:40 -0800 (PST) Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id B8A4143F75 for ; Mon, 24 Feb 2003 12:00:35 -0800 (PST) (envelope-from freebsd-security-local@be-well.no-ip.com) Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.198] (may be forged)) by be-well.ilk.org (8.12.7/8.12.6) with ESMTP id h1OK0Z4l014940 for ; Mon, 24 Feb 2003 15:00:35 -0500 (EST) (envelope-from freebsd-security-local@be-well.no-ip.com) Received: (from lowell@localhost) by be-well.ilk.org (8.12.7/8.12.6/Submit) id h1OK0Y4W014937; Mon, 24 Feb 2003 15:00:34 -0500 (EST) X-Authentication-Warning: be-well.ilk.org: lowell set sender to freebsd-security-local@be-well.ilk.org using -f To: freebsd-security@freebsd.org Subject: Re: md5 checksum on ports.tar.gz References: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca> <20030223204804.T623@cthulu.compt.com> <20030223205522.C71353@dhcp-17-14.kico2.on.cogeco.ca> From: Lowell Gilbert Date: 24 Feb 2003 15:00:34 -0500 In-Reply-To: <20030223205522.C71353@dhcp-17-14.kico2.on.cogeco.ca> Message-ID: <44smud1mal.fsf@be-well.ilk.org> Lines: 13 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > You could use one of the packages in the ports tree in your example, though, > > since the build process checks the integrity of the existing sum, and will > > abort unless directed otherwise if there is a mismatch. > > > Thanks. I have done just that in the past which is why I was so surprised > that ports.tar.gz did not have one as well :-) But that doesn't help for security, because you'd be getting the checksum from the same place as the file it was checking. I've occasionally considered adding a checksum anyway as a check against accidental corruption, but it wouldn't change your exposure to *intentional* file changes at all. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message