From owner-freebsd-questions@FreeBSD.ORG Fri Jan 2 17:50:49 2009
From: Matt
To: cpghost
Cc: freebsd-questions@freebsd.org
Date: Fri, 2 Jan 2009 11:26:45 -0600
In-Reply-To: <20090102164412.GA1258@phenom.cordula.ws>
Subject: Re: Foiling MITM attacks on source and ports trees

On Fri, Jan 2, 2009 at 10:44 AM, cpghost wrote:
> Hello,
>
> with MITM attacks [1] on the rise, I'm concerned about the integrity
> of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup
> (and portsnap) from master or mirror servers.
>
> [1] http://en.wikipedia.org/wiki/Man-in-the-middle_attack
>
> There's already a small protection against MITM on the distfiles in
> ports: distinfo contains md5 and sha256 digests. This is an excellent
> idea that could be extended to *all* files in /usr/src, /usr/doc, and
> /usr/ports.
>

Something like this was discussed back in September:
http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/026052.html

I haven't tried Max's script yet, but it looks like it should do at least some of what you're looking for.

Matt
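To make the quoted proposal concrete, here is an added example (not Max's script and not part of this thread) that writes distinfo-style `SHA256 (...)` and `SIZE (...)` lines for every file under a tree and later verifies the tree against them, reporting altered, missing and unexpected files; the sample tree, file names and contents are constructed for the demo.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_distinfo(tree):
    """distinfo-style lines (SHA256 and SIZE) for every regular file under tree."""
    root = Path(tree)
    lines = []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        lines.append(f"SHA256 ({rel}) = {sha256_file(p)}")
        lines.append(f"SIZE ({rel}) = {p.stat().st_size}")
    return lines

def verify_tree(tree, lines):
    """Sorted (relpath, problem) pairs; an empty list means the tree matches."""
    root = Path(tree)
    expected = {}
    for line in lines:  # parse "KIND (name) = value" back into a per-file dict
        kind, rest = line.split(" (", 1)
        name, value = rest.rsplit(") = ", 1)
        expected.setdefault(name, {})[kind] = value
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems = []
    for name, want in sorted(expected.items()):
        if name not in present:
            problems.append((name, "missing"))
        elif (str((root / name).stat().st_size) != want.get("SIZE")
              or sha256_file(root / name) != want.get("SHA256")):
            problems.append((name, "digest mismatch"))
    problems += [(name, "not in distinfo") for name in sorted(present - expected.keys())]
    return problems

def demo():
    """Constructed sample tree: record it, then alter one file and add another."""
    with TemporaryDirectory() as d:
        (Path(d) / "Makefile").write_text("PORTNAME=demo\n")
        (Path(d) / "files").mkdir()
        (Path(d) / "files" / "patch-aa").write_text("--- a\n+++ b\n")
        manifest = make_distinfo(d)
        clean = verify_tree(d, manifest)
        (Path(d) / "Makefile").write_text("PORTNAME=demo\nCATEGORIES=misc\n")
        (Path(d) / "files" / "extra").write_text("added later\n")
        return clean, verify_tree(d, manifest)
```

The digests only help if the manifest itself reaches the client over a channel the attacker does not control (for example, signed and checked against a locally held key), otherwise whoever rewrites the tree can rewrite the manifest too.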