From: William Fletcher
To: chat@freebsd.org
Date: Mon, 23 Jun 2003 16:20:59 +0200
Subject: Re: Cryptographically enabled ports tree.
Message-ID: <20030623142058.GF24407@tulip.epweb.co.za>
In-Reply-To: <3EF70AEA.9FAC92A9@mindspring.com>
List-Id: Non technical items related to the community

All I really want, is to know that my /usr/src and /usr/ports
aren't screwed up, can't be trojaned by somebody on my local lan.
I don't trust local networks, especially ones with all sorts
of clowns running all sorts of installations.

On Mon, Jun 23, 2003 at 07:12:58AM -0700, Terry Lambert wrote:
> William Fletcher wrote:
> > One other thing while I'm at making a clown of myself.
> >
> > Wouldn't it be an absolute joke if someone rooted a redhat box on
> > your network, dns poisoned for cvsup.*.freebsd.org and promptly
> > found a way to create a cvsup-mirror on another machine
> > with modified source.
> >
> > They could then trojan /usr/src and /usr/ports and probably gain
> > root on all your machines running FreeBSD, quick and easy.
> >
> > Just wanted the general public's opinion of that too.
> >
> > Anyway, home time, expect interesting responses on Monday morning.
> > (Will sign up to security-general again).
> >
> > PS. Some people work for companies which inflict redhat on them. :/
>
> FWIW: If they did this, they'd just declare themselves a signing
> authority, and sign the trojan'ed packages themselves. All you've
> done by introducing signatures is add one more hoop for them to
> jump through. At the same time, you've made ports quit working
> over code changes, which is something that was one of the best
> benefits of the ports tree in the first place.
>
> -- Terry

--
William Fletcher (ultraviolet)
Powered by http://www.FreeBSD.org/
IT Administrator, EPWeb networks.
irc at irc.epweb.co.za
http://www.epweb.co.za/ http://vision.za.net/irc/
Tel: +27 (041) 395 6800
Fax: +27 (041) 395 6818
Support: support@epweb.co.za
My New Year's resolution will be to not get stressed by linux and its users.
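
Added example (not part of the original message, and not FreeBSD or cvsup code): the exchange above turns on which public key a client checks a signature against, so this sketch compares a client that trusts the key shipped with the download to one that pins a fingerprint obtained out of band. A Lamport one-time signature built on SHA-256 stands in for PGP because Python's standard library has no signature primitive; the bundle layout, function names and tree contents are constructed for illustration.

```python
import hashlib
import os

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. A real key must sign only once.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(msg)), sig))

def fingerprint(pk):
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

def accept_unpinned(bundle):
    # Weak: trusts whichever public key arrives with the download.
    return verify(bundle["pk"], bundle["tree"], bundle["sig"])

def accept_pinned(bundle, pinned_fp):
    # Stronger: the key must match a fingerprint obtained out of band.
    return (fingerprint(bundle["pk"]) == pinned_fp
            and verify(bundle["pk"], bundle["tree"], bundle["sig"]))

def demo():
    proj_sk, proj_pk = keygen()
    pinned = fingerprint(proj_pk)          # assumed installed before any fetch
    good, bad = b"constructed: unmodified tree", b"constructed: modified tree"
    genuine = {"tree": good, "pk": proj_pk, "sig": sign(proj_sk, good)}
    rogue_sk, rogue_pk = keygen()          # self-declared signing authority
    rogue = {"tree": bad, "pk": rogue_pk, "sig": sign(rogue_sk, bad)}
    replay = {"tree": bad, "pk": proj_pk, "sig": genuine["sig"]}
    return {"genuine_pinned": accept_pinned(genuine, pinned),
            "rogue_unpinned": accept_unpinned(rogue),
            "rogue_pinned": accept_pinned(rogue, pinned),
            "replay_pinned": accept_pinned(replay, pinned)}

if __name__ == "__main__":
    print(demo())
```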