Date:      Tue, 6 Feb 2001 12:13:57 +0200 (IST)
From:      Roman Shterenzon <roman@xpert.com>
To:        Wes Peters <wes@softweyr.com>
Cc:        Markus Holmberg <markush@acc.umu.se>, <freebsd-security@freebsd.org>, <freebsd-ports@freebsd.org>
Subject:   Re: Package integrity check?
Message-ID:  <Pine.LNX.4.30.0102061213060.9678-100000@jamus.xpert.com>
In-Reply-To: <3A7F9AB6.5CAA983B@softweyr.com>

On Mon, 5 Feb 2001, Wes Peters wrote:

> Markus Holmberg wrote:
> >
> > Hello.
> >
> > Is there any way to perform an integrity check on packages that are fetched
> > with "pkg_add -r <packagename>"?
> >
> > (Similarly to building a package manually with a trusted /usr/ports and
> > checksumming downloaded files)
> >
> > I assume there is no way to do integrity checking on packages, which
> > leads me to the question if the general opinion among the security
> > conscious is that packages (from untrusted parties, like any ftp site on
> > the mirror list) should not be used at all?
>
> I have package signing tools, integrated into the pkg_ commands, sitting
> on Freefall waiting to be committed.  They let you sign a package with
> an MD5 checksum (this mechanism is a little weird, inherited from the
> OpenBSD code), a PGP signature (this code is also inherited from OpenBSD,
> uses PGP 2.xx command line tools, and kinda sucks in my opinion) and
Hmm.. GnuPG flags support would be nice.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]


