From owner-freebsd-questions  Sun Mar 24  0: 0:51 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net [168.100.1.4])
	by hub.freebsd.org (Postfix) with ESMTP id D5DA537B417
	for <freebsd-questions@FreeBSD.ORG>; Sun, 24 Mar 2002 00:00:45 -0800 (PST)
Received: from earl-grey.cloud9.net (earl-grey.cloud9.net [168.100.1.1])
	by russian-caravan.cloud9.net (Postfix) with ESMTP
	id 2121C28EA3; Sun, 24 Mar 2002 03:00:45 -0500 (EST)
Date: Sun, 24 Mar 2002 03:00:45 -0500 (EST)
From: Peter Leftwich <Hostmaster@Video2Video.Com>
X-X-Sender:  <pete@earl-grey.cloud9.net>
To: <dill@canada.com>
Cc: FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: Security of downloaded binary (packages)
In-Reply-To: <20020324072243.3398.cpmta@c009.snv.cp.net>
Message-ID: <20020324025302.P27780-100000@earl-grey.cloud9.net>
Organization: Video2Video Services - http://Www.Video2Video.Com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On 23 Mar 2002 dill@canada.com wrote:
> I am trying to do a pkg_add -r "pkg name" but I feel that this really does not protect myself from downloading trojan horses.

List, I think I can field this one :) and apparently, there is a limit to
how paranoid we can be in life *don't worry, I definitely empathise!*

"pkg_add -r" uses your system's ftp binary to go out to a trusted source:
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-[your `uname -a` here]/Latest/[pkg-name here].tgz

> If someone poisoned my DNS and put a fake entry instead of ftp.freebsd.org then I could download torjan instead of what I want.  Are there MD5 signature of package files that I can verify ??

MD5 IMHO is a very Micro$oftly construct; That is, not necessary to daily
[computing] life.  If you are concerned about trojans, buy LifeStyles
instead.  (I am such a comedian this evening!)

Seriously, if you are really worried, then read up on sftp (secure ftp) to
download the *.tgz file, then gunzip then untar the archive and (check over
the security of the current code) then compile (man gcc or umm that other
one) custom binary/binaries manually.

Open source opens doors.

--
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message