From owner-freebsd-questions Sun Mar 24 0: 0:51 2002 Delivered-To: freebsd-questions@freebsd.org Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net [168.100.1.4]) by hub.freebsd.org (Postfix) with ESMTP id D5DA537B417 for ; Sun, 24 Mar 2002 00:00:45 -0800 (PST) Received: from earl-grey.cloud9.net (earl-grey.cloud9.net [168.100.1.1]) by russian-caravan.cloud9.net (Postfix) with ESMTP id 2121C28EA3; Sun, 24 Mar 2002 03:00:45 -0500 (EST) Date: Sun, 24 Mar 2002 03:00:45 -0500 (EST) From: Peter Leftwich X-X-Sender: To: Cc: FreeBSD Questions Subject: Re: Security of downloaded binary (packages) In-Reply-To: <20020324072243.3398.cpmta@c009.snv.cp.net> Message-ID: <20020324025302.P27780-100000@earl-grey.cloud9.net> Organization: Video2Video Services - http://Www.Video2Video.Com MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On 23 Mar 2002 dill@canada.com wrote: > I am trying to do a pkg_add -r "pkg name" but I feel that this really does not protect myself from downloading trojan horses. List, I think I can field this one :) and apparently, there is a limit to how paranoid we can be in life *don't worry, I definitely empathise!* "pkg_add -r" uses your system's ftp binary to go out to a trusted source: ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-[your `uname -a` here]/Latest/[pkg-name here].tgz > If someone poisoned my DNS and put a fake entry instead of ftp.freebsd.org then I could download torjan instead of what I want. Are there MD5 signature of package files that I can verify ?? MD5 IMHO is a very Micro$oftly construct; That is, not necessary to daily [computing] life. If you are concerned about trojans, buy LifeStyles instead. (I am such a comedian this evening!) Seriously, if you are really worried, then read up on sftp (secure ftp) to download the *.tgz file, then gunzip then untar the archive and (check over the security of the current code) then compile (man gcc or umm that other one) custom binary/binaries manually. Open source opens doors. -- Peter Leftwich President & Founder Video2Video Services Box 13692, La Jolla, CA, 92039 USA +1-413-403-9555 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message