Date: Sat, 3 Jan 2009 01:38:25 +0000
From: RW <rwmaillists@googlemail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Foiling MITM attacks on source and ports trees
Message-ID: <20090103013825.18910bf5@gumby.homeunix.com>
In-Reply-To: <495E4F24.80209@unsane.co.uk>
References: <20090102164412.GA1258@phenom.cordula.ws> <495E4F24.80209@unsane.co.uk>

On Fri, 02 Jan 2009 17:30:12 +0000
Vincent Hoffman <vince@unsane.co.uk> wrote:

> Admittedly this doesn't give a file by file checksum

That's not really a problem, it's no easier to create a collision in
a .gz file than a patch file.

The more substantial weakness is that the key is verified against a
hash stored on the original installation media. If someone went to the
trouble of diverting dns or routing to create a fake FreeBSD site they
would presumably make it self-consistent down to the ISO checksums.
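
The circularity described in the message above, as an added example that is not part of the original post. It models a download site as an install image, its published checksum and an update key. The image layout, the KEYPRINT line and all byte strings are constructed for illustration, and the out-of-band digest is assumed to reach the user over a channel the site operator does not control.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_site(signing_key: bytes) -> dict:
    """Model one download site (constructed data, hypothetical layout).

    The install image embeds the fingerprint of the update key, and the
    site publishes the image checksum next to the image itself.
    """
    image = (b"constructed install image\nKEYPRINT "
             + sha256_hex(signing_key).encode() + b"\n")
    return {"image": image,
            "image.sha256": sha256_hex(image),
            "pub.key": signing_key}


def keyprint_from_image(image: bytes) -> str:
    """Extract the key fingerprint stored on the installation media."""
    for line in image.splitlines():
        if line.startswith(b"KEYPRINT "):
            return line.split()[1].decode()
    raise ValueError("no KEYPRINT line in image")


def bootstrap(site: dict, trusted_image_digest: str) -> bool:
    """Accept the site's update key only if the image matches the digest
    the user trusts AND the key matches the fingerprint inside the image."""
    if sha256_hex(site["image"]) != trusted_image_digest:
        return False
    return sha256_hex(site["pub.key"]) == keyprint_from_image(site["image"])


GENUINE = build_site(b"constructed genuine public key")
FAKE = build_site(b"constructed substitute public key")  # self-consistent copy


def check_in_band(site: dict) -> bool:
    # Digest taken from the same site that served the image.
    return bootstrap(site, site["image.sha256"])


def check_out_of_band(site: dict) -> bool:
    # Digest obtained independently (assumption: it is the genuine one).
    return bootstrap(site, GENUINE["image.sha256"])
```

Every check that takes its reference value from the served site passes for both sites; only the independently obtained digest tells them apart.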