Date: Sun, 8 Jul 2001 22:11:40 -0700
From: Kris Kennaway
To: steve
Cc: freebsd-security@freebsd.org
Subject: Re: cvsup and security
Message-ID: <20010708221140.A35469@xor.obsecurity.org>
In-Reply-To: <3B492672.55E0ADC8@clublinux.org>; from steve@clublinux.org on Sun, Jul 08, 2001 at 10:35:14PM -0500

On Sun, Jul 08, 2001 at 10:35:14PM -0500, steve wrote:
> Hi,
> I've been installing a few ports (great tool btw), and I've noticed
> that typing 'make install' in an app directory will perform an md5
> checksum to verify that the download is legit and not corrupt. Is there
> anything similar done when using cvsup? Is there any way to verify that
> the ports collection update that I'm receiving through cvsup is legit
> and not "trojaned" or altered in some other way?

Not currently.

Note to all on the list: please resist the temptation to offer
suggestions for how cvsup could be improved to achieve this unless
they're in the form of patches. We all know how to do it, but the
code needs to be written.

Kris