Date: Wed, 9 Oct 2002 13:35:01 -0700
From: Nicholas Esborn <nick@netdot.net>
To: security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID: <20021009203501.GA67010@carbon.berkeley.netdot.net>
In-Reply-To: <20021009131637.A15913@zardoc.esmtp.org>
References: <20021009193436.GF84472@xor.obsecurity.org> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <4.3.2.7.2.20021008174734.029e9e00@localhost> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca> <20021009193436.GF84472@xor.obsecurity.org> <20021009193602.GG84472@xor.obsecurity.org> <5.1.1.6.0.20021009154208.05e43d98@marble.sentex.ca> <20021009131637.A15913@zardoc.esmtp.org>

On Wed, Oct 09, 2002 at 01:16:37PM -0700, Claus Assmann wrote:
> For sendmail the MD5 sums are in the PGP signed announcements. If
> you can verify the PGP signature of the announcements and you can
> "trust" the PGP key, then you're as safe as if you do the same check
> for the PGP signature of the tar file itself.

Sendmail's method is good for hand installations, or for integration by
hand into systems like the ports tree, but it doesn't directly provide
for automation. A common method for verifying distfiles against
separately administrated checksums would be very useful. I like the
checksum server idea.

-nick

--
Nicholas Esborn
Unix Systems Administrator
Berkeley, California
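
An added example, not part of the original message and not sendmail's or FreeBSD's own tooling: one way to automate the check discussed above, accepting a distfile only when separately administered checksum lists all agree with it. It assumes each list's text has already been authenticated (for instance by verifying the PGP signature on the announcement) and uses the BSD `MD5 (file) = hex` line format; the function names and the two-source requirement are assumptions, and SHA256 lines are handled as a generalization.

```python
import hashlib
import hmac
import os
import re

# BSD-style checksum line as printed by md5(1)/sha256(1): "MD5 (file) = hex"
_LINE = re.compile(r"^(MD5|SHA256) \(([^)]+)\) = ([0-9a-fA-F]+)\s*$")
_ALGOS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256}


def parse_checksums(text):
    """Map (algo, filename) -> lowercase hex digest; conflicting duplicates are an error."""
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # announcement prose, blank lines, signature armor
        key, digest = (m.group(1), m.group(2)), m.group(3).lower()
        if found.setdefault(key, digest) != digest:
            raise ValueError("conflicting entries for %s (%s)" % (key[1], key[0]))
    return found


def file_digest(path, algo):
    """Hash the file in chunks so large tarballs are not read into memory at once."""
    h = _ALGOS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfile(path, sources):
    """sources: {source name: checksum text}. Accept only if every source lists
    the file and every listed digest matches. Returns (ok, reason)."""
    name = os.path.basename(path)
    if len(sources) < 2:  # assumption: "separately administered" means at least two lists
        return False, "need at least two independent checksum sources"
    for src, text in sources.items():
        entries = {a: d for (a, n), d in parse_checksums(text).items() if n == name}
        if not entries:
            return False, "%s has no checksum for %s" % (src, name)
        for algo, expected in entries.items():
            if not hmac.compare_digest(file_digest(path, algo), expected):
                return False, "%s: %s mismatch for %s" % (src, algo, name)
    return True, "all sources agree"
```
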