From owner-freebsd-security Wed Oct 9 15:53:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42A7937B401 for ; Wed, 9 Oct 2002 15:53:39 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 016AA43E6A for ; Wed, 9 Oct 2002 15:53:39 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 266D7154D5; Wed, 9 Oct 2002 15:50:17 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 22E42154D3; Wed, 9 Oct 2002 15:50:17 -0700 (PDT) Date: Wed, 9 Oct 2002 15:50:17 -0700 (PDT) From: Mike Hoskins To: Erick Mechler Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server In-Reply-To: <20021009220256.GN10532@techometer.net> Message-ID: <20021009154809.O88571-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 9 Oct 2002, Erick Mechler wrote: > Unless I'm misunderstanding what you're proposing, this still doesn't > prevent someone from modifying both the tarball and the MD5 file. PGP > signatures are an even better method, and harder to spoof. Yes, PGP has been preferred to MD5 since its debut... So, how about a similar setup for PGP signatures? :) The main problem is laziness... And how many times have we heard that laziness is a core admin precept? So I don't think these sorts of problems will go away anytime soon. The only way to protect the innocnet then seems to "DTRT" whenever possible w/o requiring manual intervention on the part of the admin. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message