From: Marc Slemko
Date: Sat, 12 Sep 1998 20:46:08 -0700 (PDT)
To: Roger Marquis
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd

On Sat, 12 Sep 1998, Roger Marquis wrote:

> Secondly, while port A installs under /usr/, port B installs to
> /usr/local/etc and port C in /usr/libexec, ... You can never be sure

Erm... any port that does so (with rare exceptions) is broken and should be fixed.

> There's also no way to validate all of the source hosts listed in the
> Makefile. We've downloaded hacked versions of a port and had to
> redownload and recompile when the hack became obvious (through corrupt
> syslogs and attempts to grab /pwd.db).

I don't understand what you mean. What do you want to validate about the source host? That they exist? There is already a md5 in the port of the distribution tarball...