Date:      Sun, 8 Jul 2001 22:34:47 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        steve <steve@clublinux.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: cvsup and security
Message-ID:  <20010708223447.F307@blossom.cjclark.org>
In-Reply-To: <20010708221140.A35469@xor.obsecurity.org>; from kris@obsecurity.org on Sun, Jul 08, 2001 at 10:11:40PM -0700
References:  <3B492672.55E0ADC8@clublinux.org> <20010708221140.A35469@xor.obsecurity.org>

On Sun, Jul 08, 2001 at 10:11:40PM -0700, Kris Kennaway wrote:
> On Sun, Jul 08, 2001 at 10:35:14PM -0500, steve wrote:
> > Hi,
> > 	I've been installing a few ports (great tool btw), and I've noticed
> > that typing 'make install' in an app directory will perform an md5
> > checksum to verify that the download is legit and not corrupt.  Is there
> > anything similar done when using cvsup?  Is there any way to verify that
> > the ports collection update that I'm receiving through cvsup is legit
> > and not "trojaned" or altered in some other way?
> 
> Not currently.
> 
> Note to all on the list: please resist the temptation to offer
> suggestions for how cvsup could be improved to achieve this unless
> they're in the form of patches.  We all know how to do it, but the
> code needs to be written.

We do know how to do this? What trusted location would these MD5
checksums come from? If someone has slipped in malicious code on a
cvsupd server, it is relatively easy to change the MD5 sums provided
by that server to match. Or is the idea that you get files from a
random mirror, but get MD5 checksums from a different location?

I'd also like to point out that the ports are checking something
different with the MD5 sum. Since you got the MD5 hashes for the ports
from a cvsupd server, you already are trusting cvsup (unless you are
using old ones from a CD). All the MD5 hashes on ports prove is that
the tarball you download is the same one the maintainer downloaded
when he built the port skeleton. That does NOT mean that the
maintainer audited the code, checked the code, or did not insert
malicious code himself. When an MD5 check fails, the most common
reason is that a developer modified the code without changing the
version number, not that code was tampered with. 
-- 
Crist J. Clark                           cjclark@alum.mit.edu
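
The question raised above about where the checksums come from, as an added example that is not part of the original message: a manifest served by the same mirror as the files still verifies after tampering, while a manifest obtained from a separate location flags the change. File names, contents and function names are constructed for illustration, and the separate trusted channel is an assumption.

```python
import hashlib

def md5_manifest(files):
    """Map each path to the MD5 hex digest of its contents (MD5 as in the thread)."""
    return {path: hashlib.md5(data).hexdigest() for path, data in files.items()}

def verify(files, manifest):
    """Return sorted paths that are altered, unexpected, or missing per the manifest."""
    # manifest.get() returns None for paths the manifest never listed,
    # so files added by the server are flagged as well as modified ones.
    bad = [p for p, d in files.items() if manifest.get(p) != hashlib.md5(d).hexdigest()]
    missing = [p for p in manifest if p not in files]
    return sorted(bad + missing)

# Constructed sample tree as the project published it.
PUBLISHED = {
    "ports/net/example/Makefile": b"PORTNAME=example\n",
    "ports/net/example/pkg-descr": b"An example port.\n",
}

def serve_from_altered_mirror(published):
    """Model a mirror whose copy was changed and whose checksums were regenerated."""
    files = dict(published)
    files["ports/net/example/Makefile"] += b"# altered on the mirror\n"
    return files, md5_manifest(files)  # manifest recomputed to match the altered tree

def demo():
    # Assumption: this manifest reached the client by a channel the mirror
    # does not control (for example, a separately fetched, pinned copy).
    trusted_manifest = md5_manifest(PUBLISHED)
    files, mirror_manifest = serve_from_altered_mirror(PUBLISHED)
    same_channel = verify(files, mirror_manifest)    # checks the mirror against itself
    separate_channel = verify(files, trusted_manifest)
    return same_channel, separate_channel

if __name__ == "__main__":
    same, separate = demo()
    print("mismatches using mirror's own manifest:", same)
    print("mismatches using separately obtained manifest:", separate)
```
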