Date: Sun, 8 Jul 2001 23:13:11 -0700
From: Kris Kennaway
To: cjclark@alum.mit.edu
Cc: Kris Kennaway, steve, freebsd-security@FreeBSD.ORG
Subject: Re: cvsup and security
Message-ID: <20010708231310.A36630@xor.obsecurity.org>
References: <3B492672.55E0ADC8@clublinux.org> <20010708221140.A35469@xor.obsecurity.org> <20010708223447.F307@blossom.cjclark.org>
In-Reply-To: <20010708223447.F307@blossom.cjclark.org>; from cristjc@earthlink.net on Sun, Jul 08, 2001 at 10:34:47PM -0700

On Sun, Jul 08, 2001 at 10:34:47PM -0700, Crist J. Clark wrote:
> On Sun, Jul 08, 2001 at 10:11:40PM -0700, Kris Kennaway wrote:
> > On Sun, Jul 08, 2001 at 10:35:14PM -0500, steve wrote:
> > > Hi,
> > > I've been installing a few ports (great tool btw), and I've noticed
> > > that typing 'make install' in an app directory will perform an md5
> > > checksum to verify that the download is legit and not corrupt. Is there
> > > anything similar done when using cvsup? Is there any way to verify that
> > > the ports collection update that I'm receiving through cvsup is legit
> > > and not "trojaned" or altered in some other way?
> >
> > Not currently.
> >
> > Note to all on the list: please resist the temptation to offer
> > suggestions for how cvsup could be improved to achieve this unless
> > they're in the form of patches. We all know how to do it, but the
> > code needs to be written.
>
> We do know how to do this? What trusted location would these MD5
> checksums come from?

cvsup-master. It's a straightforward problem to solve, but like I
said there's no point wasting time talking about it unless someone is
prepared to write the Modula-3 code.

Kris