Date: Sun, 8 Jul 2001 23:13:11 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: cjclark@alum.mit.edu
Cc: Kris Kennaway <kris@obsecurity.org>, steve <steve@clublinux.org>, freebsd-security@FreeBSD.ORG
Subject: Re: cvsup and security
Message-ID: <20010708231310.A36630@xor.obsecurity.org>
In-Reply-To: <20010708223447.F307@blossom.cjclark.org>; from cristjc@earthlink.net on Sun, Jul 08, 2001 at 10:34:47PM -0700
References: <3B492672.55E0ADC8@clublinux.org> <20010708221140.A35469@xor.obsecurity.org> <20010708223447.F307@blossom.cjclark.org>

On Sun, Jul 08, 2001 at 10:34:47PM -0700, Crist J. Clark wrote:
> On Sun, Jul 08, 2001 at 10:11:40PM -0700, Kris Kennaway wrote:
> > On Sun, Jul 08, 2001 at 10:35:14PM -0500, steve wrote:
> > > Hi,
> > > I've been installing a few ports (great tool btw), and I've noticed
> > > that typing 'make install' in an app directory will perform an md5
> > > checksum to verify that the download is legit and not corrupt. Is there
> > > anything similar done when using cvsup? Is there anyway to verify that
> > > the ports collection update that I'm receiving through cvsup is legit
> > > and not "trojaned" or altered in some other way?
> >
> > Not currently.
> >
> > Note to all on the list: please resist the temptation to offer
> > suggestions for how cvsup could be improved to achieve this unless
> > they're in the form of patches. We all know how to do it, but the
> > code needs to be written.
>
> We do know how to do this? What trusted location would these MD5
> checksums come from?

cvsup-master. It's a straightforward problem to solve, but like I said
there's no point wasting time talking about it unless someone is
prepared to write the Modula-3 code.

Kris