Date: Sun, 23 Feb 2003 20:48:04 -0500
From: Klaus Steden <klaus@compt.com>
To: Dru <dlavigne6@cogeco.ca>
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum on ports.tar.gz
Message-ID: <20030223204804.T623@cthulu.compt.com>
In-Reply-To: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca>; from dlavigne6@cogeco.ca on Sun, Feb 23, 2003 at 01:22:41PM -0500
References: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca>
> I admit it's been a while since I downloaded ports.tar.gz as I usually
> build from trusted media. I was demonstrating to a student the other day
> how to verify an MD5 checksum on a downloaded file and went to use
> ports.tar.gz as an example and was dismayed when I couldn't find the
> checksum. Is it just well hidden or is there a reason why this file does
> not have one?
>
> I realize that this file changes often, but isn't it worth calculating a
> checksum on? Especially after the high-profile cases we saw last year of
> open source ftp sites getting trojaned?

Isn't it the responsibility of the maintainer of an individual port to provide proper checksums of the software in question? Keeping an MD5 sum of the entire ports tree would prove rather difficult, in my opinion, since it's such a fast-moving target to track. Much easier to let that responsibility rest with those immediately concerned with individual packages.

You could use one of the packages in the ports tree in your example, though, since the build process checks the integrity of the existing sum, and will abort unless directed otherwise if there is a mismatch.

Klaus

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
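The per-port check Klaus describes, as an added example that is not part of this thread or of the ports build system: a POSIX shell script that looks up the recorded `MD5 (file) = hex` line in a distinfo-style file, computes the downloaded file's digest, and refuses to continue on a mismatch or a missing entry. The sample distfile, its distinfo and a tampered copy are constructed inside the script; the digest recorded for the sample is the known MD5 of the line "hello".

```shell
#!/bin/sh
# Added example: verify a downloaded file against a distinfo-style entry.

# MD5 hex digest of a file; works with GNU md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the digest recorded for a file name in a distinfo file
# (lines of the form "MD5 (name) = hex"); prints nothing if absent.
recorded_md5() {
    distinfo=$1; name=$2
    sed -n "s/^MD5 ($name) = \([0-9a-f]\{32\}\)\$/\1/p" "$distinfo"
}

# Returns 0 when the file matches, 1 on mismatch, 2 when unlisted.
check_distinfo() {
    distinfo=$1; file=$2; name=$(basename "$file")
    expected=$(recorded_md5 "$distinfo" "$name")
    [ -n "$expected" ] || { echo ">> No MD5 entry for $name." >&2; return 2; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo ">> Checksum OK for $name."
        return 0
    fi
    echo ">> Checksum mismatch for $name: expected $expected, got $actual." >&2
    return 1
}

# Constructed sample: a tiny "distfile" containing "hello", a tampered copy
# with an extra line, and a distinfo that records the known MD5 of "hello"
# for both names. Prints the directory so callers can run the checks.
make_sample() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/sample.tar.gz"
    cp "$d/sample.tar.gz" "$d/tampered.tar.gz"
    printf 'unexpected\n' >> "$d/tampered.tar.gz"
    cat > "$d/distinfo" <<EOF
MD5 (sample.tar.gz) = b1946ac92492d2347c6235b4d2611184
MD5 (tampered.tar.gz) = b1946ac92492d2347c6235b4d2611184
EOF
    echo "$d"
}
```

Run `d=$(make_sample); check_distinfo "$d/distinfo" "$d/tampered.tar.gz" || echo "build would abort here"` to see the mismatch path.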