Date: 24 Feb 2003 15:00:34 -0500
From: Lowell Gilbert <freebsd-security-local@be-well.no-ip.com>
To: freebsd-security@freebsd.org
Subject: Re: md5 checksum on ports.tar.gz
Message-ID: <44smud1mal.fsf@be-well.ilk.org>
In-Reply-To: <20030223205522.C71353@dhcp-17-14.kico2.on.cogeco.ca>
References: <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca> <20030223204804.T623@cthulu.compt.com> <20030223205522.C71353@dhcp-17-14.kico2.on.cogeco.ca>

> > You could use one of the packages in the ports tree in your example, though,
> > since the build process checks the integrity of the existing sum, and will
> > abort unless directed otherwise if there is a mismatch.
> >
> Thanks. I have done just that in the past which is why I was so surprised
> that ports.tar.gz did not have one as well :-)

But that doesn't help for security, because you'd be getting the checksum
from the same place as the file it was checking. I've occasionally
considered adding a checksum anyway as a check against accidental
corruption, but it wouldn't change your exposure to *intentional* file
changes at all.
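
The distinction drawn in the message above, as an added example that is not part of the original e-mail: a checksum served next to the file catches accidental corruption but not a deliberate replacement, while a digest obtained over a separate channel catches both. `Mirror`, `check_same_origin` and `check_pinned` are hypothetical names, the file contents are constructed, and SHA-256 stands in for the thread's MD5 because the point does not depend on the hash.

```python
import hashlib
import hmac

NAME = "ports.tar.gz"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Mirror:
    """Constructed stand-in for a download server: file name -> bytes."""
    def __init__(self) -> None:
        self.files = {}

    def publish(self, name: str, data: bytes) -> None:
        # The server stores the file and a checksum file right beside it.
        self.files[name] = data
        self.files[name + ".sum"] = digest(data).encode()

def check_same_origin(mirror: Mirror, name: str) -> bool:
    """Verify the file against the checksum fetched from the same mirror."""
    expected = mirror.files[name + ".sum"].decode()
    return hmac.compare_digest(digest(mirror.files[name]), expected)

def check_pinned(mirror: Mirror, name: str, pinned: str) -> bool:
    """Verify the file against a digest received over a separate channel."""
    return hmac.compare_digest(digest(mirror.files[name]), pinned)

def run_scenarios() -> dict:
    """Return {scenario: (same_origin_ok, pinned_ok)} for three mirrors."""
    original = b"constructed stand-in for ports.tar.gz contents\n" * 64
    pinned = digest(original)  # assumption: reached the user out of band

    clean = Mirror()
    clean.publish(NAME, original)

    # Accidental corruption: the file changes, the checksum file does not.
    corrupted = Mirror()
    corrupted.publish(NAME, original)
    corrupted.files[NAME] = original[:-1] + b"\x00"

    # Intentional change: whoever rewrites the file rewrites the checksum too.
    replaced = Mirror()
    replaced.publish(NAME, original + b"modified\n")

    mirrors = {"clean": clean, "corrupted": corrupted, "replaced": replaced}
    return {label: (check_same_origin(m, NAME), check_pinned(m, NAME, pinned))
            for label, m in mirrors.items()}

if __name__ == "__main__":
    for label, (same_origin, pinned_ok) in run_scenarios().items():
        print(f"{label:10} same-origin={same_origin} pinned={pinned_ok}")
```

Only the `replaced` mirror separates the two checks: the same-origin comparison accepts it and the pinned digest rejects it.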