Date:      Sun, 23 Feb 2003 20:56:42 -0500 (EST)
From:      Dru <dlavigne6@cogeco.ca>
To:        Klaus Steden <klaus@compt.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: md5 checksum on ports.tar.gz
Message-ID:  <20030223205522.C71353@dhcp-17-14.kico2.on.cogeco.ca>
In-Reply-To: <20030223204804.T623@cthulu.compt.com>
References:  <20030223131402.A71353@dhcp-17-14.kico2.on.cogeco.ca> <20030223204804.T623@cthulu.compt.com>



On Sun, 23 Feb 2003, Klaus Steden wrote:

> >
> > I admit it's been a while since I downloaded ports.tar.gz as I usually
> > build from trusted media. I was demonstrating to a student the other day
> > how to verify an MD5 checksum on a downloaded file and went to use
> > ports.tar.gz as an example and was dismayed when I couldn't find the
> > checksum. Is it just well hidden or is there a reason why this file does
> > not have one?
> >
> > I realize that this file changes often, but isn't it worth calculating a
> > checksum on? Especially after the high profile cases we saw last year of
> > open source ftp sites getting trojaned?
> >
> Isn't it the responsibility of the maintainer of an individual port to provide
> proper checksums of the software in question? Keeping an MD5 sum of the entire
> ports tree would prove rather difficult, in my opinion, since it's such a
> fast-moving target to track. Much easier to let that responsibility rest with
> those immediately concerned with individual packages.
>
> You could use one of the packages in the ports tree in your example, though,
> since the build process checks the integrity of the existing sum, and will
> abort unless directed otherwise if there is a mismatch.


Thanks. I have done just that in the past, which is why I was so surprised
that ports.tar.gz did not have one as well :-)

Dru
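
The check discussed in this thread (compare a downloaded file against a recorded checksum and refuse to continue on a mismatch), as an added example that is not part of the original message or of the ports build system. It assumes the BSD-style line that md5(1) prints, `MD5 (file) = digest`; the function names and the data in demo() are constructed for illustration, and SHA256 lines in the same format are accepted as well, which goes beyond the MD5 case in the thread.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style checksum line as printed by md5(1): "MD5 (file) = <hex digest>"
LINE_RE = re.compile(r"^(MD5|SHA256) \((.+)\) = ([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA256": 64}

def parse_checksums(text):
    """Return [(algo, filename, digest)]; any unparseable line is an error."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m or len(m.group(3)) != HEX_LEN[m.group(1)]:
            raise ValueError(f"line {lineno}: bad checksum line: {line!r}")
        entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries

def file_digest(path, algo):
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # never load a whole tarball
            h.update(chunk)
    return h.hexdigest()

def verify(text, directory):
    """Return {filename: "OK" | "MISMATCH" | "MISSING"}; a failure is never overwritten."""
    results = {}
    for algo, name, expected in parse_checksums(text):
        # Keep only the final path component so the list cannot point outside `directory`.
        path = Path(directory) / Path(name).name
        if not path.is_file():
            status = "MISSING"
        elif hmac.compare_digest(file_digest(path, algo), expected):
            status = "OK"
        else:
            status = "MISMATCH"
        if results.get(name, "OK") == "OK":
            results[name] = status
    return results

def demo():
    """Constructed data: the file on disk differs from what the checksum line recorded."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ports.tar.gz").write_bytes(b"tampered")
        return verify(f"MD5 (ports.tar.gz) = {hashlib.md5(b'original').hexdigest()}", d)
```

A caller that wants the abort-on-mismatch behaviour described above should stop as soon as any value returned by verify() is not "OK".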
