Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 3 Jan 2009 01:38:25 +0000
From:      RW <>
Subject:   Re: Foiling MITM attacks on source and ports trees
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Fri, 02 Jan 2009 17:30:12 +0000
Vincent Hoffman <> wrote:
> Admittedly this doesn't give a file by file checksum

That's not really a problem, it's no easier to create a collision
in a .gz file than a patch file. 

The more substantial weakness is that the key is verified against a
hash stored on the original installation media. If someone went to the
trouble of diverting dns or routing to create a fake FreeBSD site they
would presumably make it self-consistent down to the ISO checksums.

Want to link to this message? Use this URL: <>