Date: Mon, 30 Dec 2002 20:30:03 -0800 (PST)
From: "Sergey N. Voronkov" <serg@tmn.ru>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/46629: md5 checking is a PITA.
Message-ID: <200212310430.gBV4U31t066649@freefall.freebsd.org>
The following reply was made to PR bin/46629; it has been noted by GNATS.

From: "Sergey N. Voronkov" <serg@tmn.ru>
To: Mike Meyer <mwm@mired.org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/46629: md5 checking is a PITA.
Date: Tue, 31 Dec 2002 09:29:16 +0500

On Mon, Dec 30, 2002 at 08:31:08AM -0000, Mike Meyer wrote:
> >Description:
> Checking md5 checksums is an error-prone process.
> >How-To-Repeat:
> Download something that includes the output of md5 as a CHECKSUMS
> file. Notice that to confirm the checksum requires verifying the
> rather long and unpatterned checksum string by eye.
> >Fix:
>
> md5 should have a "-c file" option, which expects the output of md5 to
> be in file, and confirms that the files listed in "file" exist and match
> the associated checksums.
>
> Yes, this requires trusting the md5 binary. On the other hand, very few
> things one is interested in downloading don't require trusting some
> system utility, like the c compiler. So this is at worst a marginal change
> in the security given by the md5 checksums to start yes.
>
> Yes, this is trivial to script. It shouldn't be required of every user.
>
> Finally, FWIW, I have an Eiffel version of md5 that implements the
> -c option, but is missing the standard options of md5. It's available
> on request.
>

#cd /var/ftp/pub/FreeBSD/releases/i386/4.7-RELEASE-p2/bin/
#md5 [a-z]* | diff - CHECKSUM.MD5

Looks like verifying is simple with current version. :-))

Serg N. Voronkov,
Sibitex JSC.
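
The check discussed in this message, written out as an added example (not part of the original e-mail and not FreeBSD's md5 code): it reads a checksum list, confirms each listed file exists and matches, and reports missing files and unparsable lines separately, which the `diff` pipeline does not distinguish. It assumes the BSD md5 output format `MD5 (name) = digest`; the function names and the sample files `bin.aa`, `bin.ab`, `bin.ac` are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# BSD md5(1) prints one line per file: "MD5 (name) = <32 hex digits>" (assumed format).
LINE_RE = re.compile(r"^MD5 \((.+)\) = ([0-9a-fA-F]{32})$")

def md5_of(path, bufsize=65536):
    """Hash a file in chunks so large release files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bufsize), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check(checksum_file):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'}, plus 'MALFORMED' per bad line."""
    base = os.path.dirname(os.path.abspath(checksum_file))
    results = {}
    with open(checksum_file, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            m = LINE_RE.match(line.rstrip("\n"))
            if not m:
                results["line %d" % lineno] = "MALFORMED"
                continue
            name, want = m.group(1), m.group(2).lower()
            path = os.path.join(base, name)
            if not os.path.isfile(path):
                results[name] = "MISSING"
            else:
                results[name] = "OK" if md5_of(path) == want else "FAILED"
    return results

def demo():
    """Constructed sample: bin.ab changes after the list is written, bin.ac never existed."""
    with tempfile.TemporaryDirectory() as d:
        lines = []
        for name, data in (("bin.aa", b"first part\n"), ("bin.ab", b"second part\n")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            lines.append("MD5 (%s) = %s" % (name, hashlib.md5(data).hexdigest()))
        lines += ["MD5 (bin.ac) = " + "0" * 32, "not a checksum line"]
        listing = os.path.join(d, "CHECKSUM.MD5")
        with open(listing, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        with open(os.path.join(d, "bin.ab"), "ab") as fh:
            fh.write(b"tampered")
        return check(listing)
```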