On Sun, Jul 08, 2001 at 10:11:40PM -0700, Kris Kennaway wrote:
On Sun, Jul 08, 2001 at 10:35:14PM -0500, steve wrote:
I've been installing a few ports (great tool btw), and I've noticed
that typing 'make install' in an app directory will perform an md5
checksum to verify that the download is legit and not corrupt. Is there
anything similar done when using cvsup? Is there anyway to verify that
the ports collection update that I'm receiving through cvsup is legit
and not "trojaned" or altered in some other way?
Note to all on the list: please resist the temptation to offer
suggestions for how cvsup could be improved to achieve this unless
they're in the form of patches. We all know how to do it, but the
code needs to be written.
We do know how to do this? What trusted location would these MD5
checksums come from? If someone has slipped in malicious code on a
cvsupd server, it is relatively easy to change the MD5 sums provided
by that server to match. Or is the idea that you get files from a
random mirror, but get MD5 checksums from a different location?
I'd also like to point out that the ports are checking something
different with the MD5 sum. Since you got the MD5 hashes for the ports
from an cvsupd server, you already are trusting cvsup (unless you are
using old ones from a CD). All the MD5 hashes on ports prove is that
the tarball you download is the same one the maintainer downloaded
when he built the port skeleton. That does NOT mean that the
maintainer audited the code, checked the code, or did not insert
malicious code himself. When an MD5 check fails, the most common
reason is that a developer modified the code without changing the
version number, not that code was tampered with.