5 messages in org.freebsd.freebsd-securityRe: cvsup and security| From | Sent On | Attachments |
|---|---|---|
| steve | Jul 8, 2001 8:34 pm | |
| Kris Kennaway | Jul 8, 2001 10:11 pm | |
| Crist J. Clark | Jul 8, 2001 10:34 pm | |
| Kris Kennaway | Jul 8, 2001 11:12 pm | |
| steve | Jul 9, 2001 4:26 pm |
| Subject: | Re: cvsup and security | |
|---|---|---|
| From: | Crist J. Clark (cris...@earthlink.net) | |
| Date: | Jul 8, 2001 10:34:25 pm | |
| List: | org.freebsd.freebsd-security | |
On Sun, Jul 08, 2001 at 10:11:40PM -0700, Kris Kennaway wrote:
On Sun, Jul 08, 2001 at 10:35:14PM -0500, steve wrote:
Hi, I've been installing a few ports (great tool btw), and I've noticed that typing 'make install' in an app directory will perform an md5 checksum to verify that the download is legit and not corrupt. Is there anything similar done when using cvsup? Is there anyway to verify that the ports collection update that I'm receiving through cvsup is legit and not "trojaned" or altered in some other way?
Not currently.
Note to all on the list: please resist the temptation to offer suggestions for how cvsup could be improved to achieve this unless they're in the form of patches. We all know how to do it, but the code needs to be written.
We do know how to do this? What trusted location would these MD5 checksums come from? If someone has slipped in malicious code on a cvsupd server, it is relatively easy to change the MD5 sums provided by that server to match. Or is the idea that you get files from a random mirror, but get MD5 checksums from a different location?
I'd also like to point out that the ports are checking something different with the MD5 sum. Since you got the MD5 hashes for the ports from an cvsupd server, you already are trusting cvsup (unless you are using old ones from a CD). All the MD5 hashes on ports prove is that the tarball you download is the same one the maintainer downloaded when he built the port skeleton. That does NOT mean that the maintainer audited the code, checked the code, or did not insert malicious code himself. When an MD5 check fails, the most common reason is that a developer modified the code without changing the version number, not that code was tampered with.
-- Crist J. Clark cjcl...@alum.mit.edu
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message