|Subject:||Re: cvsup and security|
|Date:||Jul 9, 2001 4:26:10 pm|
We do know how to do this? What trusted location would these MD5 checksums come from? If someone has slipped in malicious code on a cvsupd server, it is relatively easy to change the MD5 sums provided by that server to match. Or is the idea that you get files from a random mirror, but get MD5 checksums from a different location?
For those that are paranoid about security (like me), perhaps the ports.tar.gz file could be signed so I can download the tar ball and verify it with a signature file (e.g. ports.tar.gz.sign). This still wouldn't allow you to verify when updating via CVSup, but at least I could verify that my ports directory skeleton is legit through alternative means. The same thing could be done with the system source code (src-all.tar.gz and src-all.tar.gz.sign). One of the FreeBSD people could be responsible for the private/public key and creating the signature files.
I'd also like to point out that the ports are checking something different with the MD5 sum. Since you got the MD5 hashes for the ports from an cvsupd server, you already are trusting cvsup (unless you are using old ones from a CD).
Sorry, I should have been more clear about that. I'm am using the original /usr/ports and /usr/src skeletons from the CD and I want to update those skeletons in a secure manner so that I can safely install the latest and greatest (both ports and system software).
All the MD5 hashes on ports prove is that the tarball you download is the same one the maintainer downloaded when he built the port skeleton. That does NOT mean that the maintainer audited the code, checked the code, or did not insert malicious code himself.
If there was a way to make the md5sums in the ports/src skeletons trustworthy, (e.g. signing files, or using the one from the CD) they could be used to verify the authenticity of a port/system program that is being installed. I would personally like a way to verify that the kernel source updates I've downloaded aren't trojaned in some way if I'm going to be updating my kernel with them.
When an MD5 check fails, the most common reason is that a developer modified the code without changing the version number, not that code was tampered with.
This may be true, but I like to know for sure ;-)
What do you think?
P.S. I apologize if I'm using FreeBSD terminology (e.g. ports/src skeleton) incorrectly as I'm new to FreeBSD.
-- Crist J. Clark cjcl...@alum.mit.edu
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message