Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI

From: Mike Tancsa (mike@sentex.net)
Date: 10/09/02


Date: Wed, 09 Oct 2002 13:13:51 -0400
To: Erick Mechler <emechler@techometer.net>
From: Mike Tancsa <mike@sentex.net>

At 10:01 AM 09/10/2002 -0700, Erick Mechler wrote:
>:: A quick peer over at CVSweb indicates that the import of 8.12.6 was
>:: done well before the sendmail.org folks got their server fooled with.
>
>Additionally, you would have had to explicitly tell your build to continue
>after it warned you about a mismatch in the MD5 sums. All the more reason
>you should really trust the MD5 sums in your distinfo files :)

One thing to note about MD5 sums is that if someone broke into an ftp site
and uploaded a trojaned file, why not upload a new matching MD5 checksum
file as well? Granted, you can use pgp to sign the file, but how many
people would notice that no one else has 'signed' the key or that a whole
whack of seemingly legit people signed the key? I mean there is a PGPKEYS
file there, but why not just upload your own PGPKEYS file as well?

         ---Mike
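The substitution Mike describes (a trojaned distfile served with a freshly regenerated checksum file), as an added example that is not part of this thread: a small verifier for the FreeBSD distinfo line format shows that a checksum fetched from the same server as the tarball accepts the replacement, while a distinfo recorded locally before the tampering rejects it. The tarball contents, the filename and the digests are constructed stand-ins, not the real sendmail 8.12.6 values.

```python
import hashlib
import re

# Constructed stand-ins; neither is the real sendmail 8.12.6 tarball.
ORIGINAL_TARBALL = b"sendmail 8.12.6 (constructed stand-in for the genuine tarball)\n"
TROJANED_TARBALL = b"sendmail 8.12.6 (constructed stand-in with a backdoor added)\n"
DISTFILE = "sendmail.8.12.6.tar.gz"

# FreeBSD distinfo lines look like:  MD5 (sendmail.8.12.6.tar.gz) = <hex digest>
DISTINFO_LINE = re.compile(r"^(\w+) \((\S+)\) = ([0-9A-Fa-f]+)$")


def make_distinfo(data: bytes, name: str, algos=("md5",)) -> str:
    """Write distinfo text for data; whoever can replace the tarball can redo this."""
    return "".join(f"{a.upper()} ({name}) = {hashlib.new(a, data).hexdigest()}\n"
                   for a in algos)


def parse_distinfo(text: str) -> dict:
    """Map (algorithm, filename) -> expected hex digest; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable distinfo line: {line!r}")
        algo, name, digest = m.groups()
        entries[(algo.lower(), name)] = digest.lower()
    return entries


def verify(data: bytes, name: str, distinfo: dict) -> bool:
    """True only if every digest recorded for name matches; no record means fail."""
    expected = {a: d for (a, n), d in distinfo.items() if n == name}
    if not expected:
        return False
    return all(hashlib.new(a, data).hexdigest() == d for a, d in expected.items())


def demo() -> dict:
    # distinfo committed to the local ports tree before the mirror was tampered with
    local_distinfo = parse_distinfo(make_distinfo(ORIGINAL_TARBALL, DISTFILE))
    # checksum file next to the tarball on the tampered mirror, regenerated along
    # with the tarball: it matches, so it proves nothing about the download
    mirror_distinfo = parse_distinfo(make_distinfo(TROJANED_TARBALL, DISTFILE))
    return {
        "mirror_checksum_accepts_trojan": verify(TROJANED_TARBALL, DISTFILE, mirror_distinfo),
        "local_distinfo_accepts_trojan": verify(TROJANED_TARBALL, DISTFILE, local_distinfo),
        "local_distinfo_accepts_original": verify(ORIGINAL_TARBALL, DISTFILE, local_distinfo),
    }
```

The same check is only as good as the place the expected digests come from: a distinfo stored in a tree you already have is independent of the mirror, a checksum file fetched beside the tarball is not.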

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


