Re: digital signatures for downloads

From: Jacques A. Vidrine (nectar@FreeBSD.org)
Date: 01/13/03


Date: Mon, 13 Jan 2003 08:53:30 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: "Nathan J. Yoder" <njyoder@gummibears.nu>

On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
> While the FreeBSD security advisories are signed, they
> don't include secure hashes of the patches, rather they just provide
> an insecure FTP link.

Patches are also signed. For example, from the latest advisory:

  ``
  a) Download the relevant patch from the location below, and verify the
  detached PGP signature using your PGP utility.

  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
  ''

The `.asc' file is the detached signature.

But I agree that packages, et cetera should also be signed.
Many of the tools are already there, but we have processes to work on.

Cheers,

-- 
Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
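As an added example (not from the original message, and not the FreeBSD project's own tooling), the following POSIX shell script performs the check the advisory excerpt above asks for: it verifies a patch against its detached `.asc' signature with GnuPG and shows that an altered copy of the patch is rejected. The signing key, the patch contents and the file paths are constructed locally so the script runs offline; with a real advisory you would fetch the patch and its `.asc' as shown above, and the FreeBSD Security Officer's public key would already have to be in your keyring. It assumes `gpg' is installed.

```shell
#!/bin/sh
# Added example, not from the original message or the FreeBSD project.
# Verifies a patch against its detached PGP signature (the `.asc' file) and
# shows that any change to the patch makes the check fail.
# Assumption: GnuPG (`gpg') is installed. The key, patch and signature are
# constructed here so the script runs offline; with a real advisory you would
# fetch filedesc.patch and filedesc.patch.asc instead and have the FreeBSD
# Security Officer's public key in your keyring already.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"      # throw-away keyring; ~/.gnupg is untouched
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

PATCH="$WORK/filedesc.patch"        # constructed stand-in for the advisory's patch
SIG="$PATCH.asc"                    # detached signature over PATCH

# verify_patch PATCH SIG
# Exit status 0 only if SIG is a good signature over PATCH made by a key that is
# in the keyring; anything else (bad signature, unknown key, truncated file) is
# non-zero. This is the check the advisory asks the reader to perform.
verify_patch() {
    gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1
}

# Constructed fixture: generate an unprotected signing key (so no passphrase
# prompt), write a small patch, and produce an ASCII-armoured detached signature.
make_fixture() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Security Officer
Name-Email: so@example.invalid
Expire-Date: 0
%commit
EOF
    printf '%s\n' \
        '--- sys/kern/kern_descrip.c.orig' \
        '+++ sys/kern/kern_descrip.c' \
        '@@ -1 +1 @@' \
        '-old line' \
        '+new line' > "$PATCH"
    gpg --batch --quiet --yes --armor --detach-sign --output "$SIG" "$PATCH"
}

# tampered_copy_rejected: copy the patch, append one line, and return 0 if the
# original signature is correctly rejected for the altered copy.
tampered_copy_rejected() {
    cp "$PATCH" "$WORK/tampered.patch"
    printf '+one extra line\n' >> "$WORK/tampered.patch"
    if verify_patch "$WORK/tampered.patch" "$SIG"; then
        return 1                     # signature must NOT verify the altered file
    fi
    return 0
}

make_fixture

if verify_patch "$PATCH" "$SIG"; then
    echo "good signature: $PATCH matches $SIG"
else
    echo "BAD signature: do not apply $PATCH" >&2
    exit 1
fi

if tampered_copy_rejected; then
    echo "altered copy correctly rejected"
fi
```

A good signature only proves the file was signed by whichever key is in the keyring, so the value of the check rests on having obtained and verified the Security Officer's public key itself through a trusted channel; fetching the key from the same FTP server as the patch defeats the purpose.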

