On Sun, Jul 08, 2001 at 10:11:40PM -0700, Kris Kennaway wrote:
> On Sun, Jul 08, 2001 at 10:35:14PM -0500, steve wrote:
> > Hi,
> > I've been installing a few ports (great tool btw), and I've noticed
> > that typing 'make install' in an app directory will perform an md5
> > checksum to verify that the download is legit and not corrupt. Is there
> > anything similar done when using cvsup? Is there anyway to verify that
> > the ports collection update that I'm receiving through cvsup is legit
> > and not "trojaned" or altered in some other way?
>
> Not currently.
>
> Note to all on the list: please resist the temptation to offer
> suggestions for how cvsup could be improved to achieve this unless
> they're in the form of patches. We all know how to do it, but the
> code needs to be written.

We do know how to do this? What trusted location would these MD5
checksums come from? If someone has slipped in malicious code on a
cvsupd server, it is relatively easy to change the MD5 sums provided
by that server to match. Or is the idea that you get files from a
random mirror, but get MD5 checksums from a different location?

I'd also like to point out that the ports are checking something
different with the MD5 sum. Since you got the MD5 hashes for the ports
from an cvsupd server, you already are trusting cvsup (unless you are
using old ones from a CD). All the MD5 hashes on ports prove is that
the tarball you download is the same one the maintainer downloaded
when he built the port skeleton. That does NOT mean that the
maintainer audited the code, checked the code, or did not insert
malicious code himself. When an MD5 check fails, the most common
reason is that a developer modified the code without changing the
version number, not that code was tampered with.

-- 
Crist J. Clark                           cjclarkalum.mit.edu
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]