From: Jacques A. Vidrine (nectar@FreeBSD.org)
Date: Mon Jan 13 2003 - 08:53:30 CST

    On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
    > While the FreeBSD security advisories are signed, they
    > don't include secure hashes of the patches, rather they just provide
    > an insecure FTP link.

    Patches are also signed. For example, from the latest advisory:

      ``
      a) Download the relevant patch from the location below, and verify the
      detached PGP signature using your PGP utility.

      # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
      # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
      ''

    The `.asc' file is the detached signature.

    But I agree that packages, et cetera should also be signed.
    Many of the tools are already there, but we have processes to work on.

    Cheers,

    -- 
    Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
    NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
    jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
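The verification step Jacques quotes (fetch the patch and its detached `.asc`, then check the signature) is the part that makes the plain-FTP download safe, but only if the check insists on the right key: `gpg --verify` exits 0 for a good signature by any key in your keyring, trusted or not. The script below is an added example, not code from the original post or from FreeBSD's own tooling. It assumes GnuPG 2.x is on PATH; the file names, the stand-in patch and the throwaway key in `demo` are constructed here, and the fingerprint you pin in real use is the one the advisory or the FreeBSD handbook publishes for the signing key, which this example does not reproduce.

```shell
#!/bin/sh
# Added example: verify a detached PGP signature on a FreeBSD SA patch with
# GnuPG, pinning the expected signing-key fingerprint. Not from the original
# post. Assumes gpg (GnuPG 2.x) on PATH; names and demo key are constructed.

# verify_patch PATCH SIG WANT_FPR
# Succeeds only when gpg reports VALIDSIG and the key that made the signature
# has fingerprint WANT_FPR. A good signature by *some* key is not enough.
verify_patch() {
    patch=$1; sig=$2; want=$3
    # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout.
    # Non-zero exit covers BADSIG, NO_PUBKEY, unreadable files and so on.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$patch" 2>/dev/null) || return 1
    # "[GNUPG:] VALIDSIG <fpr> <date> <timestamp> ...": field 3 is the
    # fingerprint of the key that actually produced this signature.
    got=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# demo: offline self-check with a throwaway key in a temporary GNUPGHOME.
# Returns 0 when all three cases behave as they should.
demo() {
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    uid='SA signer (demo key, constructed) <secteam@example.invalid>'

    # 1. Throwaway signing key standing in for the advisory signing key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default 0 2>/dev/null || return 1
    fpr=$(gpg --batch --with-colons --list-keys "$uid" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # 2. A constructed stand-in for the advisory patch plus its detached .asc.
    printf '%s\n' '--- foo.c.orig' '+++ foo.c' '@@ -1 +1 @@' '-old line' '+new line' \
        > "$tmp/sa.patch"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --local-user "$uid" \
        --output "$tmp/sa.patch.asc" "$tmp/sa.patch" 2>/dev/null || return 1

    rc=0
    # Genuine patch, expected key: accept.
    verify_patch "$tmp/sa.patch" "$tmp/sa.patch.asc" "$fpr" || rc=1
    # Tampered patch (one byte appended): reject.
    cp "$tmp/sa.patch" "$tmp/tampered.patch"; printf 'x' >> "$tmp/tampered.patch"
    verify_patch "$tmp/tampered.patch" "$tmp/sa.patch.asc" "$fpr" && rc=1
    # Good signature, but not by the key we pinned: reject.
    verify_patch "$tmp/sa.patch" "$tmp/sa.patch.asc" \
        0000000000000000000000000000000000000000 && rc=1

    gpgconf --kill all 2>/dev/null || true
    rm -rf "$tmp"
    return $rc
}

# Usage: verify_sa_patch.sh PATCH PATCH.asc EXPECTED_FPR   (real check)
#        verify_sa_patch.sh --demo                          (offline self-check)
if [ "$#" -eq 3 ]; then
    if verify_patch "$1" "$2" "$3"; then
        echo "GOOD: $1 is signed by $3"
    else
        echo "REJECT: $1 (bad signature, unknown key, or wrong key)" >&2
        exit 1
    fi
elif [ "${1:-}" = "--demo" ]; then
    demo && echo "demo: all three cases behaved as expected"
fi
```

For a real advisory the call is `verify_sa_patch.sh filedesc.patch filedesc.patch.asc <fingerprint>`, after importing the signing key from a source you trust independently of the FTP server. Fetching over plain FTP is then acceptable: a swapped patch fails the signature, and a patch signed by some other key fails the fingerprint comparison even though gpg itself would have reported a good signature.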