cvs commit: ports/audio/gnump3d Makefile distinfo ports/devel/bglibs Makefile ports/devel/cppi Makefile ports/devel/cvsd Makefile ports/dns/walker Makefile distinfo ports/ftp/lftp Makefile distinfo ports/ftp/twoftpd Makefile ...

Colin Percival cperciva at freebsd.org
Thu Feb 1 00:47:16 UTC 2007


I replied to some people about this privately, but since it's still
being discussed on the list...

Peter Jeremy wrote:
> On Mon, 2007-Jan-29 19:05:07 +0000, Gabor Kovesdan wrote:
>>  Our MD5 and SHA256 are good for checking both the sanity and the
>>  trustiness of distfiles.
> 
> Except that the MD5 and SHA256 checksums can't be totally trusted.
> There are a variety of MITM attacks which could allow someone to alter
> checksums stored on end-user hosts.  I think it's unfortunate that
> the security team was not involved in this decision.

Short answer: I wasn't involved in the discussion before this option was
removed, but I agree with its removal.

Long answer: I can't think of any circumstances where an attacker who
could play games with the distinfo files would not also be able to play
games with the Makefile logic -- i.e., USE_GPG protects against precisely
zero attackers.  The correct place for GPG to be used is to make sure
that ports committers are committing the correct distinfo files in the
first place, and this wasn't what USE_GPG did (or would have done if it
had ever been committed, which it wasn't).

Colin Percival
