Cryptographically enabled ports tree.
David Schultz
das at FreeBSD.ORG
Sat Jun 21 18:18:58 PDT 2003
On Sat, Jun 21, 2003, Colin Percival wrote:
> At 19:54 21/06/2003 +0200, William Fletcher wrote:
> >One other thing while I'm at making a clown of myself.
> >
> >Wouldn't it be an absolute joke if someone rooted a redhat box on
> >your network, dns poisoned for cvsup.*.freebsd.org and promptly
> >found a way to create a cvsup-mirror on another machine
> >with modified source.
>
> I'm not sure I'd use the word "joke"... yes, that would definitely be a
> problem.
> Another security problem is FTP installs; sysinstall doesn't have any
> sort of signature verification built in, so anyone doing an FTP install
> could find themselves installing trojans. The only secure distribution,
> AFAIK, is the ISO image, because the MD5 sum of that is announced in a
> (signed) release announcement.
We already have MD5 checksums of each port, so all it takes is to
have so@ sign a MAC for the entire ports tree. Now doing
something more sophistocated and seamless would be a little bit
more effort...
More information about the freebsd-chat
mailing list