Cryptographically enabled ports tree.

Terry Lambert tlambert2 at mindspring.com
Mon Jun 23 07:15:25 PDT 2003


William Fletcher wrote:
> One other thing while I'm at making a clown of myself.
> 
> Wouldn't it be an absolute joke if someone rooted a Red Hat box on
> your network, DNS poisoned for cvsup.*.freebsd.org and promptly
> found a way to create a cvsup-mirror on another machine
> with modified source.
> 
> They could then trojan /usr/src and /usr/ports and probably gain
> root on all your machines running FreeBSD, quick and easy.
> 
> Just wanted the general public's opinion of that too.
> 
> Anyway, home time, expect interesting responses on Monday morning.
> (Will sign up to security-general again).
> 
> PS. Some people work for companies which inflict Red Hat on them. :/

FWIW: If they did this, they'd just declare themselves a signing
authority, and sign the trojan'ed packages themselves.  All you've
done by introducing signatures is add one more hoop for them to
jump through.  At the same time, you've made ports quit working
over code changes, which is something that was one of the best
benefits of the ports tree in the first place.

-- Terry


More information about the freebsd-chat mailing list