aristeu wrote: >> Can you explain what you mean here. Virtually all distfiles needed to >> build a port have MD5 and maybe SHA-256 hashes embedded in the ports >> tree. The only way to easily circumvent these is to subvert the ports >> tree - which gets back to the issue of trusting the FreeBSD distribution. >> I agree that there's currently no integrity checking on packages. >> (And, BTW, tar has no integrity checks). > > Anyone who is between you and freebsd cvsup server can make his own ports > tree repository. That being done, he just need to redirect your connection > and wait 'til your next cvsup sync is done.
This is why I wrote portsnap. Colin Percival _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
