On Sat, May 05, 2007 at 12:43:34PM +0200, Justin Smith wrote:
> >Just out of curiosity...
> >
> > Is it logical to use an OS for the intense focus on security and
> > correctness, yet download the binaries from a random person on a mailing
> > list instead of any official source with reasonable file integrity
> > checking process in place?
>
> From:
>
> http://toolbar.netcraft.com/site_report?url=ftp.openbsd.org
>
> Site: http://ftp.openbsd.org
> Reverse DNS: openbsd.sunsite.ualberta.ca
>
> Netblock Owner: University of Alberta, 1030 General Services Building, Edmonton, CA
> IP address: 129.128.5.191
> OS: Solaris
> Web Server: Apache/1.3.34 Unix PHP/4.4.2 mod_perl/1.27
> Last changed: 17-Apr-2007
>
> What security!!
>
> FYI:
>
> "Trojaned version of OpenSSH package has been found to reside on
> ftp.openbsd.org's server."
>
> http://www.mavetju.org/unix/openssh-trojan.php
> http://www.openssh.org/txt/trojan.adv
>
> Do you remember?
>
> --
> JS
Yes, but it's still an "official" source. It's a static server that gets some level of attention from an admin team. Contrast that with whatever guy puts up a torrent tracker and posts on a mailing list. Getting it from the Solaris box at www. and "hey man, download OpenBSD from me" are not the same thing.
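The "file integrity checking process" the thread keeps coming back to boils down to comparing what you downloaded against a digest published somewhere the attacker did not control. As an added example (not code from the thread, and not OpenBSD's own tooling), here is a POSIX sh check against the `SHA256 (name) = hex` list format that OpenBSD's `sha256`/`cksum -a sha256` print; the file name, its contents and the checksum list are constructed for the demo, and `sha256_of` just wraps whichever digest tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded file against a
# BSD-style "SHA256 (name) = hex" list. All names and contents below are
# constructed for the demo; nothing here is a real release artifact.

sha256_of() {
    # Portable lowercase hex digest: coreutils sha256sum, else openssl.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE LIST
# Exit status: 0 = digest matches, 1 = mismatch (treat as tampered or
# corrupt), 2 = LIST carries no entry for FILE (not a pass!).
verify_sha256() {
    _file=$1
    _list=$2
    _name=$(basename "$_file")
    # Escape BRE metacharacters in the name before using it as a pattern.
    _re=$(printf '%s' "$_name" | sed 's|[.*^$[]|\\&|g')
    _expected=$(sed -n "s/^SHA256 (${_re}) = \([0-9a-fA-F]\{64\}\)\$/\1/p" "$_list" | head -n 1)
    [ -n "$_expected" ] || return 2
    _actual=$(sha256_of "$_file")
    # Compare case-insensitively so an upper-case hex list still matches.
    if [ "$(printf '%s' "$_actual" | tr 'A-Z' 'a-z')" = \
         "$(printf '%s' "$_expected" | tr 'A-Z' 'a-z')" ]; then
        return 0
    fi
    return 1
}

# make_fixture DIR: a fake "tarball" plus a checksum list that matches it.
# (Constructed stand-in for a download plus the mirror's SHA256 file.)
make_fixture() {
    printf 'pretend this is a tarball\n' > "$1/example-1.0.tar.gz"
    printf 'SHA256 (example-1.0.tar.gz) = %s\n' \
        "$(sha256_of "$1/example-1.0.tar.gz")" > "$1/SHA256"
}

# Demo: clean download passes, a tampered copy fails, an unlisted file
# is reported as unknown rather than silently accepted.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    verify_sha256 "$d/example-1.0.tar.gz" "$d/SHA256" && echo "clean copy: OK"
    printf 'extra bytes\n' >> "$d/example-1.0.tar.gz"
    verify_sha256 "$d/example-1.0.tar.gz" "$d/SHA256" || echo "tampered copy: rc=$?"
    verify_sha256 "$d/SHA256" "$d/SHA256" || echo "unlisted file: rc=$?"
    rm -rf "$d"
}

demo
```

The check is only as good as where the `SHA256` list came from: a list fetched from the same directory as the tarball, on a server that has already been tampered with, can be regenerated by the intruder along with the file. Fetch it from a second mirror or a known-good copy, or verify a signature over it, and treat "no entry for this file" (exit 2) as a failure, not a pass.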