On Wednesday, October 9, 2002, at 09:58  AM, Bill Owens wrote:

> At 1:25 -0700 10/9/02, Ben Hines wrote:
>> Yep. If a fink package tells you its MD5 is bad, please notify the 
>> maintainer (or the list) and we will look into it.
>>
>> Fink MD5s are stored in the .info files, locally, so a hacker cannot 
>> change them unless they hack fink CVS AND the site with the tarball. 
>> :)
>
> It looks like sendmail is not in fink, so I suppose nobody could have 
> caught the trojaned version by this mechanism (nor could they be 
> harmed, of course). But what if the trojan were sufficiently subtle 
> that it escaped detection for a few weeks or months, the fink 
> maintainer calculated the MD5 on the trojaned version, and put it into 
> the system?

In an ideal world, the original developer would publish md5sums of 
their tarballs. I suspect that many fink developers just run md5sum on 
their downloaded tarball, and stick it in the info file. And that's just 
fine if the purpose of the checksum is to detect corrupted/incomplete 
downloads. It's not a very security-conscious strategy though.

It might be nice if the fink program supported public-key signatures, 
when available.

Jeremy
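
The two digest policies discussed above, as an added example that is not part of this thread and not fink's own code. It models a fink-style .info file with only a Source-MD5: field (a real fink field; the Package: and Source: lines are simplified and the mirror spec is hypothetical), and the tarball bytes are constructed stand-ins rather than real archives. The point it shows is that the local check is only as good as where the recorded digest came from: a digest computed from the packager's own download accepts whatever that download was, while a digest published by the upstream developer rejects a tarball that was already altered before the packager fetched it. Both policies still catch a truncated download. (MD5 is no longer collision-resistant; a check written today would store a SHA-256 digest, but the trust question is the same.)

```python
import hashlib
import re

# Constructed stand-ins for a release tarball as published upstream and a
# modified copy served from a mirror. A real check reads the file from disk.
UPSTREAM_TARBALL = b"contents-of-examplepkg-1.0.tar.gz"
MODIFIED_TARBALL = UPSTREAM_TARBALL + b"\x00extra-bytes-standing-in-for-a-modified-archive"


def md5_hex(data: bytes) -> str:
    """MD5 digest in lowercase hex, the form a fink Source-MD5: field carries."""
    return hashlib.md5(data).hexdigest()


def make_info(package: str, source_md5: str) -> str:
    """Build a minimal fink-style .info text with only the fields this example needs.

    The Source: line is a hypothetical mirror specification, not a real package."""
    return (
        f"Package: {package}\n"
        f"Source: mirror:custom:{package}-1.0.tar.gz\n"
        f"Source-MD5: {source_md5}\n"
    )


def read_source_md5(info_text: str) -> str:
    """Extract the recorded digest; reject a missing or malformed field."""
    match = re.search(r"^Source-MD5:\s*([0-9a-fA-F]{32})\s*$", info_text, re.MULTILINE)
    if match is None:
        raise ValueError("Source-MD5 field missing or malformed")
    return match.group(1).lower()


def verify_source(info_text: str, downloaded: bytes) -> bool:
    """The local check: does the downloaded tarball hash to the recorded digest?"""
    return md5_hex(downloaded) == read_source_md5(info_text)


def info_from_download(package: str, downloaded: bytes) -> str:
    """Policy the message suspects is common: run md5sum on whatever was
    downloaded and store that. Catches later corruption or substitution, but
    not a tarball that was already modified before the packager fetched it."""
    return make_info(package, md5_hex(downloaded))


def info_from_upstream(package: str, published_md5: str) -> str:
    """Policy the message prefers: store the digest the upstream developer
    published, obtained independently of the download being checked."""
    return make_info(package, published_md5)


if __name__ == "__main__":
    published = md5_hex(UPSTREAM_TARBALL)  # what upstream would have announced
    print("digest from download, modified tarball accepted:",
          verify_source(info_from_download("examplepkg", MODIFIED_TARBALL), MODIFIED_TARBALL))
    print("digest from upstream, modified tarball accepted:",
          verify_source(info_from_upstream("examplepkg", published), MODIFIED_TARBALL))
    print("digest from upstream, truncated download accepted:",
          verify_source(info_from_upstream("examplepkg", published), UPSTREAM_TARBALL[:-1]))
```

Running it prints True, False, False: the first line is the gap the thread worries about (a digest recorded from an already-altered download verifies that same download), the second is what an independently published digest buys you, and the third is the corruption case both policies handle.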



_______________________________________________
Fink-users mailing list
https://lists.sourceforge.net/lists/listinfo/fink-users