On Wednesday, October 9, 2002, at 09:31 AM, Jeremy Erwin wrote:
> On Wednesday, October 9, 2002, at 09:58 AM, Bill Owens wrote:
>
>> At 1:25 -0700 10/9/02, Ben Hines wrote:
>>> Yep. If a fink package tells you its MD5 is bad, please notify the
>>> maintainer (or the list) and we will look into it.
>>>
>>> Fink MD5s are stored in the .info files, locally, so a hacker cannot
>>> change them unless they hack fink CVS AND the site with the tarball.
>>> :)
>>
>> It looks like sendmail is not in fink, so I suppose nobody could have
>> caught the trojaned version by this mechanism (nor could they be
>> harmed, of course). But what if the trojan were sufficiently subtle
>> that it escaped detection for a few weeks or months, the fink
>> maintainer calculated the MD5 on the trojaned version, and put it
>> into the system?
> In an ideal world, the original developer would publish md5sums of
> their tarballs. I suspect that many fink developers just run md5sum on
> their downloaded tarball, and stick in the info file. And that's just
> fine if the purpose of the checksum is to detect corrupted/incomplete
> downloads. It's not a very security conscious strategy though.
>

Indeed. However we don't really have the resources to make sure every package has no backdoors, obviously. "What if", Bill? Well, there's nothing we can do about that, is there? Do you want software or not? Fink already is very careful about unstable/stable trees, etc. Verifying every tarball for no backdoors is a task greater than porting the software to Mac OS X.

> It might be nice if the fink program supported public-key signatures,
> when available.
>

Sure. I don't know anything about gpg, etc, so if you can help to implement this we accept patches. :)

-Ben
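The trade-off discussed in this thread, as an added example (not Fink's code and not posted by any participant): a locally pinned MD5 catches a tarball changed after pinning, but not one that was already trojaned when the maintainer ran md5sum, unless the digest is cross-checked against one the developer published separately. The record layout, field names, URL and tarball bytes are constructed for illustration and are assumptions, not Fink's actual format.

```python
import hashlib
import hmac
from typing import Optional

CLEAN = b"constructed clean tarball bytes"              # constructed sample
TROJANED = b"constructed tarball bytes with a backdoor"  # constructed sample

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_info(text: str) -> dict:
    """Parse 'Key: value' lines of a simplified .info-style record."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def make_info(md5: str) -> dict:
    # Hypothetical record; 'Source-MD5' is an assumed field name.
    return parse_info("Package: example\n"
                      "Source: http://example.invalid/example-1.0.tar.gz\n"
                      f"Source-MD5: {md5}\n")

def verify_download(info: dict, tarball: bytes) -> bool:
    """User-side check: does the download match the locally stored digest?"""
    return hmac.compare_digest(info["source-md5"], md5_hex(tarball))

def pin_digest(tarball: bytes, upstream_md5: Optional[str] = None) -> str:
    """Maintainer-side step. With upstream_md5 (a digest the developer
    published through a separate channel), refuse to pin on mismatch."""
    digest = md5_hex(tarball)
    if upstream_md5 is not None and not hmac.compare_digest(digest, upstream_md5):
        raise ValueError("download does not match the developer's published digest")
    return digest

def scenarios() -> dict:
    results = {}
    # 1. Digest pinned from a clean tarball; the download site is altered later.
    info = make_info(pin_digest(CLEAN))
    results["mirror_swap_detected"] = not verify_download(info, TROJANED)
    # 2. The tarball was already trojaned when the maintainer ran md5sum.
    info = make_info(pin_digest(TROJANED))
    results["pinned_trojan_detected"] = not verify_download(info, TROJANED)
    # 3. Same download, but cross-checked against the developer's digest.
    try:
        pin_digest(TROJANED, upstream_md5=md5_hex(CLEAN))
        results["crosscheck_refused_pin"] = False
    except ValueError:
        results["crosscheck_refused_pin"] = True
    return results
```

The cross-check in the third case only helps when the published digest travels over a channel the tarball's attacker does not also control, which is the gap the public-key signatures raised in the thread are meant to close.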
