On Thu, Dec 06, 2007 at 04:03:48AM +0100, Linus Sw?las wrote: > Or you pull the MD5s from another source than your packages, > not bloody likely that the two different sites you've selected > for download has both been hacked. > This does not protect against the master site being owned though, > though I guess that'd be noticed and announced.
Having this being the default on ports could be a good thing perhaps. The script would download the package from a FTP and hashes from another one. But the hashes are already stored inside the folder of the package on the ports.. so to what use ? Sources that get downloaded are hashed and the value compared to the one stored by the package maintainer. And you have to trust this person to be serious. And even if he is, if he grabs the latest version of sources for XYZ and those got a hole non published (far, far more easy to use tools to check sources for potential holes to use rather than go hack their repositories...) that won't change anything. Security is a link as Bruce Schneier explained, and it will break at its weakest point. And if it breaks anywhere, the whole thing can go down. Thus, security is a constant process. You select a good quality operating system (a BSD for example) and you don't install anything on it eyes closed. And you do backups. And you store them in a media not connected to anything. And you use various tools to check everything (firewall, rootkit checker, arp tool, etc. etc. ad nauseum). It's really an education. And if you are cautious with backups and make it part of your current life, when shit happens you have solutions. And if shit can happen, it will.. :) -- unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ; yes ; fsck ; umount ; sleep
