[ale] ! Openssh package trojaned...

Danny Cox danscox at mindspring.com
Thu Aug 1 10:27:52 EDT 2002


John,

On Thu, 2002-08-01 at 11:32, John Wells wrote:
> This brings to mind a question I've had for a while now.
> Many sites provide md5 files in addition to a tarball so you can run
> md5sum on the tarball and compare the hash.  What prevents some hax0r from
> posting a fake md5 file when they compromise a tarball, so the sums will
> match?
> 
> From what little I know about FreeBSD, it seems that ports allowed this
> bogus package to be spotted.  I assume this would not be the case on
> linux.  So what good is an md5 file anyway?  I'm probably missing
> something here...

	If it's just the md5 sums, you're entirely correct.  RedHat (and
probably others) "sign" their rpm packages with GPG, so you can verify
them with confidence, after you've grabbed their public key.  A cracker
wouldn't be able to forge that.  Not in my lifetime, anyway.

-- 
kernel, n.: A part of an operating system that preserves the
medieval traditions of sorcery and black art.

Danny


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
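
A worked demonstration of the point made in this thread, added here and not part of the original mail or of any ALE member's code: a throwaway release tarball with its .md5 file, a simulated compromise in which the attacker swaps both the tarball and the .md5, and a detached GPG signature made with a throwaway key that the attacker does not hold. The package name, file contents and key identity are constructed for the example; it needs GNU coreutils, tar and, for the signature half, GnuPG 2.1 or later (the signature steps report "skipped" when gpg is unavailable).

```shell
#!/bin/sh
# Added example: why a .md5 beside a tarball proves nothing once the server
# is compromised, and how a detached GPG signature behaves differently.
# Package name, contents and key identity below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Publisher side: build the (constructed) release tarball and its .md5 file.
make_release() {
    mkdir -p "$WORK/src"
    printf 'int main(void) { return 0; }\n' > "$WORK/src/main.c"
    tar -C "$WORK" -cf "$WORK/pkg-1.0.tar" src
    (cd "$WORK" && md5sum pkg-1.0.tar > pkg-1.0.tar.md5)
}

# Attacker side: alter the tarball and simply regenerate the .md5 next to it.
# This is the scenario the question describes: the sums will still match.
tamper_release() {
    printf '/* unexpected addition */\n' >> "$WORK/src/main.c"
    tar -C "$WORK" -cf "$WORK/pkg-1.0.tar" src
    (cd "$WORK" && md5sum pkg-1.0.tar > pkg-1.0.tar.md5)
}

# Prints "pass" or "fail" according to what md5sum -c says about the release.
md5_check() {
    if (cd "$WORK" && md5sum -c --status pkg-1.0.tar.md5); then
        echo pass
    else
        echo fail
    fi
}

# Publisher side, done properly: sign the tarball with a private key kept in
# a throwaway keyring under $WORK. Silently does nothing without gpg >= 2.1.
sign_release() {
    command -v gpg >/dev/null 2>&1 || return 0
    export GNUPGHOME="$WORK/gnupg"
    if [ ! -d "$GNUPGHOME" ]; then
        mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
        echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
        # Unprotected throwaway key; identity is constructed for the demo.
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-gen-key 'Example Packager <packager@example.invalid>' \
            default default never 2>/dev/null || return 0
    fi
    gpg --batch --quiet --yes --detach-sign \
        --output "$WORK/pkg-1.0.tar.sig" "$WORK/pkg-1.0.tar" 2>/dev/null || true
}

# Prints "pass"/"fail" for gpg --verify, or "skipped" if no signature exists
# (gpg missing or too old to have produced one).
gpg_check() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    [ -f "$WORK/pkg-1.0.tar.sig" ] || { echo skipped; return 0; }
    export GNUPGHOME="$WORK/gnupg"
    if gpg --batch --quiet --verify "$WORK/pkg-1.0.tar.sig" \
            "$WORK/pkg-1.0.tar" 2>/dev/null; then
        echo pass
    else
        echo fail
    fi
}

run_demo() {
    make_release
    sign_release
    echo "before tampering: md5=$(md5_check) gpg=$(gpg_check)"
    tamper_release
    # md5 still says pass; gpg says fail, because the attacker replaced the
    # tarball and the .md5 but cannot produce a new signature without the key.
    echo "after tampering:  md5=$(md5_check) gpg=$(gpg_check)"
}

run_demo
```

The same distinction is what `rpm --checksig` (or `rpm -K`) relies on: after `rpm --import` of the vendor's public key, the signature check fails on a package whose payload was altered, whereas a checksum file hosted on the same mirror as the package can be regenerated by whoever controls that mirror. The public key itself has to be obtained over a path the attacker does not control (a pressed CD, a key fingerprint published elsewhere), or the verification only moves the trust problem one step back.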
