Subject: Re: Heads up: suspicious source distribution of OpenSSH 3.4p1 found
To: NetBSD tech-security list <tech-security@netbsd.org>
From: Rogier Krieger <rogier@virgiel.nl>
List: tech-security
Date: 08/02/2002 17:58:43
It seems there is already a third party verification going on: the MD5 (and
SHA1) signatures listed in the pkgsrc makefiles. FreeBSD does a similar
thing in its ports collection.

It might be a nice feature to allow the pkgsrc make process not only detect
checksum mismatches but also automatically (opt-in) report them to the
maintainer, including the version of the package, so false positives can be
weeded out. As David Maxwell pointed out, notifications are important.

At 08/02/2002 07:40:00, sen_ml@eccosys.com wrote:
>I guess you wouldn't really want to do the downloading from a single
>location -- that is, it seems better if multiple parties did the
>downloading and exchanged and compared their verification results
>(e.g. time, digest, etc.). 

I'm no expert on CVS, but I doubt such large projects do the generating of
checksums by hand. I suspect they're batched upon committing the code.
Sifting through the files and their checksums upon mirroring seems a good
way to detect trouble, but this seems so straightforward that I can hardly
imagine no one already having thought of it. In that case, regardless of
cross-checking files on several mirrors, you still seem to end up with a
single point of failure: a primary distribution site.

As far as I've read on this issue, the files on the distribution server
*did* fail the checksum verification. I haven't seen much (i.e. anything so
far) on how the trojaned files got on the distribution locations. I wonder
where things went wrong, but the pkgsrc in NetBSD would normally have
detected any trouble. Same goes for the FreeBSD ports collection.

Greets,

Rogier Krieger


--
If you don't know where you're going, any road will get you there.
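As an added illustration of the pkgsrc-style check the mail refers to (example code, not part of the original post or of pkgsrc itself): a small verifier that parses `MD5 (file) = hex` / `SHA1 (file) = hex` lines as found in a distinfo file and reports every listed distfile as ok, mismatch or missing. The file names and contents in `build_demo` are constructed for the demonstration.

```python
# Added example: verify distfiles against a pkgsrc-style distinfo listing
# ("MD5 (file) = hex" / "SHA1 (file) = hex") and report any mismatch.
import hashlib
import re
import tempfile
from pathlib import Path

DISTINFO_LINE = re.compile(r"^(\w+) \(([^)]+)\) = ([0-9a-fA-F]+)$")  # Size lines won't match

def parse_distinfo(text):
    """Return {filename: {algo: hexdigest}} for every recognised digest line."""
    expected = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m and m.group(1).lower() in hashlib.algorithms_available:
            expected.setdefault(m.group(2), {})[m.group(1).lower()] = m.group(3).lower()
    return expected

def verify_distfiles(distinfo_text, distdir):
    """Return (filename, algo, status) tuples; status is ok, mismatch or missing."""
    results = []
    for fname, digests in parse_distinfo(distinfo_text).items():
        path = Path(distdir) / fname
        if not path.exists():
            results.append((fname, None, "missing"))  # never silently skip a listed file
            continue
        data = path.read_bytes()
        for algo, want in digests.items():
            got = hashlib.new(algo, data).hexdigest()
            results.append((fname, algo, "ok" if got == want else "mismatch"))
    return results

def build_demo(distdir):
    """Constructed sample: record digests, then replace one archive on the 'mirror'."""
    distdir = Path(distdir)
    clean = {"good-1.0.tar.gz": b"clean tarball bytes\n",
             "openssh-3.4p1.tar.gz": b"original tarball bytes\n"}
    lines = []
    for fname, data in clean.items():
        (distdir / fname).write_bytes(data)
        for algo in ("md5", "sha1"):
            lines.append(f"{algo.upper()} ({fname}) = {hashlib.new(algo, data).hexdigest()}")
    lines.append("MD5 (absent-2.0.tar.gz) = " + "0" * 32)  # listed but never fetched
    (distdir / "openssh-3.4p1.tar.gz").write_bytes(b"modified tarball bytes\n")
    return "\n".join(lines) + "\n"

def run_demo():
    """Build the sample in a temporary directory and return the verification results."""
    with tempfile.TemporaryDirectory() as d:
        return verify_distfiles(build_demo(d), d)
```

Running `run_demo()` reports both digests of the replaced archive as mismatches and the never-fetched file as missing, while the untouched archive verifies cleanly.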