Subject: Re: Heads up: suspicious source distribution of OpenSSH 3.4p1 found (xs4)
To: Rogier Krieger <rogier@virgiel.nl>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 08/02/2002 12:21:26
In message <3.0.5.32.20020802175843.007fb1d0@pop.xs4all.nl>, Rogier Krieger writes:
>It seems there is already a third party verification going on: the MD5 (and
>SHA1) signatures listed in the pkgsrc makefiles. FreeBSD does a similar
>thing in its ports collection.
>
>It might be a nice feature to allow the pkgsrc make process to not only detect
>checksum mismatches but also automatically (opt-in) report them to the
>maintainer, including the version of the package, so false positives can be
>weeded out. As David Maxwell pointed out, notifications are important.

No -- the most common cause of checksum failures in pkgsrc is a file 
remaining from a partial or interrupted download.  There would be far 
too many false positives.  A better solution would be a cron job that 
grabbed every file and checked it -- but a clever attacker who knew the 
source IP address of the verifier machine could return different files 
to it than to the rest of the world.

>
>As far as I've read on this issue, the files on the distribution server
>*did* fail the checksum verification. I haven't seen much (i.e. anything so
>far) on how the trojaned files got
>on the distribution locations. I wonder where things went wrong, but the
>pkgsrc in NetBSD would normally have detected any trouble. Same goes for
>the FreeBSD ports collection.
>

Of course, that begs the question of where the checksum information 
comes from.  If it's on the same Web site and not digitally signed, it 
won't do a lot of good.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
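An added example, not from the thread or from pkgsrc itself, of the distinction Steve draws above: a pkgsrc-style distinfo check that tells a short, interrupted download apart from a full-size file whose digest does not match. The distinfo values and file contents are constructed; where the distinfo itself comes from, and whether it is signed, is outside what this snippet checks.

```python
import hashlib
import re

# Constructed sample data: the "distfile" and its distinfo entries are made up
# here and are NOT the real OpenSSH 3.4p1 checksums.
DISTFILE = b"sample distfile contents standing in for openssh-3.4p1.tar.gz\n"
DISTINFO = """\
MD5 (openssh-3.4p1.tar.gz) = {md5}
SHA1 (openssh-3.4p1.tar.gz) = {sha1}
Size (openssh-3.4p1.tar.gz) = {size} bytes
""".format(md5=hashlib.md5(DISTFILE).hexdigest(),
           sha1=hashlib.sha1(DISTFILE).hexdigest(),
           size=len(DISTFILE))

# distinfo lines look like:  ALGO (distfile) = value
LINE_RE = re.compile(r"^(\w+) \((\S+)\) = (\S+)")


def parse_distinfo(text):
    """Return {distfile_name: {"MD5": hex, "SHA1": hex, "Size": int}}."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        algo, name, value = m.groups()
        entry = info.setdefault(name, {})
        entry[algo] = int(value) if algo == "Size" else value.lower()
    return info


def verify_distfile(name, data, distinfo_text):
    """Classify a fetched distfile against its distinfo record.

    'partial'  -> file is shorter than the recorded size: the common, benign
                  leftover of an interrupted download (not worth reporting)
    'mismatch' -> full-size file whose digest differs: the case to look at
    'ok'       -> size and every recorded digest agree
    'unknown'  -> no record for this distfile
    """
    rec = parse_distinfo(distinfo_text).get(name)
    if rec is None:
        return "unknown"
    expected_size = rec.get("Size")
    if expected_size is not None and len(data) < expected_size:
        return "partial"
    for algo in ("MD5", "SHA1"):
        if algo in rec and hashlib.new(algo.lower(), data).hexdigest() != rec[algo]:
            return "mismatch"
    return "ok"
```

Only a "mismatch" result is a candidate for the automatic report Rogier proposes; a "partial" result is the false positive Steve warns about and should simply trigger a re-fetch.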