> -----Original Message-----
> From: wozzat_private [mailto:wozzat_private]
> To: Eirik Seim
>
> Of course, verifying checksums does you no good if the checksums
> have been replaced along with the binary. Be sure to acquire your
> checksums from some other, presumably safe, location.
>
> On Thu, 1 Aug 2002 22:41:39 +0200 (CEST), Eirik Seim
> <defaultat_private> wrote:
>
> >Oh, and the guys that inserted the trojan might easily have had access to more
> >on the same ftp site, and subsequently also its mirrors. If you don't
> >usually verify checksums, now is a great time to start doing so.

This seems to me to be an important point.

A couple of weeks ago I did download and install openssh-3.4p1.tar.gz from a mirror. When I examined its GPG signature it checked out fine, I mean fine insofar as GPG considered that the signature hash did correctly match the download file. However, the only assurance I had at that point is that the download had indeed been signed by some unknown key.

When I located this key on a public keyserver it claimed to belong to a particular individual, although this person was someone I had never heard of before. There were no "web of trust" signatures on the key. I emailed the address indicated by the keyserver and I got a response from this guy like "yes you have a valid tarball, please stop worrying."

At that point I had spent too much time on this, so I made a judgement on the balance of probabilities, gave up, and installed the thing. But I still don't feel that I understand how to get a trusted (in the cryptographic sense) authoritative signing key for OpenSSH - which ultimately means that it's pointless to check download signatures.

Considering that over the last few days we have seen how absolutely crucial it is to do this check, I would suggest there is a problem here that needs to be solved.

Joe
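The post's problem, a signature that gpg reports as good but that only proves "signed by some key", is exactly what a verification script has to refuse to treat as success. The following Python is an added example, not code from the list or from the OpenSSH project. It parses the machine-readable output that `gpg --status-fd 1 --verify file.sig file` produces and only accepts a signature when the signing key's fingerprint matches one pinned out of band (from a web-of-trust-confirmed key or an earlier trusted release), falling back to gpg's own trust level when nothing is pinned; it also checks a SHA-256 against a checksum that was fetched from a location other than the mirror, as wozzat advised. The fingerprints, user IDs, status lines and tarball bytes are all constructed placeholders.

```python
import hashlib
import hmac

STATUS_PREFIX = "[GNUPG:] "

# Release-key fingerprint obtained OUT OF BAND, never from the mirror that
# served the tarball. CONSTRUCTED placeholder value, not a real key.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
# A key nobody has vouched for, as in the post. CONSTRUCTED placeholder.
UNKNOWN_FINGERPRINT = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# gpg trust levels accepted when no fingerprint is pinned.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def make_status(fingerprint, trust_tag, uid="Some Signer <signer@example.invalid>"):
    """Build CONSTRUCTED --status-fd output for a good signature by `fingerprint`.
    Field layout follows gpg's documented VALIDSIG line: signing-key fingerprint
    first, primary-key fingerprint last."""
    return "\n".join([
        f"{STATUS_PREFIX}NEWSIG",
        f"{STATUS_PREFIX}GOODSIG {fingerprint[-16:]} {uid}",
        f"{STATUS_PREFIX}VALIDSIG {fingerprint} 2002-08-01 1028234499 0 4 0 1 2 00 {fingerprint}",
        f"{STATUS_PREFIX}{trust_tag} 0 pgp",
    ]) + "\n"


# Valid signature, but from a key with no trust path (the post's situation).
STATUS_UNKNOWN_KEY = make_status(UNKNOWN_FINGERPRINT, "TRUST_UNDEFINED")
# Valid signature from the key we pinned; gpg itself still rates it undefined.
STATUS_PINNED_KEY = make_status(PINNED_FINGERPRINT, "TRUST_UNDEFINED")
# Signature that does not match the file at all. CONSTRUCTED.
STATUS_BAD = f"{STATUS_PREFIX}NEWSIG\n{STATUS_PREFIX}BADSIG 0123456789ABCDEF Some Signer <signer@example.invalid>\n"


def parse_status(status_text):
    """Extract the facts that matter from gpg --status-fd lines."""
    info = {"good": False, "bad": False, "fingerprint": None,
            "primary_fingerprint": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag = fields[0]
        if tag == "GOODSIG":
            info["good"] = True
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            info["bad"] = True
        elif tag == "VALIDSIG" and len(fields) >= 2:
            info["fingerprint"] = fields[1].upper()          # signing (sub)key
            if len(fields) >= 11:
                info["primary_fingerprint"] = fields[10].upper()  # its primary key
        elif tag.startswith("TRUST_"):
            info["trust"] = tag
    return info


def signature_verdict(status_text, pinned_fingerprint=PINNED_FINGERPRINT):
    """Return (accepted, reason). A mathematically valid signature is accepted
    only from the pinned key, or, with no pin, only if gpg's trust database
    rates the key fully or ultimately trusted."""
    info = parse_status(status_text)
    if info["bad"] or not info["good"] or info["fingerprint"] is None:
        return False, "signature does not verify against the file"
    if pinned_fingerprint is not None:
        pin = pinned_fingerprint.replace(" ", "").upper()
        if pin in (info["fingerprint"], info["primary_fingerprint"]):
            return True, "valid signature from the pinned release key"
        return False, (f"valid signature, but from unpinned key {info['fingerprint']}: "
                       "this proves nothing about who produced the tarball")
    if info["trust"] in ACCEPTED_TRUST:
        return True, f"valid signature, key trusted ({info['trust']})"
    return False, f"valid signature, but key trust is {info['trust']}"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data, expected_hex):
    """Compare a download against a checksum fetched from a separate site."""
    return hmac.compare_digest(sha256_hex(data).lower(), expected_hex.strip().lower())


# CONSTRUCTED stand-in for the tarball and for a checksum published elsewhere.
TARBALL = b"constructed stand-in for openssh-3.4p1.tar.gz bytes\n"
PUBLISHED_SHA256 = sha256_hex(TARBALL)

if __name__ == "__main__":
    for name, status in [("unknown key", STATUS_UNKNOWN_KEY),
                         ("pinned key", STATUS_PINNED_KEY),
                         ("bad signature", STATUS_BAD)]:
        print(f"{name:14s} -> {signature_verdict(status)}")
    print("checksum ok   ->", verify_checksum(TARBALL, PUBLISHED_SHA256))
```

In real use, replace the constructed status text with the output of `gpg --status-fd 1 --verify openssh-3.4p1.tar.gz.sig openssh-3.4p1.tar.gz` and set `PINNED_FINGERPRINT` to a fingerprint you confirmed through a channel independent of the mirror; with a pin in place, gpg's `TRUST_UNDEFINED` no longer matters, because the pin is the out-of-band trust decision the post was missing.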
This archive was generated by hypermail 2b30 : Sat Aug 03 2002 - 02:09:36 PDT