From nobody@FreeBSD.org  Sun Aug 26 20:42:12 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2D692106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 26 Aug 2012 20:42:12 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 1904E8FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 26 Aug 2012 20:42:12 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q7QKgBMn029152
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 26 Aug 2012 20:42:11 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q7QKgA46029151;
	Sun, 26 Aug 2012 20:42:10 GMT
	(envelope-from nobody)
Message-Id: <201208262042.q7QKgA46029151@red.freebsd.org>
Date: Sun, 26 Aug 2012 20:42:10 GMT
From: Elmar Stellnberger <estellnb@elstel.rivido.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: provide secure hashes for downloadable isos & ports packages
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         171095
>Category:       misc
>Synopsis:       provide secure hashes for downloadable isos & ports packages
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 26 20:50:03 UTC 2012
>Closed-Date:    Thu Aug 01 18:51:54 UTC 2013
>Last-Modified:  Thu Aug 01 18:51:54 UTC 2013
>Originator:     Elmar Stellnberger
>Release:        packages-9.0-release
>Organization:
>Environment:
>Description:
  It would be very kind of you to provide secure hashes for the ports packages as well as downloadable isos. MD5 has been cracked since 2004, and even against SHA, alleged attacks are possible (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html). My wish would be to use the strongest available algorithm: SHA-512. Why not keep the MD5s to verify against download errors and additionally have SHA-512s for security against birthday attacks (afaa).

-> ftp.freebsd.org/pub/FreeBSD/ports/*arch*/packages-X.Y-release/All/CHECKSUM.SHA-512
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->secteam@FreeBSD.org 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Thu Aug 30 14:45:37 UTC 2012 
Responsible-Changed-Why:  
Let secteam@ deal with this request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171095 
Responsible-Changed-From-To: secteam@FreeBSD.org->secteam 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Thu Aug 30 14:58:40 UTC 2012 
Responsible-Changed-Why:  
fix assignment 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171095 
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Thu Aug 1 18:51:52 UTC 2013 
State-Changed-Why:  
Hello, there are SHA-256 hashes available in the release announcement 
for at least 8.4 and 9.1. We currently do not provide hashes for 
packages, though the Ports framework uses sha256 to verify the distfiles 
used to create packages. This current situation might not change soon 
and I believe at this stage it meets most of your points. Thanks for 
using FreeBSD! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171095 
>Unformatted:

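As an added example (not part of this PR and not FreeBSD's own tooling): the verification step the request is about, written in POSIX shell. It assumes the checksum list uses the BSD line format `SHA256 (filename) = hexdigest`, as the release CHECKSUM.SHA256 files do, and uses sha256(1), sha256sum(1) or shasum(1), whichever is installed; the sample file and checksum line it verifies are constructed inside the script. One digest covers both purposes the submitter separates: a mismatch catches download corruption as well as a substituted file, provided the checksum list itself is taken from a trusted source (the release announcement mentioned in the closing note) rather than from the same mirror as the ISO.

```shell
#!/bin/sh
# Added example, not part of PR 171095: verify a downloaded file against a
# BSD-style checksum line of the form
#   SHA256 (FreeBSD-X.Y-RELEASE-arch-disc1.iso) = <64 hex digits>
# File names containing spaces are not handled (release ISOs have none).

# Print the lower-case hex SHA-256 digest of the file named by $1, using
# whichever tool exists: sha256(1) on FreeBSD, sha256sum(1) on GNU systems,
# shasum(1) elsewhere.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the digest recorded for file name $2 in checksum list $1.
# Exit status is non-zero when no SHA256 line names that file.
expected_digest() {
    awk -v name="$2" '
        BEGIN { want = "(" name ")"; found = 0 }
        $1 == "SHA256" && $2 == want { print tolower($4); found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Verify the file at path $2 against checksum list $1.
# Prints OK, MISMATCH or MISSING and returns 0 only for OK.
verify_file() {
    ckfile=$1
    path=$2
    name=$(basename "$path")
    if ! want=$(expected_digest "$ckfile" "$name"); then
        echo "MISSING  $name (no SHA256 line in $ckfile)"
        return 2
    fi
    have=$(sha256_of "$path")
    if [ "$have" = "$want" ]; then
        echo "OK       $name"
        return 0
    fi
    echo "MISMATCH $name (expected $want, got $have)"
    return 1
}

# --- Demonstration on constructed data (not a real FreeBSD release) ---
demo_dir=$(mktemp -d)
printf 'constructed iso contents\n' > "$demo_dir/demo-disc1.iso"
# Build the checksum list from the genuine digest, then verify: prints OK.
printf 'SHA256 (demo-disc1.iso) = %s\n' "$(sha256_of "$demo_dir/demo-disc1.iso")" \
    > "$demo_dir/CHECKSUM.SHA256"
verify_file "$demo_dir/CHECKSUM.SHA256" "$demo_dir/demo-disc1.iso"
# Alter the download by one line and verify again: prints MISMATCH.
printf 'tampered\n' >> "$demo_dir/demo-disc1.iso"
verify_file "$demo_dir/CHECKSUM.SHA256" "$demo_dir/demo-disc1.iso" || true
# A file the list does not mention is reported as MISSING, not as OK.
verify_file "$demo_dir/CHECKSUM.SHA256" "$demo_dir/other.iso" || true
rm -rf "$demo_dir"
```

Run it with sh or bash; it creates its own sample data in a temporary directory and removes it afterwards. To check a real download, point `verify_file` at the CHECKSUM.SHA256 list from the release announcement and at the ISO.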