LFS security problem: break-in
gerard at linuxfromscratch.org
Wed Aug 16 17:11:31 PDT 2000
> I agree. I have checked and nothing was modified. md5 sums are a good
> idea. I will implement the md5 sums for the ftp site.
> Actually, I am more worried about where we have obtained these
> files from. Have the download addresses been verified?
The download locations in the book are mostly from GNU's ftp site. The
others are the official sites as far as I could determine (from the
README and packagename.lsm files). Where I couldn't find an official
site I used sites like tsx-11.mit.edu, metalab.unc.edu which, to me, are
trusted sites. At least not unknown sites like www.aholeintheground.com.
Out of security concern I'll build the archive from scratch.
Linuxfromscratch.org won't be using FTP. I figure downloading via httpd
just should do it. Then again, with ftp it's much easier to select a
bunch of files. With your browser you have to click on every individual
file. Then again, there's a wget file made available which I will put on
linuxfromscratch.org. There are good alternatives to ftp.
By the way, how about implementing some form of anonymous scp without
giving shell access? I'm not sure if that's possible at all, but it's
something worth investigating.
-*- If Linux doesn't have the solution, you have the wrong problem -*-