Correcting SECURITY warning.

Submitted by:	Kris Kennaway
Reviewed by:	Warner Losh

2 files changed, 32 insertions, 22 deletions

diff --git a/usr.sbin/ctm/ctm/ctm.1 b/usr.sbin/ctm/ctm/ctm.1
index d51bbc2..9e82107 100644
--- a/usr.sbin/ctm/ctm/ctm.1
+++ b/usr.sbin/ctm/ctm/ctm.1
@@ -225,15 +225,12 @@ option.
 .Pp
 .Sh SECURITY
 .Pp
-CTM is an
-.Bf Em 
-INSECURE PROTOCOL
-.Ef
+On its own, CTM is an insecure protocol
 - there is no authentication performed that the
 changes applied to the source code were sent by a
 trusted party, and so care should be taken if the
 CTM deltas are obtained via an unauthenticated
-medium such as email.
+medium such as regular email.
 It is a relatively simple matter for an attacker
 to forge a CTM delta to replace or precede the
 legitimate one and insert malicious code into your
@@ -243,12 +240,20 @@ arriving, this will go unnoticed until a later
 delta attempts to touch the same file, at which
 point the MD5 checksum will fail.
 .Pp
-A future version of
-.Fx
-may solve this problem by authenticating CTM
-deltas using cryptographic signatures, but in the
-mean time it is strongly recommended that you
-obtain the CTM deltas via FTP, and not via email.
+To remedy this insecurity, CTM pieces generated by
+freebsd.org are cryptographically signed in a
+format compatible with the GNU Privacy Guard
+utility, available in /usr/ports/security/gpg, and
+the Pretty Good Privacy v5 utility,
+/usr/ports/security/pgp5.
+The relevant public key can be obtained by
+fingering ctm@freebsd.org.
+.Pp
+CTM deltas which are thus signed cannot be
+undetectably altered by an attacker.
+Therefore it is recommended that you make use of
+GPG or PGP5 to verify the signatures if you
+receive your CTM deltas via email.
 .Sh ENVIRONMENT
 .Ev TMPDIR,
 if set to a pathname, will cause ctm to use that pathname
diff --git a/usr.sbin/ctm/ctm_rmail/ctm_rmail.1 b/usr.sbin/ctm/ctm_rmail/ctm_rmail.1
index 49d60a6..df50f30 100644
--- a/usr.sbin/ctm/ctm_rmail/ctm_rmail.1
+++ b/usr.sbin/ctm/ctm_rmail/ctm_rmail.1
@@ -365,15 +365,12 @@ to execute
 on the (non-FreeBSD) machine that this example was taken from.
 .Sh SECURITY
 .Pp
-CTM is an
-.Bf Em 
-INSECURE PROTOCOL
-.Ef
+On its own, CTM is an insecure protocol
 - there is no authentication performed that the
 changes applied to the source code were sent by a
 trusted party, and so care should be taken if the
 CTM deltas are obtained via an unauthenticated
-medium such as email.
+medium such as regular email.
 It is a relatively simple matter for an attacker
 to forge a CTM delta to replace or precede the
 legitimate one and insert malicious code into your
@@ -383,12 +380,20 @@ arriving, this will go unnoticed until a later
 delta attempts to touch the same file, at which
 point the MD5 checksum will fail.
 .Pp
-A future version of
-.Fx
-may solve this problem by authenticating CTM
-deltas using cryptographic signatures, but in the
-mean time it is strongly recommended that you
-obtain the CTM deltas via FTP, and not via email.
+To remedy this insecurity, CTM delta pieces generated by
+freebsd.org are cryptographically signed in a
+format compatible with the GNU Privacy Guard
+utility, available in /usr/ports/security/gpg, and
+the Pretty Good Privacy v5 utility,
+/usr/ports/security/pgp5.
+The relevant public key can be obtained by
+fingering ctm@freebsd.org.
+.Pp
+CTM deltas which are thus signed cannot be
+undetectably altered by an attacker.
+Therefore it is recommended that you make use of
+GPG or PGP5 to verify the signatures if you
+receive your CTM deltas via email.
 .\" This next request is for sections 1, 6, 7 & 8 only
 .Sh ENVIRONMENT
 If deltas are to be applied then