From owner-freebsd-current@FreeBSD.ORG Sat Aug 25 23:34:51 2012
Message-ID: <50396113.3080607@cyberleo.net>
Date: Sat, 25 Aug 2012 18:34:43 -0500
From: CyberLeo Kitsana
To: Baptiste Daroussin
Cc: ports@FreeBSD.org, Steve Wills, Doug Barton, current@FreeBSD.org
Subject: Re: pkgng suggestion: renaming /usr/sbin/pkg to /usr/sbin/pkg-bootstrap
References: <97612B57-1255-4BB3-A6D3-FC74324C6D67@FreeBSD.org> <20120824081543.GB2998@ithaqua.etoilebsd.net> <50380269.6020003@FreeBSD.org> <20120825000148.GF37867@ithaqua.etoilebsd.net>
In-Reply-To: <20120825000148.GF37867@ithaqua.etoilebsd.net>
List-Id: Discussions about the use of FreeBSD-current

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/24/2012 07:01 PM, Baptiste Daroussin wrote:
> Can anyone give me the details on the security related problem?

Off the top of my head, it seems to represent a break in the chain of trust: how does the bootstrapper verify that the tarball it just downloaded to bootstrap pkg is genuine, and not, for example, a trojan? The source in usr.sbin/pkg/pkg.c[1] doesn't seem to suggest it cares.

[1] http://git.cyberleo.net/?p=FreeBSD/releng/9.1.git;a=blob;f=usr.sbin/pkg/pkg.c;hb=b96b623d8debed8fa8fd7df5af01a350344549c9

- --
Fuzzy love,
- -CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace! - http://wwww.fur.com/peace/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlA5YRMACgkQi7w8kEi1KHLZhwCgrGb8piGeNb07IryWvoc/JdzH
xfAAoNfxm+nLoXU7BUclKqnLGbkxgilX
=o9Br
-----END PGP SIGNATURE-----
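
Added example, not part of the message above and not code from pkg.c or the FreeBSD project: a verify-before-extract gate of the kind the message finds missing, where the downloaded archive must match a digest obtained from an already-trusted source before anything is unpacked. The pinned SHA-256 shipping with the base system, the function names and the sample archive are all assumptions made for illustration.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


class VerificationError(Exception):
    """The archive did not match the pinned digest or has an unsafe layout."""


def make_sample_archive(payload):
    # Constructed sample input: a one-file gzip tarball built in memory.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("sbin/pkg-static")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def verify_then_extract(archive, pinned_sha256, dest):
    # Hash the exact bytes that will be unpacked, so nothing can be swapped
    # between the check and the extraction.
    actual = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise VerificationError("digest mismatch, refusing to extract")
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                raise VerificationError("path escapes destination: " + m.name)
            if not (m.isfile() or m.isdir()):
                raise VerificationError("unexpected member type: " + m.name)
        tar.extractall(root, members)
    return [m.name for m in members]


if __name__ == "__main__":
    genuine = make_sample_archive(b"genuine bootstrap payload\n")
    pin = hashlib.sha256(genuine).hexdigest()  # assumed to ship with the base system
    tampered = make_sample_archive(b"trojaned payload\n")
    for label, blob in (("genuine", genuine), ("tampered", tampered)):
        with tempfile.TemporaryDirectory() as d:
            try:
                print(label, "extracted", verify_then_extract(blob, pin, d))
            except VerificationError as e:
                print(label, "rejected:", e)
```

A pinned digest only covers one fixed archive; a bootstrapper that must accept future releases needs a signature checked against a public key carried in the base system instead.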