Date: Sat, 25 Aug 2012 18:34:43 -0500 From: CyberLeo Kitsana <cyberleo@cyberleo.net> To: Baptiste Daroussin <bapt@FreeBSD.org> Cc: ports@FreeBSD.org, Steve Wills <swills@FreeBSD.org>, Doug Barton <dougb@FreeBSD.org>, current@FreeBSD.org Subject: Re: pkgng suggestion: renaming /usr/sbin/pkg to /usr/sbin/pkg-bootstrap Message-ID: <50396113.3080607@cyberleo.net> In-Reply-To: <20120825000148.GF37867@ithaqua.etoilebsd.net> References: <97612B57-1255-4BB3-A6D3-FC74324C6D67@FreeBSD.org> <20120824081543.GB2998@ithaqua.etoilebsd.net> <50380269.6020003@FreeBSD.org> <20120825000148.GF37867@ithaqua.etoilebsd.net>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/24/2012 07:01 PM, Baptiste Daroussin wrote: > Can anyone give me he details on the security related problem? Off the top of my head, it seems to represent a break in the chain of trust: how does the bootstrapper verify that the tarball it just downloaded to bootstrap pkg is genuine, and not, for example, a trojan? The source in usr.sbin/pkg/pkg.c[1] doesn't seem to suggest it cares. [1] http://git.cyberleo.net/?p=FreeBSD/releng/9.1.git;a=blob;f=usr.sbin/pkg/pkg.c;hb=b96b623d8debed8fa8fd7df5af01a350344549c9 - -- Fuzzy love, - -CyberLeo Technical Administrator CyberLeo.Net Webhosting http://www.CyberLeo.Net <CyberLeo@CyberLeo.Net> Furry Peace! - http://wwww.fur.com/peace/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlA5YRMACgkQi7w8kEi1KHLZhwCgrGb8piGeNb07IryWvoc/JdzH xfAAoNfxm+nLoXU7BUclKqnLGbkxgilX =o9Br -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50396113.3080607>