Re: pkgng suggestion: renaming /usr/sbin/pkg to
--jL2BoiuKMElzg3CS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Aug 26, 2012 at 02:26:50PM +0200, Jilles Tjoelker wrote:
> On Sat, Aug 25, 2012 at 06:34:43PM -0500, CyberLeo Kitsana wrote:
> > On 08/24/2012 07:01 PM, Baptiste Daroussin wrote:
> > > Can anyone give me he details on the security related problem?
>=20
> > Off the top of my head, it seems to represent a break in the chain of
> > trust: how does the bootstrapper verify that the tarball it just
> > downloaded to bootstrap pkg is genuine, and not, for example, a
> > trojan? The source in usr.sbin/pkg/pkg.c[1] doesn't seem to suggest it
> > cares.
>=20
> Indeed it does not care, and the current security features are
> insufficient (unless the bootstrapper can use the signed sqlite db to
> verify the pkg package).
>=20
> I think the fix is to modify 'pkg repo' so it detects the pkg package
> and creates a separate signature for it which can be verified by the
> bootstrapper, without needing sqlite.
>=20
> The public key for this signature will have to be distributed with base
> (like the public keys for freebsd-update and portsnap).
>=20
The is the longer plan but this with also true with pkg_add -r, and the pkg
bootstrap may it be pkg-bootstrap or /usr/sbin/pkg. We have been discussing=
with
Security officers and we are waiting for the plan being written and setup by
them, so we can improved security in both pkgng and the bootstrap. This sho=
uld
have happen in BSDCan, but lack of time from everyone, didn't made it happe=
n, we
are now aiming at Cambridge DevSummit for that.
Given that such a security issue is already in with the current pkg_* tools=
, it
was accepting that we can still go that way until the policy is written, gi=
ven
that the final goal is to have the pkgng package checked against a signatur=
e.
regards,
Bapt
--jL2BoiuKMElzg3CS
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)
iEYEARECAAYFAlA6HYYACgkQ8kTtMUmk6EzvzQCgltM9CLmaMutowIChrWpW5VAV
lPoAoLD8owvCwwd5+uYNfA8q6X1ygxbZ
=dloA
-----END PGP SIGNATURE-----
--jL2BoiuKMElzg3CS--
討論串 (同標題文章)
完整討論串 (本文為第 32 之 74 篇):