Re: pkg and root privileges

From: <niko.nastonen_at_icloud.com>
Date: Thu, 28 Jul 2022 18:05:18 UTC
What about HTTPS? I know the packages are signed, but there are plenty of MitM and replay attacks going on, especially with root handling it all.

Br. Niko

> On 28. Jul 2022, at 18.44, Baptiste Daroussin <bapt@FreeBSD.org> wrote:
> 
> On Thu, Jul 28, 2022 at 06:30:37PM +0300, niko.nastonen@icloud.com wrote:
>> The thread on the forum was closed and deleted by moderators due to unsportsmanlike conduct of some who are very worried about security :-)
>> 
>> pkg indeed needs some review in terms of its usage of superuser privileges, in my opinion. Not only fetch, but other parts too, fetch just being probably the most fragile in that sense.
>> 
>> Thanks for your attention.
> 
> I am open to any audit, and of course, as with any audit, there will be bugs
> found. As for usage of superuser privileges, we use a Capsicum sandbox in the most
> sensitive cases, like signature verification for example. So while we are
> clearly not bulletproof, I don't think the situation is dramatic at all.
> 
> Best regards,
> Bapt