pkgng suggestion: renaming /usr/sbin/pkg to
/usr/sbin/pkg-bootstrap
CyberLeo Kitsana
cyberleo at cyberleo.net
Sat Aug 25 23:34:51 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/24/2012 07:01 PM, Baptiste Daroussin wrote:
> Can anyone give me he details on the security related problem?
Off the top of my head, it seems to represent a break in the chain of
trust: how does the bootstrapper verify that the tarball it just
downloaded to bootstrap pkg is genuine, and not, for example, a
trojan? The source in usr.sbin/pkg/pkg.c[1] doesn't seem to suggest it
cares.
[1]
http://git.cyberleo.net/?p=FreeBSD/releng/9.1.git;a=blob;f=usr.sbin/pkg/pkg.c;hb=b96b623d8debed8fa8fd7df5af01a350344549c9
- --
Fuzzy love,
- -CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>
Furry Peace! - http://wwww.fur.com/peace/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlA5YRMACgkQi7w8kEi1KHLZhwCgrGb8piGeNb07IryWvoc/JdzH
xfAAoNfxm+nLoXU7BUclKqnLGbkxgilX
=o9Br
-----END PGP SIGNATURE-----
More information about the freebsd-current
mailing list