PKG not quite ready for prime time
scratch65535 at att.net
Sat Oct 11 13:23:31 UTC 2014
On Fri, 10 Oct 2014 14:47:27 -0500, you wrote:
>On 10/10/2014 1:12 PM, scratch65535 at att.net wrote:
>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>
>>> find /usr/share/keys/pkg -exec sha256 {} +
>>
>> No such file
>
>That's your problem. You are missing the signature fingerprints to
>compare against. As such Pkg is refusing to do anything to prevent MITM
>attacks.
>
>You are missing this:
>https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>
>freebsd-update can provide it.

Thank you for the pointer.

What puzzles me is why the problem wasn't fixed for o/s versions
prior to 10.0 since it was being made mandatory for those
versions. That doesn't seem like good practice.
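
An added example, not part of the thread and not code from pkg itself: a POSIX shell check for the condition the quoted reply describes, a missing or empty fingerprint directory. It assumes fingerprints are files in a `trusted/` subdirectory carrying `function:` and `fingerprint:` lines; that layout, the function names and the sample data are assumptions constructed for illustration.

```shell
# Added example: audit a pkg fingerprint directory.
# Assumed layout (not shown in the thread): DIR/trusted/* files holding
#   function: "sha256"
#   fingerprint: "<64 hex characters>"

# Print the fingerprint stored in one file; fail if the file is malformed.
fingerprint_of() {
    func=$(sed -n 's/^function:[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1)
    fp=$(sed -n 's/^fingerprint:[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1)
    [ "$func" = "sha256" ] || return 1
    # A SHA-256 digest is exactly 64 hex characters.
    printf '%s' "$fp" | grep -Eq '^[0-9a-fA-F]{64}$' || return 1
    printf '%s\n' "$fp"
}

# Succeed only if DIR/trusted holds at least one well-formed fingerprint.
# Return codes: 1 = directory missing, 2 = no fingerprint files,
#               3 = a malformed fingerprint file.
check_pkg_fingerprints() {
    dir=${1:-/usr/share/keys/pkg}
    [ -d "$dir/trusted" ] || { echo "missing: $dir/trusted" >&2; return 1; }
    count=0
    for f in "$dir"/trusted/*; do
        [ -f "$f" ] || continue
        fp=$(fingerprint_of "$f") || { echo "malformed: $f" >&2; return 3; }
        echo "trusted ${f##*/} $fp"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no fingerprints in $dir/trusted" >&2; return 2; }
}

# Constructed sample data: a throwaway directory with a made-up fingerprint.
demo=$(mktemp -d)
mkdir -p "$demo/trusted"
printf 'function: "sha256"\nfingerprint: "%064d"\n' 0 > "$demo/trusted/example.repo"
check_pkg_fingerprints "$demo"
rm -rf "$demo"
```

Called with no argument, `check_pkg_fingerprints` inspects `/usr/share/keys/pkg`, the path used in the thread.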