From owner-freebsd-current@FreeBSD.ORG  Sun Aug 26 12:26:52 2012
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4F48D106564A;
	Sun, 26 Aug 2012 12:26:52 +0000 (UTC) (envelope-from jilles@stack.nl)
Received: from mx1.stack.nl (relay02.stack.nl [IPv6:2001:610:1108:5010::104])
	by mx1.freebsd.org (Postfix) with ESMTP id D9BF68FC0A;
	Sun, 26 Aug 2012 12:26:51 +0000 (UTC)
Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131])
	by mx1.stack.nl (Postfix) with ESMTP id 3D586358C54;
	Sun, 26 Aug 2012 14:26:50 +0200 (CEST)
Received: by snail.stack.nl (Postfix, from userid 1677)
	id 195382847B; Sun, 26 Aug 2012 14:26:50 +0200 (CEST)
Date: Sun, 26 Aug 2012 14:26:50 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: CyberLeo Kitsana <cyberleo@cyberleo.net>
Message-ID: <20120826122649.GA8995@stack.nl>
References: <97612B57-1255-4BB3-A6D3-FC74324C6D67@FreeBSD.org>
	<20120824081543.GB2998@ithaqua.etoilebsd.net>
	<50380269.6020003@FreeBSD.org>
	<20120825000148.GF37867@ithaqua.etoilebsd.net>
	<50396113.3080607@cyberleo.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <50396113.3080607@cyberleo.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: ports@FreeBSD.org, Steve Wills <swills@FreeBSD.org>,
	Baptiste Daroussin <bapt@FreeBSD.org>,
	Doug Barton <dougb@FreeBSD.org>, current@FreeBSD.org
Subject: Re: pkgng suggestion: renaming /usr/sbin/pkg to
 /usr/sbin/pkg-bootstrap
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Aug 2012 12:26:52 -0000

On Sat, Aug 25, 2012 at 06:34:43PM -0500, CyberLeo Kitsana wrote:
> On 08/24/2012 07:01 PM, Baptiste Daroussin wrote:
> > Can anyone give me he details on the security related problem?

> Off the top of my head, it seems to represent a break in the chain of
> trust: how does the bootstrapper verify that the tarball it just
> downloaded to bootstrap pkg is genuine, and not, for example, a
> trojan? The source in usr.sbin/pkg/pkg.c[1] doesn't seem to suggest it
> cares.

Indeed it does not care, and the current security features are
insufficient (unless the bootstrapper can use the signed sqlite db to
verify the pkg package).

I think the fix is to modify 'pkg repo' so it detects the pkg package
and creates a separate signature for it which can be verified by the
bootstrapper, without needing sqlite.

The public key for this signature will have to be distributed with base
(like the public keys for freebsd-update and portsnap).

-- 
Jilles Tjoelker