Date:      Mon, 18 Apr 2016 12:01:23 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        Vsevolod Stakhov <vsevolod@highsecure.ru>, freebsd-pkg@freebsd.org
Subject:   Re: Intrusion Detection using pkg?
Message-ID:  <5714BE83.1060909@FreeBSD.org>
In-Reply-To: <5714BA56.50704@highsecure.ru>
References:  <d9571b48-bea2-a791-c536-af9549166155@freebsd.org> <5714BA56.50704@highsecure.ru>

On 2016/04/18 11:43, Vsevolod Stakhov wrote:
> I don't like this idea: if an attacker has enough power to modify files
> on FS why he or she cannot do the same for checksums in pkg database? We
> need digital signatures and password protected private key. Then a user
> can type something like:

Uh, yes.  That's pretty much exactly what I'm suggesting.

> pkg sign <- enter private key password
>
> followed by:
>
> pkg sign --check to verify the existing checksums

This user interface would work for me.

> Unfortunately, after years of useless discussion we have no sane
> signatures scheme in pkg, and I have no desire to continue these
> discussions I'm afraid.

I believe the current package signature stuff serves its purpose, which
is to verify that the package tarball in question originated from an
identified and trusted source and hasn't subsequently been tampered
with.  Which is fine, but there's a definite use-case for going further...

	Cheers,

	Matthew
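
The argument in the quoted text, that checksums stored beside the files protect nothing unless they are authenticated with a secret the intruder lacks, shown as an added example (not part of this message and not pkg code). It assumes HMAC-SHA256 keyed from a passphrase as a stand-in for the password-protected private-key signature discussed above; all function names, paths and file contents are hypothetical and constructed.

```python
import hashlib, hmac, json

def checksums(files):
    """Map path -> SHA-256 hex digest for an in-memory file set."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}

def derive_key(passphrase, salt):
    # The key exists only while the admin types the passphrase;
    # it is never stored on the monitored host.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def seal(db, key):
    """Authenticate the whole checksum database (canonical JSON)."""
    blob = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def check_plain(files, db):
    """Unsealed check: compares files to the stored checksums only."""
    return checksums(files) == db

def check_sealed(files, db, tag, key):
    """Sealed check: the database must match its tag before it is trusted."""
    return hmac.compare_digest(seal(db, key), tag) and check_plain(files, db)

def demo():
    salt = b"constructed-salt"
    files = {"/usr/local/bin/tool": b"original binary"}  # constructed sample
    db = checksums(files)
    tag = seal(db, derive_key("admin passphrase", salt))  # the "sign" step

    # Someone with write access replaces the file and refreshes the
    # stored checksum, but cannot recompute the tag without the passphrase.
    files["/usr/local/bin/tool"] = b"modified binary"
    db = checksums(files)

    key = derive_key("admin passphrase", salt)            # the "check" step
    return check_plain(files, db), check_sealed(files, db, tag, key)

if __name__ == "__main__":
    plain_ok, sealed_ok = demo()
    print("unsealed check passes:", plain_ok)
    print("sealed check passes:  ", sealed_ok)
```

The unsealed comparison accepts the modified file because the database was rewritten with it, while the sealed check fails on the database itself.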


