From: Garrett Wollman
Date: Tue, 20 Nov 2012 23:00:07 -0500
To: Matthew Seaman
Subject: Re: Recent security announcement and csup/cvsup?
Cc: freebsd-security@freebsd.org

< said:

> pkgng will have a crypto-signing mechanism for packages with
> per-repository public keys and so forth. It's not there yet -- stuff is
> awaiting review by security team people, who are (even moreso, given
> current events) generally insanely busy.

Huh? What's not there yet? I've been signing my local repository since the very beginning. (I'm an unusual case and don't really care about "official" binary packages -- I want/need to control the options things are built with, and pkgng won't be able to handle that case usefully until it has a SAT solver for dependency resolution.)

pkgng is the thing that is finally allowing me to manage the FreeBSD machines in our infrastructure as easily as the Debian machines; thankfully we only need about a hundred packages (and no X) rather than the full set.

-GAWollman