From: Kris Kennaway
To: Wes Peters
Cc: Mario Sergio Fujikawa Ferreira, "Michael C. Wu", ports@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: Package signing tools
Date: Tue, 2 Jan 2001 05:03:51 -0800
Message-ID: <20010102050351.C18277@citusc.usc.edu>
In-Reply-To: <3A50D2B7.5AD86D9E@softweyr.com>
References: <3A4ED1C0.14061CE5@softweyr.com> <20001231003920.A24519@peorth.iteration.net> <3A4EDCA9.5CEA7114@softweyr.com> <20010101083459.B12422@citusc.usc.edu> <20010101143803.A3416@Fedaykin.here> <3A50C6A8.3E02FAE@softweyr.com> <20010101161001.B3416@Fedaykin.here> <3A50D2B7.5AD86D9E@softweyr.com>

On Mon, Jan 01, 2001 at 11:55:51AM -0700, Wes Peters wrote:
> > > Right. Should checking the signature be the default, with an option to
> > > skip it, or should it be optional to pkg_add?
> >
> > I think that it should be optional for now.
> > We have an awful amount of non-signed packages floating
> > around the net. Then, when the next release comes (4.3R or whatever),
> > this should become the default.
>
> I don't see pkg_add refusing to add an unsigned package, since as of yet
> no signed packages exist. I can see telling the user the package is
> unsigned and asking if you want to continue, unless -f has been specified.

Ideally, this is how we would do it. But it has the obvious bootstrapping problems which have already been noted, which we can get around by introducing the warning levels in stages so as not to piss everyone off when there's nothing that can be done about it (i.e. no signed packages).

We need to think about how this is going to be used by the project, too. Packages are built automatically, so they'd need to be signed automatically. That puts the signing machine(s) in a (more) dangerous position, since not only can an attacker who gains access insert their own code and have it signed as legit (presently it would just pass unnoted), they can steal the key and make arbitrary signed packages of their own independently (if they just break in and steal the key it's much more likely to go undetected than if they maintain access to do it online).

Does this open up legal liability for the FreeBSD Project under the new and future regime of digital signature laws in the US and abroad, etc?

Difficult questions.

Kris
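The staged enforcement the thread argues about, as an added illustration that is not part of the thread or of FreeBSD's pkg_add: the policy level names, the `SigStatus`/`Decision` enums, the `decide`/`impact` functions and the rule that a signature which is present but fails to verify is refused at every level above "off" (even with -f) are all assumptions of this example, not anything the posters specified.

```python
"""Staged signature-enforcement policy for a pkg_add-style installer.

Constructed example. Levels are ordered as they might be phased in over
successive releases, so unsigned packages first pass silently, then warn,
then prompt (overridable with -f), and finally are refused by default.
"""
from enum import Enum


class SigStatus(Enum):
    UNSIGNED = "unsigned"        # no signature shipped with the package
    GOOD = "good"                # verifies against a trusted key
    UNTRUSTED_KEY = "untrusted"  # verifies, but the signing key is unknown
    BAD = "bad"                  # signature present but does not verify


class Decision(Enum):
    INSTALL = "install"
    INSTALL_WITH_WARNING = "install-warn"
    REFUSE = "refuse"


LEVELS = ("off", "warn", "prompt", "require")  # assumed stage names


def decide(level, status, force=False, ask=lambda question: False):
    """Return the Decision for one package under a given policy level.

    `force` models pkg_add -f; `ask` is the interactive hook and returns
    True when the user chooses to continue (non-interactive default: no).
    """
    if level not in LEVELS:
        raise ValueError(f"unknown policy level {level!r}")
    if level == "off":                     # no checking at all this stage
        return Decision.INSTALL
    if status is SigStatus.GOOD:
        return Decision.INSTALL
    if status is SigStatus.BAD:            # assumption: tampering evidence
        return Decision.REFUSE             # is never overridden by -f
    if level == "warn":
        return Decision.INSTALL_WITH_WARNING
    if level == "prompt":
        if force or ask(f"package is {status.value}; continue?"):
            return Decision.INSTALL_WITH_WARNING
        return Decision.REFUSE
    # "require": checking is the default; -f is the option to skip it.
    return Decision.INSTALL_WITH_WARNING if force else Decision.REFUSE


def impact(statuses):
    """Count how many of a package set each level would refuse, non-
    interactively and without -f: shows the bootstrapping problem."""
    return {lvl: sum(decide(lvl, s) is Decision.REFUSE for s in statuses)
            for lvl in LEVELS}
```

Feeding `impact` a mostly-unsigned package set makes the case for staging explicit: the "prompt" and "require" levels refuse nearly everything until signed packages actually exist.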