Date: Sun, 26 Aug 2012 14:58:47 +0200 From: Baptiste Daroussin <bapt@FreeBSD.org> To: Jilles Tjoelker <jilles@stack.nl> Cc: CyberLeo Kitsana <cyberleo@cyberleo.net>, ports@FreeBSD.org, Doug Barton <dougb@FreeBSD.org>, current@FreeBSD.org, Steve Wills <swills@FreeBSD.org> Subject: Re: pkgng suggestion: renaming /usr/sbin/pkg to /usr/sbin/pkg-bootstrap Message-ID: <20120826125846.GD37534@ithaqua.etoilebsd.net> In-Reply-To: <20120826122649.GA8995@stack.nl> References: <97612B57-1255-4BB3-A6D3-FC74324C6D67@FreeBSD.org> <20120824081543.GB2998@ithaqua.etoilebsd.net> <50380269.6020003@FreeBSD.org> <20120825000148.GF37867@ithaqua.etoilebsd.net> <50396113.3080607@cyberleo.net> <20120826122649.GA8995@stack.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
--jL2BoiuKMElzg3CS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Aug 26, 2012 at 02:26:50PM +0200, Jilles Tjoelker wrote: > On Sat, Aug 25, 2012 at 06:34:43PM -0500, CyberLeo Kitsana wrote: > > On 08/24/2012 07:01 PM, Baptiste Daroussin wrote: > > > Can anyone give me he details on the security related problem? >=20 > > Off the top of my head, it seems to represent a break in the chain of > > trust: how does the bootstrapper verify that the tarball it just > > downloaded to bootstrap pkg is genuine, and not, for example, a > > trojan? The source in usr.sbin/pkg/pkg.c[1] doesn't seem to suggest it > > cares. >=20 > Indeed it does not care, and the current security features are > insufficient (unless the bootstrapper can use the signed sqlite db to > verify the pkg package). >=20 > I think the fix is to modify 'pkg repo' so it detects the pkg package > and creates a separate signature for it which can be verified by the > bootstrapper, without needing sqlite. >=20 > The public key for this signature will have to be distributed with base > (like the public keys for freebsd-update and portsnap). >=20 The is the longer plan but this with also true with pkg_add -r, and the pkg bootstrap may it be pkg-bootstrap or /usr/sbin/pkg. We have been discussing= with Security officers and we are waiting for the plan being written and setup by them, so we can improved security in both pkgng and the bootstrap. This sho= uld have happen in BSDCan, but lack of time from everyone, didn't made it happe= n, we are now aiming at Cambridge DevSummit for that. Given that such a security issue is already in with the current pkg_* tools= , it was accepting that we can still go that way until the policy is written, gi= ven that the final goal is to have the pkgng package checked against a signatur= e. regards, Bapt --jL2BoiuKMElzg3CS Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlA6HYYACgkQ8kTtMUmk6EzvzQCgltM9CLmaMutowIChrWpW5VAV lPoAoLD8owvCwwd5+uYNfA8q6X1ygxbZ =dloA -----END PGP SIGNATURE----- --jL2BoiuKMElzg3CS--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120826125846.GD37534>