Date: Tue, 8 Sep 2015 15:38:02 +0200 From: Fabian Keil <freebsd-listen@fabiankeil.de> To: Marko =?UTF-8?B?Q3VwYcSH?= <marko.cupac@mimar.rs> Cc: freebsd-stable@freebsd.org Subject: Re: 10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey" Message-ID: <71b353bf.343f9c90@fabiankeil.de> In-Reply-To: <20150908123838.238e5e74@efreet> References: <20150908123838.238e5e74@efreet>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Marko Cupać <marko.cupac@mimar.rs> wrote: > I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg > with signature_type="pubkey". > > Quick search returns: > https://github.com/freebsd/pkg/issues/1309 > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622 > > I guess it is not hard to switch repo to fingerprints, however I would > not expect to lose this functionality by updating to patchlevel. The "functionality" pkg(7) "lost" is silently ignoring unsupported signature types which is dangerous if the network can't be trusted: https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc https://www.fabiankeil.de/gehacktes/hardenedbsd/ If you absolutely want to, you can still bootstrap insecurely by temporarily setting the signature type to none. Fabian [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlXu5LcACgkQBYqIVf93VJ3BvQCgjDqpvYNfkXMLwPCJADFnMGUt 8HkAn142kVNscD69TSmhh1IQgKI4jqSf =7wtA -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?71b353bf.343f9c90>