Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 26 Aug 2012 12:08:48 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Baptiste Daroussin <bapt@FreeBSD.org>
Cc:        CyberLeo Kitsana <cyberleo@cyberleo.net>, ports@FreeBSD.org, current@FreeBSD.org, Jilles Tjoelker <jilles@stack.nl>, Steve Wills <swills@FreeBSD.org>
Subject:   Re: pkgng suggestion: renaming /usr/sbin/pkg to /usr/sbin/pkg-bootstrap
Message-ID:  <503A7440.5050703@FreeBSD.org>
In-Reply-To: <20120826185810.GB42842@ithaqua.etoilebsd.net>
References:  <97612B57-1255-4BB3-A6D3-FC74324C6D67@FreeBSD.org> <20120824081543.GB2998@ithaqua.etoilebsd.net> <50380269.6020003@FreeBSD.org> <20120825000148.GF37867@ithaqua.etoilebsd.net> <50396113.3080607@cyberleo.net> <20120826122649.GA8995@stack.nl> <20120826125846.GD37534@ithaqua.etoilebsd.net> <503A6D4B.9070606@FreeBSD.org> <20120826185810.GB42842@ithaqua.etoilebsd.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On 08/26/2012 11:58, Baptiste Daroussin wrote:
> On Sun, Aug 26, 2012 at 11:39:07AM -0700, Doug Barton wrote:
>> On 08/26/2012 05:58, Baptiste Daroussin wrote:
>>
>>> The is the longer plan but this with also true with pkg_add -r, and the pkg
>>> bootstrap may it be pkg-bootstrap or /usr/sbin/pkg. We have been discussing with
>>> Security officers and we are waiting for the plan being written and setup by
>>> them, so we can improved security in both pkgng and the bootstrap. This should
>>> have happen in BSDCan, but lack of time from everyone, didn't made it happen, we
>>> are now aiming at Cambridge DevSummit for that.
>>
>> It would be nice if this were in place before 10-current shifted to pkg
>> by default in order to limit the number of times that we have to start
>> testing over from scratch.
>>
>>> Given that such a security issue is already in with the current pkg_* tools, it
>>> was accepting that we can still go that way until the policy is written, given
>>> that the final goal is to have the pkgng package checked against a signature.
>>
>> This isn't the security issue I was talking about by having sbin/pkg
>> pass every command line to local/sbin/pkg.
>>
>> You keep saying that you have no objections to changing the name. I am
>> asking you to do that. I don't care if it is pkg-bootstrap or something
>> else you like better. But please change the name to not be pkg, and
>> limit the functionality of the tool to bootstrapping the pkg package.
>>
> 
> I received more feedback about keep pkg

As far as I could tell the people who responded that way don't seem to
be aware that every command to /usr/local/sbin/pkg is going to pass
through /usr/sbin/pkg. On its face, that is a bad idea for many reasons,
not the least of which is that it adds complexity where that complexity
does not need to be. The larger problem with that approach is that gives
an attacker 2 places to compromise the package installation process
instead of just 1. This becomes even more important if the pkg bootstrap
tool is the place that the public key for the digital signature is located.

> and changing it to
> pkg-bootstrap, so what should I do, changing it because you are asking for it?

A) You said you had no objections to changing it
B) I'm not the only one asking

Doug

-- 

    I am only one, but I am one.  I cannot do everything, but I can do
    something.  And I will not let what I cannot do interfere with what
    I can do.
			-- Edward Everett Hale, (1822 - 1909)



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?503A7440.5050703>