Date: Mon, 07 Aug 2017 20:16:08 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 221281] sysutils/ezjail should verify downloaded tarballs before use Message-ID: <bug-221281-13-qKedZzxkcO@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-221281-13@https.bugs.freebsd.org/bugzilla/> References: <bug-221281-13@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D221281 --- Comment #2 from Rene Wagner <rw@nelianur.org> --- Thanks for the quick reply! I'm glad to hear you're actively working on ezj= ail again! As for "bsdinstall jail", does it actually check any signatures? If I read its source code correctly it appears that it first fetches the MANIFEST file, then the base.txz listed therein as well as any additional distribution files selected by the user, and finally computes the SHA256 checksums of the downloaded files which are then compared against the check= sums from the MANIFEST. The MANIFEST file is not signed. Thus, this will only prevent accidental corruption of files in transit. It doesn't provide any protection against malicious tampering, does it? --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-221281-13-qKedZzxkcO>