From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 221281] sysutils/ezjail should verify downloaded tarballs before use
Date: Mon, 07 Aug 2017 20:16:08 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: feature, security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: rw@nelianur.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221281

--- Comment #2 from Rene Wagner ---
Thanks for the quick reply! I'm glad to hear you're actively working on ezjail
again!

As for "bsdinstall jail", does it actually check any signatures? If I read its
source code correctly it appears that it first fetches the MANIFEST file, then
the base.txz listed therein as well as any additional distribution files
selected by the user, and finally computes the SHA256 checksums of the
downloaded files which are then compared against the checksums from the
MANIFEST. The MANIFEST file is not signed. Thus, this will only prevent
accidental corruption of files in transit. It doesn't provide any protection
against malicious tampering, does it?
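
The distinction drawn in the comment above, as an added example that is not part of the original message and is not bsdinstall or ezjail code: a checksum comparison against a MANIFEST fetched over the same channel catches corruption but not a consistent replacement, while authenticating the MANIFEST first catches both. The tab-separated MANIFEST layout (file name, then SHA256), the function names, and the out-of-band pinned digest are assumptions, and the file contents are constructed stand-ins.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_manifest(manifest: bytes) -> dict:
    # Assumed layout: tab-separated fields, file name first, SHA256 second.
    entries = {}
    for line in manifest.decode("ascii").splitlines():
        fields = line.split("\t")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1].lower()
    return entries

def verify_against_manifest(manifest: bytes, files: dict) -> bool:
    # The check described in the comment: downloaded files vs. the fetched MANIFEST.
    expected = parse_manifest(manifest)
    return bool(files) and all(
        name in expected and hmac.compare_digest(sha256_hex(data), expected[name])
        for name, data in files.items()
    )

def verify_with_pinned_manifest(manifest: bytes, files: dict, pinned: str) -> bool:
    # Authenticate the MANIFEST itself first, against a digest obtained over a
    # separate trusted channel (hypothetical), then run the same file check.
    if not hmac.compare_digest(sha256_hex(manifest), pinned.lower()):
        return False
    return verify_against_manifest(manifest, files)

def make_manifest(files: dict) -> bytes:
    # Builds the constructed sample manifests used below.
    return "".join(f"{n}\t{sha256_hex(d)}\t1\n" for n, d in files.items()).encode("ascii")

# Constructed sample data (stand-ins, not real distribution files).
RELEASE = {"base.txz": b"constructed stand-in for base.txz"}
RELEASE_MANIFEST = make_manifest(RELEASE)
PINNED = sha256_hex(RELEASE_MANIFEST)
CORRUPTED = {"base.txz": RELEASE["base.txz"][:-1] + b"\x00"}  # damaged in transit
REPLACED = {"base.txz": b"constructed stand-in for a modified base.txz"}
REPLACED_MANIFEST = make_manifest(REPLACED)  # served together with REPLACED

def run_cases() -> dict:
    # Each value is (manifest-only result, pinned-manifest result).
    cases = {"intact": (RELEASE_MANIFEST, RELEASE),
             "corrupted": (RELEASE_MANIFEST, CORRUPTED),
             "replaced": (REPLACED_MANIFEST, REPLACED)}
    return {k: (verify_against_manifest(m, f), verify_with_pinned_manifest(m, f, PINNED))
            for k, (m, f) in cases.items()}

if __name__ == "__main__":
    for case, result in run_cases().items():
        print(case, result)
```
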