On Tue, Feb 11, 2020 at 11:31:32PM +0000, Nathan Dorfman wrote: > > The patch I have at the moment looks for the MANIFEST (rather, the > > <arch>-<target_arch>-<X.Y-RELEASE>) file in the location they are > > installed by the misc/freebsd-release-manifests package. > > This seems reasonable, but I think the checksum script is also used by > the system installer (not just the jail setup script). >
No, they are two different sets of functionality. The system installer *always* uses the MANIFEST from the installation medium, but when fixing that, I did not notice the jail subcommand, nor that it fetches a remote MANIFEST file. > Have you considered the possibility of simply publishing a detached > signature with every MANIFEST, in a similar manner to what is done for > the installer images? > I have not, as a change to the misc/freebsd-release-manifests port will generate an email (or at minimum, a change in the repository), which would be a red flag for nefarious behavior. Glen
signature.asc
Description: PGP signature
