-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/24/2012 07:01 PM, Baptiste Daroussin wrote:
> Can anyone give me he details on the security related problem?

Off the top of my head, it seems to represent a break in the chain of
trust: how does the bootstrapper verify that the tarball it just
downloaded to bootstrap pkg is genuine, and not, for example, a
trojan? The source in usr.sbin/pkg/pkg.c[1] doesn't seem to suggest it
cares.

[1]
http://git.cyberleo.net/?p=FreeBSD/releng/9.1.git;a=blob;f=usr.sbin/pkg/pkg.c;hb=b96b623d8debed8fa8fd7df5af01a350344549c9

- -- 
Fuzzy love,
- -CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<cyber...@cyberleo.net>

Furry Peace! - http://wwww.fur.com/peace/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlA5YRMACgkQi7w8kEi1KHLZhwCgrGb8piGeNb07IryWvoc/JdzH
xfAAoNfxm+nLoXU7BUclKqnLGbkxgilX
=o9Br
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to