Both the system installer and poudriere jails take images from http://ftp.freebsd.org/pub/FreeBSD/releases/

But I can't see that there is a signature anywhere there that is verified during the download.

For example, pkg(8) uses the key fingerprint /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 to verify downloads. This is the only file under /usr/share/keys/


Does this mean that system images aren't verified and MITM is possible, or am I missing something?


Yuri

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pkgbase
To unsubscribe, send any mail to "[email protected]"
