Garrett Wollman <[email protected]> wrote:
> Since packages are already distributed with signatures over the entire
> package manifest, it would be nice if you could use the package system
> to feed this.

Yes, that's what we do in Junos. The Junos package system relies on veriexec to verify packages and their content, and thus automatically feed manifest contents to the kernel, which renders the content executable.

Eric's configurable trust store could allow the above to be more widely used. In Junos the trust store is burned into the apps that need to verify things - which is great for us but not what you want for a general deployment system.

But it's hard to do things like this if they have to be optional.
