Are signatures of system images verified?

[Colin Percival]

On 06/29/16 16:38, Bryan Drewery wrote:
> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well.

For the record, I obtained these files by downloading the release ISOs,
verifying their hashes against the signed release announcements, and
then extracting the MANIFEST files from the ISOs, and I intend to do
this for future releases as well.  I think the consensus was that this
was a better option than adding "commit MANIFEST files to the ports
tree" to the already very lengthy release engineering checklist, but
of course I'd have no objection to handing over this task if re@ wanted
it for some reason. :-)

> Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required.  These were missing
> for ports-mgmt/poudriere-devel until just now.  I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.

Sounds good.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid