Are signatures of system images verified?

Glen Barber gjb at FreeBSD.org
Wed Jun 29 23:57:15 UTC 2016


On Wed, Jun 29, 2016 at 04:50:55PM -0700, Colin Percival wrote:
> On 06/29/16 16:38, Bryan Drewery wrote:
> > Around that time (January 2016), Colin Percival has been maintaining a
> > copy of the MANIFESTS in ports-mgmt/poudriere as well.
> 
> For the record, I obtained these files by downloading the release ISOs,
> verifying their hashes against the signed release announcements, and
> then extracting the MANIFEST files from the ISOs, and I intend to do
> this for future releases as well.  I think the consensus was that this
> was a better option than adding "commit MANIFEST files to the ports
> tree" to the already very lengthy release engineering checklist, but
> of course I'd have no objection to handing over this task if re@ wanted
> it for some reason. :-)
> 

There are other (valid) reasons for having these signed "somewhere".
I'm sure there are more use cases than bootonly.iso and poudriere that
use these files.  So, it's on my list, but since we have the MANIFESTs
you already gathered, no immediate plan to make this retroactive.

Glen
