UNS: Re: Trust system write-up
Simon J. Gerraty sjg at juniper.net
Tue Oct 24 05:33:40 UTC 2017

Garrett Wollman <wollman at bimajority.org> wrote:
> Since packages are already distributed with signatures over the entire
> package manifest, it would be nice if you could use the package system
> to feed this.
Yes, that's what we do in Junos.
The Junos package system relies on veriexec to verify packages and their
content, and thus automatically feed manifest contents to the kernel,
which renders the content executable.
Eric's configurable trust store could allow the above to be more widely
used.
In Junos the trust store is burned into the apps that need to verify
things - which is great for us but not what you want for a general
deployment system.
But it's hard to do things like this if they have to be optional.

More information about the freebsd-security mailing list