10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"

Fabian Keil freebsd-listen at fabiankeil.de
Tue Sep 8 13:41:35 UTC 2015


Marko Cupać <marko.cupac at mimar.rs> wrote:

> I just found out that 10.2-RELEASE-p2 lost the ability to bootstrap pkg
> with signature_type="pubkey".
> 
> Quick search returns:
> https://github.com/freebsd/pkg/issues/1309
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
> 
> I guess it is not hard to switch the repo to fingerprints, however I would
> not expect to lose this functionality by updating to a patchlevel.

The "functionality" pkg(7) "lost" is silently ignoring unsupported
signature types, which is dangerous if the network can't be trusted:
https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc
https://www.fabiankeil.de/gehacktes/hardenedbsd/

If you absolutely want to, you can still bootstrap insecurely by
temporarily setting the signature type to none.

Fabian
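
An added example, not part of the original post and not pkg's own code: a POSIX sh check that reads a repository definition and reports how its signature_type fares at bootstrap time, following the thread (fingerprints is the suggested alternative, none bootstraps without verification, anything else such as pubkey is unsupported by the bootstrap). The function names, the line-based parsing and the sample repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the signature_type of pkg repository definitions
# with respect to bootstrapping. Assumes a "signature_type: value" or
# "signature_type = value" line per repository, as in the usual conf layout.

# Read repository config on stdin, print the first signature_type value.
# Text after '#' is treated as a comment and ignored.
extract_sigtype() {
    sed -n 's/#.*$//; s/^[[:space:]]*signature_type[[:space:]]*[:=][[:space:]]*"\{0,1\}\([A-Za-z_]*\)"\{0,1\}.*$/\1/p' |
        head -n 1
}

# Map a signature_type value to a bootstrap verdict:
#   verified    - fingerprints, the alternative suggested in the thread
#   unverified  - none or unset: bootstrap proceeds without any signature check
#   unsupported - everything else (e.g. pubkey): must be rejected, never
#                 silently treated as "no check needed"
classify_sigtype() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        fingerprints) echo "verified" ;;
        none|"")      echo "unverified" ;;
        *)            echo "unsupported" ;;
    esac
}

# Audit one config file given by path.
audit_repo_conf() {
    value=$(extract_sigtype < "$1")
    echo "$1: signature_type=${value:-<unset>} -> $(classify_sigtype "$value")"
}

# Audit any files named on the command line.
for conf in "$@"; do
    audit_repo_conf "$conf"
done

# Constructed sample repository definition (not taken from the thread).
sample='myrepo: {
  url: "http://pkg.example.org/${ABI}",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/pkg.pub",
  enabled: yes
}'
value=$(printf '%s\n' "$sample" | extract_sigtype)
echo "sample: signature_type=$value -> $(classify_sigtype "$value")"
```

Pass repository configuration files as arguments to audit them; any result other than "verified" means the bootstrap either does no verification or cannot use the configured type.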

More information about the freebsd-stable mailing list