Marko Cupać
2015-Sep-08 10:38 UTC
10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Hi,

I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
with signature_type="pubkey".

Quick search returns:
https://github.com/freebsd/pkg/issues/1309
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622

I guess it is not hard to switch repo to fingerprints, however I would
not expect to lose this functionality by updating to patchlevel.

Regards,
--
Marko Cupać
https://www.mimar.rs/
Fabian Keil
2015-Sep-08 13:38 UTC
10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
Marko Cupać <marko.cupac at mimar.rs> wrote:

> I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> with signature_type="pubkey".
>
> Quick search returns:
> https://github.com/freebsd/pkg/issues/1309
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
>
> I guess it is not hard to switch repo to fingerprints, however I would
> not expect to lose this functionality by updating to patchlevel.

The "functionality" pkg(7) "lost" is silently ignoring unsupported
signature types which is dangerous if the network can't be trusted:
https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc
https://www.fabiankeil.de/gehacktes/hardenedbsd/

If you absolutely want to, you can still bootstrap insecurely by
temporarily setting the signature type to none.

Fabian
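Added example, not part of the thread and not pkg's own code: a Python sketch of the fail-closed handling described in the reply above, applied to a constructed repository configuration. The repository names, hosts and key path are invented, and the set of types the bootstrap can verify is an assumption taken from the messages in this thread.

```python
import re

# Assumption from the thread: at this patch level the pkg(7) bootstrap can
# only verify "fingerprints"; any other declared type is unsupported.
BOOTSTRAP_VERIFIABLE = {"fingerprints"}

# Constructed sample repository configuration (not from the thread).
SAMPLE_CONF = '''
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg"
}
internal: {
  url: "http://pkg.example.org/${ABI}",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/pkg.pub"
}
lab: {
  url: "http://lab.example.org/${ABI}"
}
'''

# A repo block is "name: { ... }" with the closing brace on its own line.
REPO_RE = re.compile(r'^\s*([\w.-]+)\s*:\s*\{(.*?)^\s*\}', re.S | re.M)
SIG_RE = re.compile(r'signature_type\s*[:=]\s*"?([A-Za-z]+)"?', re.I)

def audit(conf_text):
    """Return {repo_name: (signature_type, verdict)} for each repo block."""
    result = {}
    for name, body in REPO_RE.findall(conf_text):
        m = SIG_RE.search(body)
        # A repository without signature_type is treated as "none".
        sig = m.group(1).lower() if m else "none"
        if sig in BOOTSTRAP_VERIFIABLE:
            verdict = "verified"
        elif sig == "none":
            verdict = "unverified"   # explicit opt-out, visible to the admin
        else:
            # Fail closed: a declared but unsupported type stops the
            # bootstrap instead of being skipped without verification.
            verdict = "refuse"
        result[name] = (sig, verdict)
    return result

if __name__ == "__main__":
    for repo, (sig, verdict) in audit(SAMPLE_CONF).items():
        print(f"{repo}: signature_type={sig} -> {verdict}")
```
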
Baptiste Daroussin
2015-Sep-08 21:28 UTC
10.2-RELEASE-p2 lost ability to bootstrap pkg with signature_type="pubkey"
On Tue, Sep 08, 2015 at 12:38:38PM +0200, Marko Cupać wrote:

> Hi,
>
> I just found out that 10.2-RELEASE-p2 lost ability to bootstrap pkg
> with signature_type="pubkey".
>
> Quick search returns:
> https://github.com/freebsd/pkg/issues/1309
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202622
>
> I guess it is not hard to switch repo to fingerprints, however I would
> not expect to lose this functionality by updating to patchlevel.
>

Implemented in head: r287579

I will MFC it asap. And see if it cannot be added asap to a next
patchlevel update.

Best regards,
Bapt