Summary: | sysutils/ezjail should verify downloaded tarballs before use | ||
---|---|---|---|
Product: | Ports & Packages | Reporter: | Rene Wagner <rw> |
Component: | Individual Port(s) | Assignee: | freebsd-ports-bugs (Nobody) <ports-bugs> |
Status: | Closed Feedback Timeout | ||
Severity: | Affects Many People | CC: | erdgeist, joneum, ports-secteam, secteam |
Priority: | --- | Keywords: | feature, security |
Version: | Latest | Flags: | bugzilla:
maintainer-feedback?
(erdgeist) |
Hardware: | Any | ||
OS: | Any |
Description
Rene Wagner
2017-08-06 14:07:24 UTC
I'm currently working on just using "bsdinstall jail" to do the heavy lifting for me. Your issue should just go away, then. Thanks for the quick reply! I'm glad to hear you're actively working on ezjail again! As for "bsdinstall jail", does it actually check any signatures? If I read its source code correctly it appears that it first fetches the MANIFEST file, then the base.txz listed therein as well as any additional distribution files selected by the user, and finally computes the SHA256 checksums of the downloaded files which are then compared against the checksums from the MANIFEST. The MANIFEST file is not signed. Thus, this will only prevent accidental corruption of files in transit. It doesn't provide any protection against malicious tampering, does it? what is the current status? Does ports-secteam have to be active here? |