On Wed, Sep 08, 2010 at 04:34:57PM -0700, Shawn Walker wrote:
> The original request was about a way to connect remotely to verify
> the system presumably using the installed system.

Darren's request was for an option to have pkg verify use manifests from the repo instead of /var/pkg to verify the installed bits. I think that's a good idea. However, if we always required manifest signatures, the only thing an attacker [who hasn't compromised the repo] can do is replace the trust anchors. So, even better than having pkg verify use manifests from the repo, would be for pkg verify to use trust anchors from a specified location, and for pkg verify to verify that unsigned manifests are also unsigned in the repo (or better, disallow unsigned manifests if it's not too late to do that).

> Yes, if you care about it that much, you'll have to use some form of
> a "trusted" environment.

Yes. That would be boot from media or valex.

Nico
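The verification mode Nico sketches above, as an added example that is not part of this thread and not pkg(5)'s own code: installed manifests are compared against the repository copies, repository signatures are checked only against trust anchors supplied by the caller (from boot media, not from the host's /var/pkg), and a manifest that is unsigned in the repository must also be unsigned on the host. The Manifest type, the ed25519 signatures, the manifest text and the package names are all constructed stand-ins for this example; real pkg(5) manifests and signature actions are more involved.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"sort"
)

// Manifest is a simplified stand-in (an assumption of this example) for a
// package manifest: its text plus an optional detached signature and the
// public key that signature claims to come from.
type Manifest struct {
	Body      []byte
	Signature []byte            // nil: manifest is unsigned
	Signer    ed25519.PublicKey // nil: manifest is unsigned
}

// Signed reports whether the manifest carries a signature at all.
func (m Manifest) Signed() bool { return m.Signature != nil }

// anchored reports whether the manifest's signature verifies under one of the
// trust anchors handed in from outside the system being verified.
func anchored(m Manifest, anchors []ed25519.PublicKey) bool {
	for _, a := range anchors {
		if a.Equal(m.Signer) && ed25519.Verify(a, m.Body, m.Signature) {
			return true
		}
	}
	return false
}

// VerifyAgainstRepo checks every installed manifest against its repository
// copy. Trust anchors come only from the caller, never from the host under
// test, so swapping the host's local anchors gains an attacker nothing.
// It returns one finding per discrepancy, in package-name order.
func VerifyAgainstRepo(installed, repo map[string]Manifest, anchors []ed25519.PublicKey, allowUnsigned bool) []string {
	var findings []string
	names := make([]string, 0, len(installed))
	for n := range installed {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, name := range names {
		inst := installed[name]
		r, ok := repo[name]
		if !ok {
			findings = append(findings, name+": no manifest in repository")
			continue
		}
		if r.Signed() {
			if !anchored(r, anchors) {
				findings = append(findings, name+": repository signature does not verify under the supplied trust anchors")
				continue
			}
			if !bytes.Equal(inst.Body, r.Body) {
				findings = append(findings, name+": installed manifest differs from the signed repository manifest")
			}
			if inst.Signed() && !anchored(inst, anchors) {
				findings = append(findings, name+": installed manifest is signed by a key that is not a trust anchor (local anchors may have been replaced)")
			}
			continue
		}
		// Unsigned in the repository: the installed copy must be unsigned too.
		if !allowUnsigned {
			findings = append(findings, name+": unsigned in repository (policy disallows unsigned manifests)")
		}
		if inst.Signed() {
			findings = append(findings, name+": installed manifest is signed but the repository copy is not")
		} else if !bytes.Equal(inst.Body, r.Body) {
			findings = append(findings, name+": installed unsigned manifest differs from the repository copy")
		}
	}
	return findings
}

// sign produces a signed Manifest over body with the given private key.
func sign(body []byte, priv ed25519.PrivateKey) Manifest {
	return Manifest{Body: body, Signature: ed25519.Sign(priv, body), Signer: priv.Public().(ed25519.PublicKey)}
}

// DemoFindings runs a constructed scenario: the publisher key is the only
// trust anchor; someone with root on the host has rewritten one installed
// manifest, re-signed it with their own key and installed that key as the
// local anchor. Because the anchors used here never come from the host,
// both the changed body and the foreign signer are reported.
func DemoFindings() []string {
	publisher := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize)) // constructed key
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))     // constructed key
	anchors := []ed25519.PublicKey{publisher.Public().(ed25519.PublicKey)}

	repo := map[string]Manifest{ // constructed manifests
		"pkg:/service/network/ssh": sign([]byte("set name=pkg.fmri value=pkg:/service/network/ssh\nfile 1a2b path=usr/lib/ssh/sshd\n"), publisher),
		"pkg:/library/zlib":        {Body: []byte("set name=pkg.fmri value=pkg:/library/zlib\n")},
	}
	installed := map[string]Manifest{
		"pkg:/service/network/ssh": sign([]byte("set name=pkg.fmri value=pkg:/service/network/ssh\nfile ffff path=usr/lib/ssh/sshd\n"), other),
		"pkg:/library/zlib":        repo["pkg:/library/zlib"],
	}
	return VerifyAgainstRepo(installed, repo, anchors, true)
}

func main() {
	for _, f := range DemoFindings() {
		fmt.Println(f)
	}
}
```

Passing allowUnsigned=false turns every manifest that is unsigned in the repository into a finding, which is the "disallow unsigned manifests" policy from the message; with allowUnsigned=true the check still insists that an unsigned repository manifest is unsigned and byte-identical on the host.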
