On 09/ 8/10 04:40 PM, Nicolas Williams wrote:
> On Wed, Sep 08, 2010 at 04:34:57PM -0700, Shawn Walker wrote:
>> The original request was about a way to connect remotely to verify
>> the system presumably using the installed system.
>
> Darren's request was for an option to have pkg verify use manifests from
> the repo instead of /var/pkg to verify the installed bits. I think
> that's a good idea.
>
>> But not terribly useful if your goal is to ensure the hacker hasn't
>> compromised the system. After all, the pkg system is written in python
>> and if they compromised your system, logically it would be trivial for
>> them to compromise the pkg system itself.
>>
>> In other words, it seems odd to me that you would trust the verification
>> of the system simply because you could supply a trusted source of data
>> but were still relying on an untrustworthy client to do the verification.
>>
>> With that said, if you were going to leverage this functionality in a
>> "trusted" environment, it seems useful there.
>
> However, if we always required manifest signatures, the only thing an
> attacker [who hasn't compromised the repo] can do is replace the trust
> anchors.
>
> So, even better than having pkg verify use manifests from the repo,
> would be for pkg verify to use trust anchors from a specified location,
> and for pkg verify to verify that unsigned manifests are also unsigned
> in the repo (or better, disallow unsigned manifests if it's not too late
> to do that).

Unsigned manifests have to be possible -- not only because some
publishers may choose to not sign theirs, but because signing is not
performed at the same time a package is initially published.
-Shawn
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
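As an added illustration of the two rules proposed in Nicolas's reply (verify signed manifests under a trust anchor taken from a caller-specified location rather than from /var/pkg, and accept an unsigned manifest only when the repo copy is unsigned too), here is a small Go model. It is not IPS code and not how pkg(5) signing actually works: the manifest bodies, package names, error names and the attacker scenario are all constructed for the example, and plain ed25519 keys stand in for whatever publisher certificate chain a real repository uses. The verifier takes its anchor as a parameter, so the same check can be run against the key found on the (possibly compromised) host and against one supplied from outside it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Manifest models a package manifest: the bytes the client installs from,
// plus the publisher's signature over them (nil while still unsigned).
type Manifest struct {
	Name string
	Body []byte
	Sig  []byte
}

// Repo is the publisher's repository, assumed NOT to be under attacker control.
type Repo map[string]Manifest

// Verdicts pkg verify can reach (hypothetical names, not IPS error codes).
var (
	ErrNotInRepo         = errors.New("manifest not present in repo")
	ErrUntrusted         = errors.New("signature does not verify under the trust anchor")
	ErrSignatureStripped = errors.New("installed manifest is unsigned but the repo copy is signed")
	ErrTampered          = errors.New("unsigned manifest differs from the repo copy")
)

// Verifier checks an installed manifest using a trust anchor supplied by the
// caller (e.g. read from removable media), not one found under /var/pkg.
type Verifier struct {
	Anchor ed25519.PublicKey
	Repo   Repo
}

// Verify: signed manifests must verify under the supplied anchor; unsigned
// manifests pass only if the repo copy is unsigned too and byte-identical,
// since stripping the signature is the obvious way to hide a modified manifest.
func (v Verifier) Verify(local Manifest) error {
	remote, ok := v.Repo[local.Name]
	if !ok {
		return ErrNotInRepo
	}
	if local.Sig == nil {
		if remote.Sig != nil {
			return ErrSignatureStripped
		}
		if !bytes.Equal(local.Body, remote.Body) {
			return ErrTampered
		}
		return nil // accepted, but with no cryptographic assurance at all
	}
	if !ed25519.Verify(v.Anchor, local.Body, local.Sig) {
		return ErrUntrusted
	}
	return nil
}

// Results holds the verdicts of the constructed scenario below.
type Results struct {
	Honest, AttackerAnchor, ExternalAnchor, Stripped, Unsigned error
}

// Scenario constructs a publisher, a repo, and an attacker who has root on the
// client (so can rewrite /var/pkg, trust anchor included) but not on the repo.
// Package names, manifest bodies and keys are all made up for this example.
func Scenario() (Results, error) {
	pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	atkPub, atkPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	sign := func(key ed25519.PrivateKey, name string, body []byte) Manifest {
		return Manifest{Name: name, Body: body, Sig: ed25519.Sign(key, body)}
	}
	good := []byte("set name=pkg.fmri value=pkg://example/core@1.0\nfile path=usr/bin/ls mode=0555\n")
	evil := []byte(string(good) + "file path=usr/lib/rootkit.so mode=0755\n")
	experimental := Manifest{Name: "experimental", Body: []byte("set name=pkg.fmri value=pkg://example/experimental@0.1\n")}
	repo := Repo{"core": sign(privKey, "core", good), "experimental": experimental} // experimental: published, not yet signed

	// The attacker re-signs a trojaned manifest with their own key and swaps
	// the anchor stored in /var/pkg for their own public key.
	trojan := sign(atkPriv, "core", evil)
	onDiskAnchor := atkPub

	var r Results
	r.Honest = Verifier{Anchor: pubKey, Repo: repo}.Verify(repo["core"])
	r.AttackerAnchor = Verifier{Anchor: onDiskAnchor, Repo: repo}.Verify(trojan) // anchor from /var/pkg: trojan passes
	r.ExternalAnchor = Verifier{Anchor: pubKey, Repo: repo}.Verify(trojan)       // anchor from a specified location: rejected
	r.Stripped = Verifier{Anchor: pubKey, Repo: repo}.Verify(Manifest{Name: "core", Body: evil})
	r.Unsigned = Verifier{Anchor: pubKey, Repo: repo}.Verify(experimental)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest: %v\nanchor from /var/pkg: %v\nexternal anchor: %v\nstripped sig: %v\nunsigned: %v\n",
		r.Honest, r.AttackerAnchor, r.ExternalAnchor, r.Stripped, r.Unsigned)
}
```

Running it shows the trojan accepted when the anchor comes from the attacker-writable host but rejected under the externally supplied one, and the stripped-signature variant caught by the repo comparison. Shawn's caveat still applies: this only means anything if the verifier and its runtime are themselves trusted (run from boot media or another host), since an attacker with root can just as easily patch the verifier as the anchor.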