On Wed, Sep 08, 2010 at 04:46:47PM -0700, Shawn Walker wrote:
> On 09/ 8/10 04:40 PM, Nicolas Williams wrote:
> >On Wed, Sep 08, 2010 at 04:34:57PM -0700, Shawn Walker wrote:
> >>The original request was about a way to connect remotely to verify
> >>the system presumably using the installed system.
> >
> >Darren's request was for an option to have pkg verify use manifests from
> >the repo instead of /var/pkg to verify the installed bits.  I think
> >that's a good idea.
>
> But not terribly useful if your goal is to ensure the hacker hasn't
> compromised the system.  After all, the pkg system is written in
> python and if they compromised your system, logically it would be
> trivial for them to compromise the pkg system itself.

And now we're going in circles.  But you missed the point: you could boot
from trusted media, use pkg verify from the trusted media, but still use
the manifest data from /var/pkg from the BE to be verified.  Why?
Because you'd use trust anchors from the trusted media and crypto takes
care of the rest.

> In other words, it seems odd to me that you would trust the
> verification of the system simply because you could supply a trusted
> source of data but were still relying on an untrustworthy client to
> do the verification.

You did not carefully read what I wrote, in its context :)

> With that said, if you were going to leverage this functionality in
> a "trusted" environment, it seems useful there.

Yes, that's the point.

> >So, even better than having pkg verify use manifests from the repo,
> >would be for pkg verify to use trust anchors from a specified location,
> >and for pkg verify to verify that unsigned manifests are also unsigned
> >in the repo (or better, disallow unsigned manifests if it's not too late
> >to do that).
>
> Unsigned manifests have to be possible -- not only because some
> publishers may choose to not sign theirs, but because signing is not
> performed at the same time a package is initially published.

Unsigned manifests can be re-downloaded from the repo then.  Signed ones
can be used from the BE to verify.  This is just an optimization, of
course.

Nico
-- 
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
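The verification flow Nico sketches above (verifier and trust anchors from trusted media, manifests and files from the untrusted BE, signed manifests accepted on the strength of their signature, unsigned ones re-fetched from the repository and checked to be unsigned there too) as a runnable model. This is an added example, not code from the IPS project or from anyone on this thread. It assumes a toy manifest format (a dict with `name`, `publisher`, `files` and an optional `signature`), uses an HMAC key as a stand-in for a publisher's public-key trust anchor (so the same bytes sign and verify; with real signatures the trusted media would hold only the public half), and builds its sample BE, repository and attacker edits in memory, so it runs offline.

```python
"""Model of off-line BE verification with trust anchors from trusted media.

Constructed example: toy manifests, an in-memory BE and repository, and an
HMAC key standing in for a publisher's public-key trust anchor.  Not IPS code.
"""
import hashlib
import hmac
import json

# Trust anchor as read from the trusted boot media (simplification: an HMAC
# key, so "signing" and "verifying" use the same bytes).
TRUST_ANCHORS = {"solaris": b"trust-anchor-read-from-trusted-media"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def canonical(manifest):
    """Bytes the signature covers: everything except the signature itself."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def sign(manifest, key):
    """Publisher-side: attach a signature over the canonical manifest body."""
    signed = dict(manifest)
    signed["signature"] = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return signed


def signature_valid(manifest, anchors):
    """Verifier-side: check the manifest against the anchor for its publisher."""
    key = anchors.get(manifest["publisher"])
    if key is None or "signature" not in manifest:
        return False
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def verify_be(be_manifests, be_files, repo_manifests, anchors):
    """Return {package: status} for the BE under test.

    be_manifests:   manifests read from /var/pkg of the BE (untrusted)
    be_files:       installed files of the BE, path -> bytes (untrusted)
    repo_manifests: manifests fetched from the repository (trusted source)
    anchors:        trust anchors read from the trusted media
    """
    results = {}
    for name, local in be_manifests.items():
        if "signature" in local:
            # Signed: the crypto vouches for the BE copy, no re-download needed.
            if not signature_valid(local, anchors):
                results[name] = "bad signature"
                continue
            manifest = local
        else:
            # Unsigned: fall back to the repository copy, and insist that the
            # repository copy is unsigned as well (a stripped signature is a finding).
            manifest = repo_manifests.get(name)
            if manifest is None:
                results[name] = "unsigned and not in repo"
                continue
            if "signature" in manifest:
                results[name] = "signature stripped locally"
                continue
        bad = [p for p, h in manifest["files"].items()
               if p not in be_files or sha256(be_files[p]) != h]
        results[name] = "ok" if not bad else "modified: " + ", ".join(sorted(bad))
    return results


def build_scenario():
    """Constructed BE: an intact signed package, a trojaned signed package whose
    manifest the attacker re-hashed, an unsigned package the attacker modified,
    and a signed package whose local signature the attacker stripped."""
    key = TRUST_ANCHORS["solaris"]
    good_sh, good_login, good_tool, cron = b"#!/bin/sh\n", b"\x7fELF login", b"tool v1", b"cron"
    trojan_login, trojan_tool = good_login + b" + backdoor", good_tool + b" + backdoor"

    def manifest(name, files):
        return {"name": name, "publisher": "solaris",
                "files": {p: sha256(c) for p, c in files.items()}}

    repo = {
        "shell": sign(manifest("shell", {"/usr/bin/sh": good_sh}), key),
        "login": sign(manifest("login", {"/usr/bin/login": good_login}), key),
        "tool": manifest("tool", {"/usr/bin/tool": good_tool}),  # published unsigned
        "cron": sign(manifest("cron", {"/usr/sbin/cron": cron}), key),
    }
    be_files = {"/usr/bin/sh": good_sh, "/usr/bin/login": trojan_login,
                "/usr/bin/tool": trojan_tool, "/usr/sbin/cron": cron}
    login_fake = dict(repo["login"])  # old signature kept, hash "fixed up"
    login_fake["files"] = {"/usr/bin/login": sha256(trojan_login)}
    tool_fake = manifest("tool", {"/usr/bin/tool": trojan_tool})
    cron_stripped = {k: v for k, v in repo["cron"].items() if k != "signature"}
    be_manifests = {"shell": repo["shell"], "login": login_fake,
                    "tool": tool_fake, "cron": cron_stripped}
    return be_manifests, be_files, repo


if __name__ == "__main__":
    be_m, be_f, repo = build_scenario()
    for pkg, status in verify_be(be_m, be_f, repo, TRUST_ANCHORS).items():
        print(f"{pkg}: {status}")
```

The trojaned `login` is caught without touching the network because its re-hashed manifest no longer verifies against the anchor; the unsigned `tool` is caught only because the verifier re-fetched its manifest from the repository, which is the optimization Nico describes: signed manifests can be trusted from the BE, unsigned ones cannot.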
