pkgsrc-Changes archive
Re: CVS commit: pkgsrc/pkgtools/pkg_install
On Tue, Sep 01, 2015 at 08:18:12PM +0100, Jonathan Perkin wrote:
> * On 2015-09-01 at 16:48 BST, Joerg Sonnenberger wrote:
>
> > On Tue, Sep 01, 2015 at 12:14:06PM +0000, Jonathan Perkin wrote:
> > > Module Name: pkgsrc
> > > Committed By: jperkin
> > > Date: Tue Sep 1 12:14:06 UTC 2015
> > >
> > > Modified Files:
> > > pkgsrc/pkgtools/pkg_install: Makefile
> > > pkgsrc/pkgtools/pkg_install/files/add: Makefile.in
> > > pkgsrc/pkgtools/pkg_install/files/admin: Makefile.in
> > > pkgsrc/pkgtools/pkg_install/files/create: Makefile.in
> > > pkgsrc/pkgtools/pkg_install/files/delete: Makefile.in
> > > pkgsrc/pkgtools/pkg_install/files/info: Makefile.in
> > > pkgsrc/pkgtools/pkg_install/files/lib: Makefile.in gpgsig.c lib.h
> > > pkg_signature.c version.h vulnerabilities-file.c
> > >
> > > Log Message:
> > > Implement inline package signature verification.
> >
> > I still believe the overlap between netpgpverify and OpenSSL should be
> > addressed first.
>
> I first posted this for review back on February 2nd. I then posted it
> again on August 17th saying if I heard no feedback for a couple of weeks
> I'd commit. I didn't receive a single reply to either mail, so it's a bit
> unfair to complain now.
I mentioned it on IRC more than once...
> I'm not sure what overlap you mean exactly, but it sounds like something
> that can be worked on separately and doesn't negate the functionality that
> has been implemented.
The overlap can result in buffer overflows when using a native
non-NetBSD OpenSSL. That is pretty serious given that this is security
sensitive code. Check the symbol list of sha2.h.
Joerg