pkgsrc-Changes archive


Re: CVS commit: pkgsrc/pkgtools/pkg_install



Fixed in {lib,}netpgpverify 20150901

Regards,
Alistair

On 1 September 2015 at 12:52, Joerg Sonnenberger
<joerg%britannica.bec.de@localhost> wrote:
> On Tue, Sep 01, 2015 at 08:18:12PM +0100, Jonathan Perkin wrote:
>> * On 2015-09-01 at 16:48 BST, Joerg Sonnenberger wrote:
>>
>> > On Tue, Sep 01, 2015 at 12:14:06PM +0000, Jonathan Perkin wrote:
>> > > Module Name:      pkgsrc
>> > > Committed By:     jperkin
>> > > Date:             Tue Sep  1 12:14:06 UTC 2015
>> > >
>> > > Modified Files:
>> > >   pkgsrc/pkgtools/pkg_install: Makefile
>> > >   pkgsrc/pkgtools/pkg_install/files/add: Makefile.in
>> > >   pkgsrc/pkgtools/pkg_install/files/admin: Makefile.in
>> > >   pkgsrc/pkgtools/pkg_install/files/create: Makefile.in
>> > >   pkgsrc/pkgtools/pkg_install/files/delete: Makefile.in
>> > >   pkgsrc/pkgtools/pkg_install/files/info: Makefile.in
>> > >   pkgsrc/pkgtools/pkg_install/files/lib: Makefile.in gpgsig.c lib.h
>> > >       pkg_signature.c version.h vulnerabilities-file.c
>> > >
>> > > Log Message:
>> > > Implement inline package signature verification.
>> >
>> > I still believe the overlap between netpgpverify and OpenSSL should be
>> > addressed first.
>>
>> I first posted this for review back on February 2nd.  I then posted it
>> again on August 17th saying if I heard no feedback for a couple of weeks
>> I'd commit.  I didn't receive a single reply to either mail, so it's a bit
>> unfair to complain now.
>
> I mentioned it on IRC more than once...
>
>> I'm not sure what overlap you mean exactly, but it sounds like something
>> that can be worked on separately and doesn't negate the functionality that
>> has been implemented.
>
> The overlap can result in buffer overflows when using a native
> non-NetBSD OpenSSL. That is pretty serious given that this is security
> sensitive code. Check the symbol list of sha2.h.
>
> Joerg
>


