On Sun, Aug 26, 2012 at 11:39:07AM -0700, Doug Barton wrote: > On 08/26/2012 05:58, Baptiste Daroussin wrote: > > > The is the longer plan but this with also true with pkg_add -r, and the pkg > > bootstrap may it be pkg-bootstrap or /usr/sbin/pkg. We have been discussing > > with > > Security officers and we are waiting for the plan being written and setup by > > them, so we can improved security in both pkgng and the bootstrap. This > > should > > have happen in BSDCan, but lack of time from everyone, didn't made it > > happen, we > > are now aiming at Cambridge DevSummit for that. > > It would be nice if this were in place before 10-current shifted to pkg > by default in order to limit the number of times that we have to start > testing over from scratch. > > > Given that such a security issue is already in with the current pkg_* > > tools, it > > was accepting that we can still go that way until the policy is written, > > given > > that the final goal is to have the pkgng package checked against a > > signature. > > This isn't the security issue I was talking about by having sbin/pkg > pass every command line to local/sbin/pkg. > > You keep saying that you have no objections to changing the name. I am > asking you to do that. I don't care if it is pkg-bootstrap or something > else you like better. But please change the name to not be pkg, and > limit the functionality of the tool to bootstrapping the pkg package. >
I received more feedback about keep pkg and changing it to pkg-bootstrap, so what should I do, changing it because you are asking for it? regards, Bapt
pgpnisowrHYbh.pgp
Description: PGP signature
