Re: pkgsrc binary packages security with pkgin

To: maya%NetBSD.org@localhost
Subject: Re: pkgsrc binary packages security with pkgin
From: "J. Lewis Muir" <jlmuir%imca-cat.org@localhost>
Date: Sat, 25 Jan 2020 20:43:12 -0600

On 01/25, maya%NetBSD.org@localhost wrote:
> On Sat, Jan 25, 2020 at 01:34:34AM +0100, yarl-baudig%mailoo.org@localhost wrote:
> > May I ask how is safe the use pkgsrc binary packages. For example using pkgin. Does libfetch is doing fine with https? Any thoughts?
> > 
> > Is the authenticity and integrity of packages installed this way is guaranteed assuming no bugs in software involved?
> 
> No.

Wow!  That's surprising.  Can you explain why?

I understand that the binary packages are not digitally signed, but if
the binary repo is served over HTTPS, as long as the repo has not been
compromised, the integrity and authenticity is guaranteed, no?

Or as the OP asked, is pkgin not actually validating the server's SSL
certificate?  That would be terrible if it's silently behaving that way.
If it can't handle HTTPS properly, it should refuse to use the URL.
Anyway, I would be very surprised if this is what's going on, so I'm
just asking to understand better.

Thank you!

Lewis

Follow-Ups:
- Re: pkgsrc binary packages security with pkgin
  - From: Johnny Billquist

References:
- pkgsrc binary packages security with pkgin
  - From: yarl-baudig
- Re: pkgsrc binary packages security with pkgin
  - From: maya

Prev by Date: Re: pkgsrc binary packages security with pkgin
Next by Date: Re: pkgsrc binary packages security with pkgin
Previous by Thread: Re: pkgsrc binary packages security with pkgin
Next by Thread: Re: pkgsrc binary packages security with pkgin
Indexes:

Home | Main Index | Thread Index | Old Index