Re: pkgsrc binary packages security with pkgin

[yarl-baudig%mailoo.org@localhost]

Please Maya and Mr Billquist, can you be more specific about how it is insecure?

To all: Is someone working on it and what is ongoing to improve this?

Thank you very much.

> De : J. Lewis Muir <jlmuir%imca-cat.org@localhost>
> À : Johnny Billquist <bqt%update.uu.se@localhost>
> Sujet : Re: pkgsrc binary packages security with pkgin
> Date : 27/01/2020 12:08:07 Europe/Paris
> Copie à : maya%NetBSD.org@localhost;
>    yarl-baudig%mailoo.org@localhost;
>    netbsd-users%netbsd.org@localhost
>
> On 01/26, Johnny Billquist wrote:
> > The code is not audited anyway, but just downloaded from various places, and
> > then built.
>  
> I don't follow.  What code are you saying is not audited?  The source
> code of each package?  If so, I think that's mostly true (of course
> there are exceptions where the source code has been audited), but that's
> no different than other package management systems such as RHEL's or
> Ubuntu's.
>
> But this thread is about pkgsrc *binary* packages.  Are you instead
> talking about the distfiles downloaded in order to build the binary
> packages from source?  Each pkgsrc package contains a distinfo file
> which contains a checksum for each distfile (or other) downloaded from
> the Internet, so those can all be downloaded from anywhere without HTTPS
> and still be trusted as long as the checksum matches.
>
> > If you really want to have some actual security, and not just a false sense
> > of it, https or so on is not really the answer. Anyone who thinks that just
> > because https is involved, it is somehow more secure, is really fooling
> > themselves.
> > 
> > https is most properly something to use when submitting sensitive data to a
> > web server, which you do not want someone to pick up along the way.
> > 
> > The total craziness of moving the whole internet to https is not really
> > improving any security in most situations.
>
> It protects against man-in-the-middle attacks, so I think for
> downloading binary packages it does add something significant.
>
> > Not to mention the question of how you would solve the replication of
> > repositories. All needs their own signatures. So there are a whole bunch of
> > places where to get packages from. How do you know that they are all legit,
> > and have the "right" binary packages even? You cannot have a single
> > signature to ensure they are legit, since https ties certificates to the
> > specific host.
>
> I'm sorry, but I also don't follow this.  By "repository replication" do
> you mean mirroring repositories?  I would say that this can be done in a
> number of ways including over HTTPS or SSH.
>
> And for binary packages, each package could be digitally signed by
> whoever built it.  You can trust more than one person or organization to
> build packages, and if you trust whoever built it, and you can validate
> the signature, then you can trust the package.
>
> Regards,
>
> Lewis