Re: pkgsrc binary packages security with pkgin

To: "Martin Husemann" <martin%duskware.de@localhost>, "Ottavio Caruso" <ottavio2006-usenet2012%yahoo.com@localhost>
Subject: Re: pkgsrc binary packages security with pkgin
From: yarl-baudig%mailoo.org@localhost
Date: Fri, 31 Jan 2020 10:25:17 +0100 (CET)

That's exactly the answer I was waiting and hoping for. Thank you.

I'll follow tech-pkg from now on. Packages must be signed.



De : Martin Husemann <martin%duskware.de@localhost>
À : Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost>
Sujet : Re: pkgsrc binary packages security with pkgin
Date : 31/01/2020 09:51:53 Europe/Paris
Copie à : netbsd-users%netbsd.org@localhost

Let me (as someone not heavily involved into pkgsrc and binary pkg building)
try to unriddle a few bits that I think get easily confused in this context.

When it comes to 3rd party packages, you have to trust:

(1) the original source of the package ("upstream") and its release policies.

Assuming that the released source has no bad things hidden, you then have
to trust:

(2) pkgsrc (or the commiters of the pkg and all its dependencies and all
patches involved) to not do anything bad

>From that point on we can help with various checks. When building a pkg
(locally or in a bulk build environment) pkgsrc verifies the distribution
file it downloaded does match the hashes recorded at (2). The result of
that build is a binary pkg, and if you did build localy, you are done here

Follow-Ups:
- Re: pkgsrc binary packages security with pkgin
  - From: Johnny Billquist

References:
- Re: pkgsrc binary packages security with pkgin
  - From: Martin Husemann

Prev by Date: Tr: Re: pkgsrc binary packages security with pkgin
Next by Date: Re: pkgsrc binary packages security with pkgin
Previous by Thread: Re: pkgsrc binary packages security with pkgin
Next by Thread: Re: pkgsrc binary packages security with pkgin
Indexes:

Home | Main Index | Thread Index | Old Index