Re: pkgsrc binary packages security with pkgin

To: Johnny Billquist <bqt%update.uu.se@localhost>
Subject: Re: pkgsrc binary packages security with pkgin
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Fri, 31 Jan 2020 11:34:34 +0100

On Fri, Jan 31, 2020 at 11:08:05AM +0100, Johnny Billquist wrote:
> On 2020-01-31 10:25, yarl-baudig%mailoo.org@localhost wrote:
> > That's exactly the answer I was waiting and hoping for. Thank you.
> > 
> > I'll follow tech-pkg from now on. Packages must be signed.
> 
> And with that signature, you know that what you got from the server was not
> tampered with during transport to you, which is the same thing https would
> give you. And which still means you have no idea if the software is sane,
> proper, does what you think, or hasn't been tampered with.

No it's not the same thing.
package signature guarantees that the data have not been modified since it
has been built.
https guarantees that the data have not been modified between the http server
and client. It doesn't tell anything about what happened to the binary pkg
between the build server and the http server at the time you download it.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

Follow-Ups:
- Re: pkgsrc binary packages security with pkgin
  - From: Johnny Billquist

References:
- Re: pkgsrc binary packages security with pkgin
  - From: yarl-baudig
- Re: pkgsrc binary packages security with pkgin
  - From: Johnny Billquist

Prev by Date: Re: pkgsrc binary packages security with pkgin
Next by Date: Re: pkgsrc binary packages security with pkgin
Previous by Thread: Re: pkgsrc binary packages security with pkgin
Next by Thread: Re: pkgsrc binary packages security with pkgin
Indexes:

Home | Main Index | Thread Index | Old Index