Re: pkgsrc binary packages security with pkgin

[Johnny Billquist <bqt%update.uu.se@localhost>]

Or putting it another way...

Martin did an excellent summary of potential risks.

You seem to be all focused on point 5 of that list, which is, I think 
the least likely to be a problem or a risk. That someone would tamper 
with the data en route to you is the trickiest, and least likely to 
succeed in the first place.

Attacking at points 1-4 are all easier and more rewarding, and they are 
all left unsolved in your world.

And any attack at points 1-4 will go undetected by a check at point 5.

  Johnny

On 2020-01-31 11:08, Johnny Billquist wrote:
> On 2020-01-31 10:25, yarl-baudig%mailoo.org@localhost wrote:
> > That's exactly the answer I was waiting and hoping for. Thank you.
> >
> > I'll follow tech-pkg from now on. Packages must be signed.
>
> And with that signature, you know that what you got from the server was 
> not tampered with during transport to you, which is the same thing https 
> would give you. And which still means you have no idea if the software 
> is sane, proper, does what you think, or hasn't been tampered with.
>
>    Johnny
>
> > De : Martin Husemann <martin%duskware.de@localhost>
> > À : Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost>
> > Sujet : Re: pkgsrc binary packages security with pkgin
> > Date : 31/01/2020 09:51:53 Europe/Paris
> > Copie à : netbsd-users%netbsd.org@localhost
> >
> > Let me (as someone not heavily involved into pkgsrc and binary pkg 
> > building)
> > try to unriddle a few bits that I think get easily confused in this 
> > context.
> >
> > When it comes to 3rd party packages, you have to trust:
> >
> > (1) the original source of the package ("upstream") and its release 
> > policies.
> >
> > Assuming that the released source has no bad things hidden, you then have
> > to trust:
> >
> > (2) pkgsrc (or the commiters of the pkg and all its dependencies and all
> > patches involved) to not do anything bad
> >
> > > From that point on we can help with various checks. When building a pkg
> > (locally or in a bulk build environment) pkgsrc verifies the distribution
> > file it downloaded does match the hashes recorded at (2). The result of
> > that build is a binary pkg, and if you did build localy, you are done 
> > here


--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt%softjar.se@localhost             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol