Re: pkgsrc binary packages security with pkgin

To: Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost>
Subject: Re: pkgsrc binary packages security with pkgin
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Fri, 31 Jan 2020 09:06:05 -0500

Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost> writes:

> I have interpreted "binary packages safety" as something intrinsic to
> potential vulnerability of the 3rd party software itself, as opposed
> to package integrity checking with digital signatures, checksums, etc,
> at least related to questions 1 and 3.

In my view, the biggest risks are unintentional bugs and then backdoors
in the upstream packages.

> It seems to me that one can sign a package all they want; if there is
> a vulnerability in the code itself, this won't go away by having it
> digitally signed.

Absolutely true.  You can an attested build of buggy sources.

The point about signed packages is that it's fairly easy to do, for some
definition of fairly easy.  Certainly it's easier than ensuring there
are no bugs in 15000 upstream packages.

References:
- Re: pkgsrc binary packages security with pkgin
  - From: J. Lewis Muir
- Re: pkgsrc binary packages security with pkgin
  - From: yarl-baudig
- Re: pkgsrc binary packages security with pkgin
  - From: Ottavio Caruso
- Re: pkgsrc binary packages security with pkgin
  - From: Leonardo Taccari
- Re: pkgsrc binary packages security with pkgin
  - From: Ottavio Caruso

Prev by Date: Re: pkgsrc binary packages security with pkgin
Next by Date: Re: pkgsrc binary packages security with pkgin
Previous by Thread: Re: pkgsrc binary packages security with pkgin
Next by Thread: Re: pkgsrc binary packages security with pkgin
Indexes:

Home | Main Index | Thread Index | Old Index