On 2020-01-26 03:43, J. Lewis Muir wrote:
> On 01/25, m...@netbsd.org wrote:
>> On Sat, Jan 25, 2020 at 01:34:34AM +0100, yarl-bau...@mailoo.org wrote:
>>> May I ask how safe the use of pkgsrc binary packages is, for example using pkgin.
>>> Does libfetch do fine with https? Any thoughts?
>>> Is the authenticity and integrity of packages installed this way guaranteed,
>>> assuming no bugs in the software involved?
>> No.
> Wow! That's surprising. Can you explain why?
> I understand that the binary packages are not digitally signed, but if
> the binary repo is served over HTTPS, as long as the repo has not been
> compromised, the integrity and authenticity are guaranteed, no?
> Or as the OP asked, is pkgin not actually validating the server's SSL
> certificate? That would be terrible if it's silently behaving that way.
> If it can't handle HTTPS properly, it should refuse to use the URL.
> Anyway, I would be very surprised if this is what's going on, so I'm
> just asking to understand better.
> Thank you!
The code is not audited anyway, but just downloaded from various places,
and then built.
If you really want to have some actual security, and not just a false
sense of it, https or so on is not really the answer. Anyone who thinks
that just because https is involved, it is somehow more secure, is
really fooling themselves.
https is most properly something to use when submitting sensitive data
to a web server, which you do not want someone to pick up along the way.
The total craziness of moving the whole internet to https is not really
improving any security in most situations.
Not to mention the question of how you would solve the replication of
repositories. All need their own signatures. So there are a whole bunch
of places to get packages from. How do you know that they are all
legit, and have the "right" binary packages even? You cannot have a
single signature to ensure they are legit, since https ties certificates
to the specific host.
/Me feeling very tired of the https hysteria...
Johnny
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: b...@softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol
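The point Johnny makes about replicated repositories, that a transport certificate is bound to a host while trust in a package has to follow the bytes, is easiest to see with a detached content signature. The following is an added illustration, not code from this thread or from pkgsrc/pkgin: it assumes a builder key pair (Ed25519 here, an assumed choice) whose public half the client already has out of band, then serves one signed package from two mirrors and a third mirror that altered it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Mirror models one replicated repository: the host name, the package bytes
// it serves, and the detached signature it hands out alongside them.
type Mirror struct {
	Host string
	Pkg  []byte
	Sig  []byte
}

// signPackage is run once by the package builder, with the builder's key;
// the signature covers the package bytes and nothing about where they live.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

// verifyFromMirror is what a client does after fetching from any mirror:
// check the detached signature against the builder's public key. The host
// that served the bytes (and any TLS certificate it has) plays no part.
func verifyFromMirror(pub ed25519.PublicKey, m Mirror) bool {
	return ed25519.Verify(pub, m.Pkg, m.Sig)
}

// scenario signs a constructed package once and serves it from two mirrors
// plus a third whose copy has been altered; it reports which copies verify.
func scenario() (mirrorA, mirrorB, tampered bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // assumed builder key
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed package payload, stands in for a .tgz")
	sig := signPackage(priv, pkg)
	bad := append([]byte{}, pkg...)
	bad[0] ^= 0xff // one flipped byte in the copy served by mirror-c
	a := Mirror{"mirror-a.example", pkg, sig}
	b := Mirror{"mirror-b.example", pkg, sig}
	c := Mirror{"mirror-c.example", bad, sig}
	return verifyFromMirror(pub, a), verifyFromMirror(pub, b), verifyFromMirror(pub, c)
}

func main() {
	a, b, c := scenario()
	fmt.Println("mirror-a:", a, "mirror-b:", b, "tampered mirror-c:", c)
}
```

The same signature verifies from mirror-a and mirror-b and fails on mirror-c, which is the property a per-host certificate cannot give you; distributing and rotating the builder's public key is the part left out here.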