Please Maya and Mr Billquist, can you be more specific about how it is insecure?

To all: Is someone working on it and what is ongoing to improve this?

Thank you very much.



From: J. Lewis Muir <jlm...@imca-cat.org>
To: Johnny Billquist <b...@update.uu.se>
Subject: Re: pkgsrc binary packages security with pkgin
Date: 27/01/2020 12:08:07 Europe/Paris
Cc: m...@netbsd.org;
   yarl-bau...@mailoo.org;
   netbsd-users@netbsd.org

On 01/26, Johnny Billquist wrote:
> The code is not audited anyway, but just downloaded from various places, and
> then built.

I don't follow. What code are you saying is not audited? The source
code of each package? If so, I think that's mostly true (of course
there are exceptions where the source code has been audited), but that's
no different than other package management systems such as RHEL's or
Ubuntu's.

But this thread is about pkgsrc *binary* packages. Are you instead
talking about the distfiles downloaded in order to build the binary
packages from source? Each pkgsrc package contains a distinfo file
which contains a checksum for each distfile (or other) downloaded from
the Internet, so those can all be downloaded from anywhere without HTTPS
and still be trusted as long as the checksum matches.

> If you really want to have some actual security, and not just a false sense
> of it, https or so on is not really the answer. Anyone who thinks that just
> because https is involved, it is somehow more secure, is really fooling
> themselves.
> 
> https is most properly something to use when submitting sensitive data to a
> web server, which you do not want someone to pick up along the way.
> 
> The total craziness of moving the whole internet to https is not really
> improving any security in most situations.

It protects against man-in-the-middle attacks, so I think for
downloading binary packages it does add something significant.

> Not to mention the question of how you would solve the replication of
> repositories. All needs their own signatures. So there are a whole bunch of
> places where to get packages from. How do you know that they are all legit,
> and have the "right" binary packages even? You cannot have a single
> signature to ensure they are legit, since https ties certificates to the
> specific host.

I'm sorry, but I also don't follow this. By "repository replication" do
you mean mirroring repositories? I would say that this can be done in a
number of ways including over HTTPS or SSH.

And for binary packages, each package could be digitally signed by
whoever built it. You can trust more than one person or organization to
build packages, and if you trust whoever built it, and you can validate
the signature, then you can trust the package.

Regards,

Lewis
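As an added illustration of the distinfo check Lewis describes above (example code written for this page, not pkgsrc's own tooling or anything posted in this thread): a small verifier that parses distinfo-style lines of the form `ALGORITHM (distfile) = value` and `Size (distfile) = N bytes`, recomputes the digest over the fetched bytes, and accepts the file only when the recorded digest and size both match. The distfile contents and the distinfo text are constructed inline; the `DistfileInfo`, `parse_distinfo` and `verify_distfile` names are this example's own. The point it makes concrete is the one in the mail: the transport the distfile came over does not matter, but the distinfo file itself must come from a trusted pkgsrc tree, because a checksum only certifies the bytes against whoever wrote the checksum.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# One distinfo line looks like
#   SHA512 (foo-1.0.tar.gz) = <hex digest>
#   Size (foo-1.0.tar.gz) = 1234 bytes
DISTINFO_LINE = re.compile(r"^(\w+) \(([^)]+)\) = (\S+)(?: bytes)?$")


@dataclass
class DistfileInfo:
    digests: Dict[str, str] = field(default_factory=dict)  # algorithm -> hex digest
    size: Optional[int] = None


def parse_distinfo(text: str) -> Dict[str, DistfileInfo]:
    """Parse distinfo text into {distfile name: DistfileInfo}."""
    entries: Dict[str, DistfileInfo] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$NetBSD"):
            continue  # blank line or RCS id header
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised distinfo line: {line!r}")
        algo, name, value = m.groups()
        info = entries.setdefault(name, DistfileInfo())
        if algo == "Size":
            info.size = int(value)
        else:
            info.digests[algo.upper()] = value.lower()
    return entries


def verify_distfile(name: str, data: bytes, entries: Dict[str, DistfileInfo],
                    required=("SHA512",)) -> bool:
    """Accept `data` as distfile `name` only if size and every required digest match."""
    info = entries.get(name)
    if info is None:
        return False  # nothing recorded for this file: refuse rather than trust it
    if info.size is not None and info.size != len(data):
        return False
    for algo in required:
        expected = info.digests.get(algo)
        if expected is None:
            return False  # distinfo lacks the digest we insist on
        actual = hashlib.new(algo.lower(), data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


# Constructed sample: not a real archive, just bytes to hash.
DISTFILE_NAME = "example-1.0.tar.gz"
DISTFILE_DATA = b"constructed tarball contents, not a real archive\n"


def make_distinfo(name: str, data: bytes) -> str:
    """Build the distinfo text a packager would record for `data` (constructed)."""
    return "\n".join([
        "$NetBSD$",
        "",
        f"SHA512 ({name}) = {hashlib.sha512(data).hexdigest()}",
        f"Size ({name}) = {len(data)} bytes",
        "",
    ])


GOOD_DISTINFO = make_distinfo(DISTFILE_NAME, DISTFILE_DATA)
# Same length, different bytes: the size check passes, the digest check must not.
TAMPERED_DATA = DISTFILE_DATA.replace(b"real", b"fake")


def demo() -> Dict[str, bool]:
    entries = parse_distinfo(GOOD_DISTINFO)
    return {
        "genuine": verify_distfile(DISTFILE_NAME, DISTFILE_DATA, entries),
        "tampered": verify_distfile(DISTFILE_NAME, TAMPERED_DATA, entries),
        "unknown": verify_distfile("other-2.0.tar.gz", DISTFILE_DATA, entries),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier deliberately fails closed: a distfile with no distinfo entry, an entry missing the required digest, or a size mismatch is rejected before any hash is compared, and the digest comparison uses a constant-time check.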
