Or putting it another way...
Martin did an excellent summary of potential risks.
You seem to be all focused on point 5 of that list, which is, I think
the least likely to be a problem or a risk. That someone would tamper
with the data en route to you is the trickiest, and least likely to
succeed in the first place.
Attacking at points 1-4 is all easier and more rewarding, and they are
all left unsolved in your world.
And any attack at points 1-4 will go undetected by a check at point 5.
Johnny
On 2020-01-31 11:08, Johnny Billquist wrote:
On 2020-01-31 10:25, yarl-bau...@mailoo.org wrote:
That's exactly the answer I was waiting and hoping for. Thank you.
I'll follow tech-pkg from now on. Packages must be signed.
And with that signature, you know that what you got from the server was
not tampered with during transport to you, which is the same thing https
would give you. And which still means you have no idea if the software
is sane, proper, does what you think, or hasn't been tampered with.
Johnny
From: Martin Husemann <mar...@duskware.de>
To: Ottavio Caruso <ottavio2006-usenet2...@yahoo.com>
Subject: Re: pkgsrc binary packages security with pkgin
Date: 31/01/2020 09:51:53 Europe/Paris
Cc: netbsd-users@netbsd.org
Let me (as someone not heavily involved in pkgsrc and binary pkg
building) try to unriddle a few bits that I think get easily confused
in this context.
When it comes to 3rd party packages, you have to trust:
(1) the original source of the package ("upstream") and its release
policies.
Assuming that the released source has no bad things hidden, you then have
to trust:
(2) pkgsrc (or the committers of the pkg and all its dependencies and all
patches involved) to not do anything bad
From that point on we can help with various checks. When building a pkg
(locally or in a bulk build environment) pkgsrc verifies the distribution
file it downloaded does match the hashes recorded at (2). The result of
that build is a binary pkg, and if you did build locally, you are done
here
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: b...@softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol
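Martin's quoted message describes the distfile check that pkgsrc performs at build time (comparing the downloaded file against the hashes recorded in the tree), and Johnny's point is that this check only catches changes made after the record was written. The following is an added example, not pkgsrc's own code: a small Python verifier for a distinfo-style record. The record format is modelled on pkgsrc's distinfo lines (`SHA512 (file) = hex` and `Size (file) = N bytes`); the file name, contents and resulting digests are constructed for the demo, and the function names are this example's own.

```python
"""Verify a downloaded distfile against a distinfo-style record.

Added example, not pkgsrc's own code. The record format is modelled on
pkgsrc distinfo lines ("SHA512 (file) = hex", "Size (file) = N bytes");
the file contents, names and digests below are constructed for the demo.
"""
import hashlib
import re

# One distinfo line: ALGO (filename) = value [bytes]
LINE_RE = re.compile(r"^(\w+) \((\S+)\) = (\S+)(?: bytes)?$")


def parse_distinfo(text):
    """Return {filename: {"SHA512": hex, "Size": int, ...}} from distinfo text."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$NetBSD"):
            continue  # blank line or RCS id header
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable distinfo line: %r" % line)
        algo, fname, value = m.groups()
        entry = records.setdefault(fname, {})
        entry[algo] = int(value) if algo == "Size" else value.lower()
    return records


def verify_distfile(data, fname, records):
    """Check data against the recorded size and digests for fname.

    Returns (ok, problems). Every recorded digest must match; a missing
    record is itself a failure, since there is nothing to compare against.
    """
    entry = records.get(fname)
    if entry is None:
        return False, ["no distinfo record for %s" % fname]
    problems = []
    if "Size" in entry and len(data) != entry["Size"]:
        problems.append("size mismatch: got %d, recorded %d"
                        % (len(data), entry["Size"]))
    for algo, recorded in entry.items():
        if algo == "Size":
            continue
        try:
            h = hashlib.new(algo.lower())  # e.g. sha512, blake2s
        except ValueError:
            problems.append("unsupported digest %s" % algo)
            continue
        h.update(data)
        if h.hexdigest() != recorded:
            problems.append("%s mismatch" % algo)
    return (not problems), problems


def make_distinfo(fname, data):
    """Produce the record a committer would add at step (2) for this file."""
    return "SHA512 ({0}) = {1}\nSize ({0}) = {2} bytes\n".format(
        fname, hashlib.sha512(data).hexdigest(), len(data))


# --- constructed demo data (not a real package) ---------------------------
DISTFILE = "example-1.0.tar.gz"
UPSTREAM = b"pretend this is the upstream release tarball\n"
RECORDS = parse_distinfo(make_distinfo(DISTFILE, UPSTREAM))


def demo():
    """Run the three cases that matter for the thread's argument."""
    # Unchanged download: passes.
    intact, _ = verify_distfile(UPSTREAM, DISTFILE, RECORDS)
    # Bytes altered after the record was written (point 5): caught.
    in_transit, why = verify_distfile(UPSTREAM + b"x", DISTFILE, RECORDS)
    # File already bad when the committer hashed it (points 1-2): the
    # record matches the bad bytes, so the same check passes.
    bad_upstream = b"release with something unwanted inside\n"
    bad_records = parse_distinfo(make_distinfo(DISTFILE, bad_upstream))
    undetected, _ = verify_distfile(bad_upstream, DISTFILE, bad_records)
    return intact, in_transit, why, undetected


if __name__ == "__main__":
    print(demo())
```

Running it prints `(True, False, ['size mismatch: got 46, recorded 45', 'SHA512 mismatch'], True)`: the tampered download is rejected, while a file that was already bad when its hash was recorded verifies cleanly, which is the gap between point 5 and points 1-4 that the thread is about.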