NetBSD-Users archive


Re: pkgsrc binary packages security with pkgin



On 01/25, maya%NetBSD.org@localhost wrote:
> On Sat, Jan 25, 2020 at 01:34:34AM +0100, yarl-baudig%mailoo.org@localhost wrote:
> > May I ask how safe the use of pkgsrc binary packages is, for example using pkgin? Is libfetch doing fine with https? Any thoughts?
> > 
> > Is the authenticity and integrity of packages installed this way guaranteed, assuming no bugs in the software involved?
> 
> No.

Wow!  That's surprising.  Can you explain why?

I understand that the binary packages are not digitally signed, but if
the binary repo is served over HTTPS, as long as the repo has not been
compromised, the integrity and authenticity are guaranteed, no?

Or as the OP asked, is pkgin not actually validating the server's SSL
certificate?  That would be terrible if it's silently behaving that way.
If it can't handle HTTPS properly, it should refuse to use the URL.
Anyway, I would be very surprised if this is what's going on, so I'm
just asking to understand better.

Thank you!

Lewis
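The distinction being discussed above (HTTPS authenticates the serving host, while an unsigned package has no integrity anchor of its own) can be made concrete with a small verification script. This is an added example and is not code from the thread, from pkgin or from pkgsrc. It assumes a digest list in the format "<sha512-hex>  <package-basename>" that was obtained out of band over a separately trusted channel; the file names and package contents below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not pkgin/pkgsrc code: treat an unsigned binary package
# as untrusted until its SHA-512 digest matches one pinned out of band.
set -u

# Refuse any repository URL that is not https://. For an unsigned repo,
# a validated TLS connection is the only transport-level protection.
require_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) printf 'refusing non-HTTPS repository URL: %s\n' "$1" >&2
           return 1 ;;
    esac
}

# Print the SHA-512 hex digest of a file with whichever tool is present.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha512 "$1" | sed 's/.*= //'
    fi
}

# verify_package PKGFILE DIGESTLIST
# DIGESTLIST lines: "<sha512-hex>  <basename>" (assumed format, obtained
# out of band, not from the same HTTPS repo that served the package).
# Returns 0 only when a pinned digest exists for PKGFILE and matches.
verify_package() {
    pkg=$1
    list=$2
    name=$(basename "$pkg")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        printf 'no pinned digest for %s: refusing to install\n' "$name" >&2
        return 1
    fi
    actual=$(sha512_of "$pkg")
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s: refusing to install\n' "$name" >&2
        return 1
    fi
    return 0
}

# Demo with constructed data: a fake package and a digest list built from
# it, then a tampered copy that must be rejected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'fake package contents\n' > "$d/foo-1.0.tgz"
    printf '%s  foo-1.0.tgz\n' "$(sha512_of "$d/foo-1.0.tgz")" > "$d/SHA512"
    verify_package "$d/foo-1.0.tgz" "$d/SHA512" && echo "foo-1.0.tgz: OK"
    printf 'one extra byte' >> "$d/foo-1.0.tgz"
    verify_package "$d/foo-1.0.tgz" "$d/SHA512" || echo "tampered copy rejected"
    rm -rf "$d"
}

demo
```

The point of the pinned list is that a compromised or impersonated mirror can serve whatever bytes it likes over a perfectly valid TLS session; only a digest (or signature) that did not travel over that same channel lets the client notice.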

