NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: pkgsrc binary packages security with pkgin



On 2020-01-26 03:43, J. Lewis Muir wrote:
On 01/25, maya%NetBSD.org@localhost wrote:
On Sat, Jan 25, 2020 at 01:34:34AM +0100, yarl-baudig%mailoo.org@localhost wrote:
May I ask how is safe the use pkgsrc binary packages. For example using pkgin. Does libfetch is doing fine with https? Any thoughts?

Is the authenticity and integrity of packages installed this way is guaranteed assuming no bugs in software involved?

No.

Wow!  That's surprising.  Can you explain why?

I understand that the binary packages are not digitally signed, but if
the binary repo is served over HTTPS, as long as the repo has not been
compromised, the integrity and authenticity is guaranteed, no?

Or as the OP asked, is pkgin not actually validating the server's SSL
certificate?  That would be terrible if it's silently behaving that way.
If it can't handle HTTPS properly, it should refuse to use the URL.
Anyway, I would be very surprised if this is what's going on, so I'm
just asking to understand better.

Thank you!

The code is not audited anyway, but just downloaded from various places, and then built.

If you really want to have some actual security, and not just a false sense of it, https or so on is not really the answer. Anyone who thinks that just because https is involved, it is somehow more secure, is really fooling themselves.

https is most properly something to use when submitting sensitive data to a web server, which you do not want someone to pick up along the way.

The total craziness of moving the whole internet to https is not really improving any security in most situations.

Not to mention the question of how you would solve the replication of repositories. All needs their own signatures. So there are a whole bunch of places where to get packages from. How do you know that they are all legit, and have the "right" binary packages even? You cannot have a single signature to ensure they are legit, since https ties certificates to the specific host.

  /Me feeling very tired of the https hysteria...
  Johnny

--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt%softjar.se@localhost             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol


Home | Main Index | Thread Index | Old Index