NetBSD-Users archive


Re: pkgsrc binary packages security with pkgin



That's exactly the answer I was waiting and hoping for. Thank you.

I'll follow tech-pkg from now on. Packages must be signed.



From: Martin Husemann <martin%duskware.de@localhost>
To: Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost>
Subject: Re: pkgsrc binary packages security with pkgin
Date: 31/01/2020 09:51:53 Europe/Paris
Cc: netbsd-users%netbsd.org@localhost

Let me (as someone not heavily involved in pkgsrc and binary pkg building)
try to unriddle a few bits that I think get easily confused in this context.

When it comes to 3rd party packages, you have to trust:

(1) the original source of the package ("upstream") and its release policies.

Assuming that the released source has no bad things hidden, you then have
to trust:

(2) pkgsrc (or the committers of the pkg and all its dependencies and all
patches involved) to not do anything bad

From that point on we can help with various checks. When building a pkg
(locally or in a bulk build environment) pkgsrc verifies the distribution
file it downloaded does match the hashes recorded at (2). The result of
that build is a binary pkg, and if you did build locally, you are done here
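
The check Martin describes at step (2), the downloaded distribution file being compared against the hashes recorded in pkgsrc, as an added illustration that is not code from this thread or from pkgsrc itself. It assumes the "ALGO (filename) = value" line layout of a pkgsrc distinfo file; the function names, the sample distinfo and the stand-in tarball bytes are constructed for the example:

```python
import hashlib
import re

# Assumed distinfo line layout: "ALGO (filename) = value", with Size lines
# carrying a trailing " bytes". Constructed for this example.
DISTINFO_LINE = re.compile(
    r"^(?P<algo>\w+) \((?P<file>[^)]+)\) = (?P<value>\S+)( bytes)?$"
)

# Digest functions for the algorithms a distinfo file may record.
HASHERS = {
    "BLAKE2s": lambda data: hashlib.blake2s(data).hexdigest(),
    "SHA512": lambda data: hashlib.sha512(data).hexdigest(),
    "SHA1": lambda data: hashlib.sha1(data).hexdigest(),
    "Size": lambda data: str(len(data)),
}


def parse_distinfo(text):
    """Map each recorded filename to its {algorithm: expected value} entries."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$NetBSD"):  # blank or RCS id line
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised distinfo line: {line!r}")
        records.setdefault(m["file"], {})[m["algo"]] = m["value"]
    return records


def verify_distfile(name, data, records):
    """Return a list of (algo, expected, actual) mismatches; [] means the file
    matches every recorded value. A file with no record at all is a failure too,
    reported as ("missing", None, None), so an unrecorded download never passes."""
    expected = records.get(name)
    if not expected:
        return [("missing", None, None)]
    mismatches = []
    for algo, want in expected.items():
        hasher = HASHERS.get(algo)
        if hasher is None:
            mismatches.append((algo, want, "unsupported algorithm"))
            continue
        got = hasher(data)
        if got != want:
            mismatches.append((algo, want, got))
    return mismatches


# Constructed sample: a stand-in "tarball" and a distinfo recording its digests.
DISTFILE_NAME = "example-1.0.tar.gz"
GOOD_DISTFILE = b"constructed stand-in for a release tarball\n" * 64
SAMPLE_DISTINFO = "\n".join([
    "$NetBSD$",
    "",
    f"BLAKE2s ({DISTFILE_NAME}) = {hashlib.blake2s(GOOD_DISTFILE).hexdigest()}",
    f"SHA512 ({DISTFILE_NAME}) = {hashlib.sha512(GOOD_DISTFILE).hexdigest()}",
    f"Size ({DISTFILE_NAME}) = {len(GOOD_DISTFILE)} bytes",
])
# Same length as the good file, one byte changed: Size still matches, digests do not.
TAMPERED_DISTFILE = GOOD_DISTFILE[:-1] + b"!"


def check(data, name=DISTFILE_NAME):
    """Verify `data` as the distfile `name` against the constructed distinfo."""
    return verify_distfile(name, data, parse_distinfo(SAMPLE_DISTINFO))


if __name__ == "__main__":
    print("good file:", check(GOOD_DISTFILE) or "OK")
    print("tampered file:", [m[0] for m in check(TAMPERED_DISTFILE)])
```

The tampered case keeps the recorded Size, which is why a size check on its own proves nothing; only the digests catch the altered byte. Both checks rely on the distinfo being trustworthy, which is exactly the trust in (2) that the message describes.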

