NetBSD-Users archive


Re: pkgsrc binary packages security with pkgin



On 2020-01-31 10:25, yarl-baudig%mailoo.org@localhost wrote:
That's exactly the answer I was waiting and hoping for. Thank you.

I'll follow tech-pkg from now on. Packages must be signed.

And with that signature, you know that what you got from the server was not tampered with during transport to you, which is the same thing https would give you. And which still means you have no idea if the software is sane, proper, does what you think, or hasn't been tampered with.

  Johnny




From: Martin Husemann <martin%duskware.de@localhost>
To: Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost>
Subject: Re: pkgsrc binary packages security with pkgin
Date: 31/01/2020 09:51:53 Europe/Paris
Cc: netbsd-users%netbsd.org@localhost

Let me (as someone not heavily involved in pkgsrc and binary pkg building)
try to unriddle a few bits that I think get easily confused in this context.

When it comes to 3rd party packages, you have to trust:

(1) the original source of the package ("upstream") and its release policies.

Assuming that the released source has no bad things hidden, you then have
to trust:

(2) pkgsrc (or the committers of the pkg and all its dependencies and all
patches involved) to not do anything bad

From that point on we can help with various checks. When building a pkg
(locally or in a bulk build environment) pkgsrc verifies the distribution
file it downloaded does match the hashes recorded at (2). The result of
that build is a binary pkg, and if you did build locally, you are done here



--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt%softjar.se@localhost             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol
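The distfile check Martin describes (the downloaded file must match the hashes recorded by the committers at trust point (2)) as an added example, not pkgsrc's own code: a small Python verifier that records and then checks SHA512 and size entries in the style of a pkgsrc distinfo file. The sample tarball bytes are constructed, the line format is an approximation of distinfo, and a missing record is treated as a failure rather than a pass.

```python
import hashlib
import re

# Matches lines like "SHA512 (foo-1.0.tar.gz) = <hex>" and "Size (foo-1.0.tar.gz) = 28 bytes"
DISTINFO_LINE = re.compile(r"^(\w+) \(([^)]+)\) = (.+?)( bytes)?$")


def record_distinfo(name: str, data: bytes) -> str:
    """Committer side (trust point 2): record hash and size of a distfile."""
    digest = hashlib.sha512(data).hexdigest()
    return f"SHA512 ({name}) = {digest}\nSize ({name}) = {len(data)} bytes\n"


def parse_distinfo(text: str) -> dict:
    """Map (algorithm, filename) -> recorded value; unknown lines are ignored."""
    records = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            algo, fname, value, _ = m.groups()
            records[(algo, fname)] = value
    return records


def verify_distfile(name: str, data: bytes, distinfo: str) -> tuple[bool, str]:
    """Build side: accept the downloaded file only if every recorded check matches."""
    records = parse_distinfo(distinfo)
    size = records.get(("Size", name))
    digest = records.get(("SHA512", name))
    if size is None or digest is None:
        # No record means nothing to verify against: reject, do not assume it is fine.
        return False, f"no distinfo record for {name}"
    if int(size) != len(data):
        return False, f"size mismatch: expected {size}, got {len(data)}"
    actual = hashlib.sha512(data).hexdigest()
    if actual != digest:
        return False, "SHA512 mismatch: distfile differs from recorded hash"
    return True, "ok"


# Constructed sample distfile standing in for a real upstream tarball.
NAME = "example-1.0.tar.gz"
UPSTREAM = b"example-1.0 release tarball\n"
DISTINFO = record_distinfo(NAME, UPSTREAM)

if __name__ == "__main__":
    print(verify_distfile(NAME, UPSTREAM, DISTINFO))
    tampered = UPSTREAM.replace(b"release", b"rel3ase")  # same size, different bytes
    print(verify_distfile(NAME, tampered, DISTINFO))
    print(verify_distfile("other-2.0.tar.gz", UPSTREAM, DISTINFO))
```

As Johnny notes, a matching hash only tells you the bytes are the ones the committer recorded; it says nothing about whether upstream's release itself is sound.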

