NetBSD-Users archive


Re: pkgsrc binary packages security with pkgin



On 31/01/2020 12:05, Leonardo Taccari wrote:
> Ottavio Caruso writes:
> [...]
>> I believe there's an internal pkgsrc security mailing list to which
>> users have no access (I could be wrong), so I don't really know how this
>> auditing really works.
>
> One can always "pkg_admin fetch-pkg-vulnerabilities && pkg_admin audit".
> [...]
>
> pkgsrc-security@ is a team; usually there isn't much traffic on it, and
> the most private information that is handled there lives in an internal RT
> ticket system used to track tickets that then end up in the pkg-vulnerabilities
> file.
>
> However, this is mostly unrelated to signing binary packages (we manually
> sign the pkg-vulnerabilities file, but that's unrelated).


Leo & al.,

The original questions were [sic]:

1) "is safe the use pkgsrc binary packages. For example using pkgin?"

2) "Is the authenticity and integrity of packages installed this way is guaranteed assuming no bugs in software involved?"

3) "Is it safer to compile by yourself?"

I have interpreted "binary packages safety" as something intrinsic to the potential vulnerability of the third-party software itself, as opposed to package integrity checking with digital signatures, checksums, etc., at least as far as questions 1 and 3 are concerned.

It seems to me that one can sign a package all they want; if there is a vulnerability in the code itself, this won't go away by having it digitally signed.

(I'm not having a go at anybody. I'm just trying to understand what it is all about.)


--
Ottavio Caruso
