NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: pkgsrc binary packages security with pkgin
On 2020-01-31 20:36, Manuel Bouyer wrote:
[---]
>> *Assuming you can trust the build environment (which includes the
>> signing process)*, and assuming that you can trust the underlying crypto:
>>
>> - HTTPS protects the connection between you and the server (assuming
>> server authentication, and not just encryption). So if you trust the
>> remote server, your client, and the HTTPS implementation, then HTTPS is
>> sufficient for the entire chain.
>
> Not really; for this to be true you have to trust the build process, the way
> the binary package is uploaded to the http server and the http server itself.
I should have make clear that in that particular context "trust the
remote server" meant to encompass the entire build process and storage.
> With signed binary pkg you only need to trust the build process.
(And the tools you use to verify and install the package, but this is
implied).
Yes, this was the core point I was trying to convey.
--
Kind Regards,
Jan
Home |
Main Index |
Thread Index |
Old Index