Date: Tue, 15 Jan 2013 10:33:55 +0100 From: n j <nino80@gmail.com> To: User Questions <freebsd-questions@freebsd.org> Subject: Re: pkgng package repository tracking security updates Message-ID: <CALf6cgbhn%2BOveD8in4SkMbcJ6SBFSxB7J1kM5_oqbOVSArJFRw@mail.gmail.com> In-Reply-To: <50F51DC7.4030300@freebsd.org> References: <CALf6cgYY0LYnUb_Yo3XZZ=-tsXoyJ=GUic8KtdcoaVWMF8XUqQ@mail.gmail.com> <50F403C6.1030705@gmail.com> <50F4130A.5050105@freebsd.org> <CALf6cgai%2BcGs_g1ekh_tdXt_7bDT4ETyEB_iAJqst-nz-srHvg@mail.gmail.com> <50F4197E.8050003@infracaninophile.co.uk> <CALf6cgbf3Vn2TBVx8FhvyjZhBBqA4Q55kTQTZywtCC0uxzuWoA@mail.gmail.com> <50F51DC7.4030300@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jan 15, 2013 at 10:13 AM, Matthew Seaman <matthew@freebsd.org>wrote: > On 14/01/2013 22:44, n j wrote: > > One thing to think about would be the option of port maintainers > uploading > > the pre-compiled package of the updated port (or if the size of the > upload > > is an issue then just the hash signature of the valid package archive so > > other people with more bandwidth can upload it) to help the package > > building cluster (at least for mainstream architectures). The idea behind > > it being that the port maintainer has to compile the port anyway and pkg > > create is not a big overhead. The result would be a sort of distributed > > package building solution. > > > Sorry. Distributed package building like this is never going to be > acceptable. Too much scope for anyone to introduce trojans into > packages. Building packages securely is a very big deal, and as recent > events have shown, you can't take any chances. > > Cheers, > > Matthew > I'd trust this system as far as I trust port maintainers right now. I understand that a port maintainer can submit arbitrary MASTER_SITES in a port Makefile which allows the maintainer to inject malware as they wish. If I trust the port maintainer to make me download and build something coming from e.g. http://samm.kiev.ua or http://danger.rulez.sk (just random picks, no offense intended), then I'd trust that maintainer to upload the package for me or submit a SHA256 hash that the correct package must have. So if somebody else were to build the package, the server would accept the upload only if it matches the hash. Am I overlooking something? Is there some kind of port verification by someone from the team prior to accepting the port submission? -- Nino
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALf6cgbhn%2BOveD8in4SkMbcJ6SBFSxB7J1kM5_oqbOVSArJFRw>