Date: Tue, 6 May 2025 17:03:57 +0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Matthew Seaman <matthew@freebsd.org>
Cc: freebsd-pkgbase@freebsd.org
Subject: Re: CFT: pkgbase support in 15.0
Message-ID: <fmhjk3f7friennoqivsybyh5uwz6ueeql3a3fhqeqdlptttz2s@zazexqwjfnox>
In-Reply-To: <300e71f8-4a35-4496-8bf3-9d947f90990a@FreeBSD.org>
References: <86a57t3cfu.fsf@asn.ftfl.ca> <CAKAYmMLu9HUbqNgoe=Qj9RSarWSBsm5pBqD1TqtDm3abcwZ3=A@mail.gmail.com> <300e71f8-4a35-4496-8bf3-9d947f90990a@FreeBSD.org>
On Tue, May 06, 2025 at 09:07:36AM +0100, Matthew Seaman wrote:
> On 05/05/2025 21:58, Chuck Tuffli wrote:
> > One aspect of running pkg-base I've found tricky is figuring out which
> > package provides a missing binary, library, or man page. The port
> > pkg-provides answers this type of question for ports, but (seemingly)
> > not for pkg-base (unless I'm being dumb?). Are there plans to add this
> > type of support? Alternatively, if I'm being dumb, can someone point
> > me at some docs? TIA
>
> There's provision in `pkg repo` (see: pkg-repo(8)) to generate a
> `filesite.txz` file as repository metadata, which lists all of the files,
> their checksums and various other per-file metadata for all of the files in
> all of the packages in the repository.
>
> This isn't normally generated for the repositories provided by the project
> due to limitations on available space and bandwidth.
>
> I've had the notion kicking around in my head for a while that having a
> database of all of the checksums of all of the files ever packaged and
> provided by the project, with cryptographic signatures proving the
> authenticity and provenance of those data, would be a pretty awesome
> resource. Basically tripwire(8) built into pkg(8). However, it would
> require someone with pretty deep pockets to fund the necessary
> infrastructure.

Over the past few years, I've had this simmering in the back of my head as well. I think one approach could be to use filesystem extended attributes. If you store the hash of the file (perhaps an encrypted/signed hash?) in an extended attribute, then a MAC module could verify that upon calls to open(2).

libarchive/bsdtar already supports filesystem extended attributes for the tar archive format. The only thing FreeBSD would need to do is integrate that support in pkg. HardenedBSD's version of pkg already supports that, so perhaps that could be adopted by FreeBSD.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
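The two ideas in the exchange above, a signed per-file checksum database (Matthew's "tripwire(8) built into pkg(8)") and a per-file hash recorded in an extended attribute (Shawn's proposal), as an added, self-contained example. This is constructed illustration code, not pkg(8), HardenedBSD's pkg, or any FreeBSD MAC module: it records SHA-256 digests for a tree of files into a manifest, authenticates the manifest with HMAC-SHA256 (a symmetric stand-in for the asymmetric repository signature a real deployment would use; the key is a constructed demo value), best-effort stores each digest in a `user.sha256` extended attribute where the platform's `os.setxattr` exists (a constructed attribute name; FreeBSD's extattr(2) namespaces differ and are not used here), and then reports per-file status after a file is altered and another removed. The verification step checks the manifest signature before trusting any hash, which is the property that distinguishes a signed database from a bare checksum list.

```python
"""Signed file-integrity manifest with optional xattr-stored digests.

Constructed example for illustration; not pkg(8) or HardenedBSD code.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed attribute name. FreeBSD's extattr(2) uses separate namespaces
# and a different API; Python's os.setxattr is Linux-only, so it is guarded.
XATTR_NAME = b"user.sha256"


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large payloads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def store_xattr_hash(path, hexdigest):
    """Record the digest in an extended attribute where supported.

    Returns False when xattrs are unavailable so callers can rely on the
    signed manifest alone instead of failing outright.
    """
    try:
        os.setxattr(path, XATTR_NAME, hexdigest.encode())
        return True
    except (AttributeError, OSError):
        return False


def build_manifest(root, rel_paths):
    """Map each packaged file (relative path) to its SHA-256 hex digest."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in sorted(rel_paths)}


def canonical(manifest):
    """Deterministic encoding so the same manifest always signs identically."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest (stand-in for a real signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def check_tree(root, manifest, signature, key):
    """Verify the manifest signature first, then every listed file.

    Returns {relative_path: "ok" | "modified" | "missing"}.
    """
    if not verify_manifest(manifest, signature, key):
        raise ValueError("manifest signature invalid: refusing to trust its hashes")
    status = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "missing"
        elif sha256_file(path) != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def demo():
    """Build a small constructed tree, sign it, alter it, and re-check it."""
    key = b"constructed-demo-key"  # demo value only
    files = {  # constructed sample payloads standing in for packaged files
        "bin/tool": b"#!/bin/sh\necho ok\n",
        "lib/libdemo.so": b"\x7fELF-demo-bytes",
        "share/man/tool.1": b".TH TOOL 1\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root, files)
        signature = sign_manifest(manifest, key)
        xattr_stored = all(
            store_xattr_hash(os.path.join(root, rel), hexdigest)
            for rel, hexdigest in manifest.items()
        )

        # Simulate post-install drift: one file altered, one removed.
        with open(os.path.join(root, "lib/libdemo.so"), "ab") as fh:
            fh.write(b"-altered")
        os.remove(os.path.join(root, "share/man/tool.1"))
        status = check_tree(root, manifest, signature, key)

        # A manifest edited to match the altered file must fail the signature check.
        edited = dict(manifest)
        edited["lib/libdemo.so"] = sha256_file(os.path.join(root, "lib/libdemo.so"))
        try:
            check_tree(root, edited, signature, key)
            edited_rejected = False
        except ValueError:
            edited_rejected = True
    return {"status": status, "edited_rejected": edited_rejected, "xattr_stored": xattr_stored}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`xattr_stored` reports whether the extended-attribute write succeeded on the running platform; the integrity verdict itself never depends on it, because an attribute that lives beside the file is only as trustworthy as the signed record it is checked against, which is why the MAC-module idea in the thread pairs the xattr with a signed or encrypted hash.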
