Date: Tue, 6 May 2025 17:03:57 +0000
From: Shawn Webb
To: Matthew Seaman
Cc: freebsd-pkgbase@freebsd.org
Subject: Re: CFT: pkgbase support in 15.0
In-Reply-To: <300e71f8-4a35-4496-8bf3-9d947f90990a@FreeBSD.org>
References: <86a57t3cfu.fsf@asn.ftfl.ca> <300e71f8-4a35-4496-8bf3-9d947f90990a@FreeBSD.org>
List-Id: Packaging the FreeBSD base system
List-Archive: https://lists.freebsd.org/archives/freebsd-pkgbase
X-Operating-System: FreeBSD mutt-hbsd 14.2-STABLE-HBSD FreeBSD 14.2-STABLE-HBSD HARDENEDBSD-14-STABLE amd64
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

On Tue, May 06, 2025 at 09:07:36AM +0100, Matthew Seaman wrote:
> On 05/05/2025 21:58, Chuck Tuffli wrote:
> > One aspect of running pkg-base I've found tricky is figuring out which
> > package provides a missing binary, library, or man page. The port
> > pkg-provides answers this type of question for ports, but (seemingly)
> > not for pkg-base (unless I'm being dumb?). Are there plans to add this
> > type of support? Alternatively, if I'm being dumb, can someone point
> > me at some docs? TIA
>
> There's provision in `pkg repo` (see: pkg-repo(8)) to generate a
> `filesite.txz` file as repository metadata, which lists all of the files,
> their checksums and various other per-file metadata for all of the files in
> all of the packages in the repository.
>
> This isn't normally generated for the repositories provided by the project
> due to limitations on available space and bandwidth.
>
> I've had the notion kicking around in my head for a while that having a
> database of all of the checksums of all of the files ever packaged and
> provided by the project, with cryptographic signatures proving the
> authenticity and provenance of those data, would be a pretty awesome
> resource. Basically tripwire(8) built into pkg(8). However, it would
> require someone with pretty deep pockets to fund the necessary
> infrastructure.

Over the past few years, I've had this simmering in the back of my head
as well. I think one approach could be to use filesystem extended
attributes. If you store the hash of the file (perhaps an
encrypted/signed hash?) in an extended attribute, then a MAC module
could verify that upon calls to open(2).

libarchive/bsdtar already supports filesystem extended attributes for
the tar archive format. The only thing FreeBSD would need to do is
integrate that support in pkg. HardenedBSD's version of pkg already
supports that, so perhaps that could be adopted by FreeBSD.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
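The scheme sketched in the reply above, as an added model in Python that is not HardenedBSD's pkg or any FreeBSD code: a per-file hash plus an authenticator is stored in an extended attribute when the file is installed, and the check a MAC hook at open(2) would make distinguishes an unlabelled file, a forged label and modified contents. The attribute name, the record layout and the HMAC key standing in for a builder signature are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration, not HardenedBSD's or FreeBSD's pkg code. The attribute
# name, the record layout and the HMAC key are assumptions; a real deployment
# would carry a public-key signature made by the package builder instead.
ATTR_NAME = "user.pkg.sha256"
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def make_record(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Attribute value: hex(sha256(data)) + ':' + hex(hmac_sha256(key, digest))."""
    digest = hashlib.sha256(data).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return f"{digest}:{tag}".encode()

def verify_record(data: bytes, record: Optional[bytes], key: bytes = DEMO_KEY) -> str:
    """Decision a MAC hook at open(2) would make for the given file contents
    and stored attribute: 'ok', 'unlabelled', 'bad-signature' or 'modified'."""
    if record is None:
        return "unlabelled"          # no attribute: file never came from a package
    try:
        digest, tag = record.decode().split(":", 1)
    except ValueError:
        return "bad-signature"       # malformed attribute
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "bad-signature"       # attribute rewritten without the key
    if hashlib.sha256(data).hexdigest() != digest:
        return "modified"            # contents changed after labelling
    return "ok"

def label_file(path: str, key: bytes = DEMO_KEY) -> bytes:
    """Label a file on disk. os.setxattr is Linux-only; on FreeBSD pkg would
    call extattr_set_file(2) while extracting the package."""
    with open(path, "rb") as f:
        record = make_record(f.read(), key)
    os.setxattr(path, ATTR_NAME, record)
    return record

def check_file(path: str, key: bytes = DEMO_KEY) -> str:
    """Re-verify a labelled file, as the open(2) hook would."""
    try:
        record = os.getxattr(path, ATTR_NAME)
    except OSError:
        record = None
    with open(path, "rb") as f:
        return verify_record(f.read(), record, key)
```

The attribute travels with the file, so a package format that preserves extended attributes (as the reply notes libarchive's tar support does) can ship the labels rather than recomputing them on the target host.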