Date: Tue, 06 May 2025 21:00:48 +0000
From: "Jesús Daniel Colmenares Oviedo" <dtxdf@disroot.org>
To: "Shawn Webb" <shawn.webb@hardenedbsd.org>, "Matthew Seaman" <matthew@freebsd.org>
Cc: freebsd-pkgbase@freebsd.org
Subject: Re: CFT: pkgbase support in 15.0
Message-ID: <81aa517f99b99b424049417a90b67d4d645c135f@disroot.org>
In-Reply-To: <fmhjk3f7friennoqivsybyh5uwz6ueeql3a3fhqeqdlptttz2s@zazexqwjfnox>
References: <86a57t3cfu.fsf@asn.ftfl.ca> <CAKAYmMLu9HUbqNgoe=Qj9RSarWSBsm5pBqD1TqtDm3abcwZ3=A@mail.gmail.com> <300e71f8-4a35-4496-8bf3-9d947f90990a@FreeBSD.org> <fmhjk3f7friennoqivsybyh5uwz6ueeql3a3fhqeqdlptttz2s@zazexqwjfnox>
Not tested yet, but there is an open issue in the pkg-provides(8) repository related to this thread:

https://github.com/rosorio/pkg-provides/issues/7#issuecomment-1759876029

On 6 May 2025, 17:03, "Shawn Webb" <shawn.webb@hardenedbsd.org> wrote:

> On Tue, May 06, 2025 at 09:07:36AM +0100, Matthew Seaman wrote:
> > On 05/05/2025 21:58, Chuck Tuffli wrote:
> > One aspect of running pkg-base I've found tricky is figuring out which
> > package provides a missing binary, library, or man page. The port
> > pkg-provides answers this type of question for ports, but (seemingly)
> > not for pkg-base (unless I'm being dumb?). Are there plans to add this
> > type of support? Alternatively, if I'm being dumb, can someone point
> > me at some docs? TIA
> >
> > There's provision in `pkg repo` (see: pkg-repo(8)) to generate a
> > `filesite.txz` file as repository metadata, which lists all of the files,
> > their checksums and various other per-file metadata for all of the files in
> > all of the packages in the repository.
> >
> > This isn't normally generated for the repositories provided by the project
> > due to limitations on available space and bandwidth.
> >
> > I've had the notion kicking around in my head for a while that having a
> > database of all of the checksums of all of the files ever packaged and
> > provided by the project, with cryptographic signatures proving the
> > authenticity and provenance of those data, would be a pretty awesome
> > resource. Basically tripwire(8) built into pkg(8). However, it would
> > require someone with pretty deep pockets to fund the necessary
> > infrastructure.
>
> Over the past few years, I've had this simmering in the back of my
> head as well. I think one approach could be to use filesystem extended
> attributes. If you store the hash of the file (perhaps an
> encrypted/signed hash?) in an extended attribute, then a MAC module
> could verify that upon calls to open(2).
>
> libarchive/bsdtar already supports filesystem extended attributes for
> the tar archive format. The only thing FreeBSD would need to do is
> integrate that support in pkg. HardenedBSD's version of pkg already
> supports that, so perhaps that could be adopted by FreeBSD.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Signal Username: shawn_webb.74
> Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
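Added example, not from any poster on this thread and not pkg's own code: a small Python model of the filesite-style per-file checksum index Matthew describes. The same index answers the pkg-provides-style question Chuck asked (which package installs a given path) and drives the tripwire-like check of an installed tree against recorded checksums. The record layout, the package names and the file contents are constructed assumptions; pkg's real filesite.txz format and its repository signature are not reproduced, and the extended-attribute/MAC variant Shawn describes is not modelled.

```python
"""Constructed model of a per-file checksum index for pkg-base (assumed layout)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Assumed shape: path -> (owning package, sha256 hex digest).
FileIndex = Dict[str, Tuple[str, str]]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so large binaries are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_file_index(records: List[dict]) -> FileIndex:
    """Invert per-package records into a path -> (package, digest) map.

    A path claimed by two different packages is rejected: in a usable
    index every installed file has exactly one owner, so a collision
    means the repository metadata itself is inconsistent.
    """
    index: FileIndex = {}
    for rec in records:
        for path, digest in rec["files"].items():
            if path in index and index[path][0] != rec["name"]:
                raise ValueError(f"{path} claimed by {index[path][0]} and {rec['name']}")
            index[path] = (rec["name"], digest)
    return index


def which_package(index: FileIndex, path: str) -> Optional[str]:
    """pkg-provides-style query: which package installs this path?"""
    entry = index.get(path)
    return entry[0] if entry else None


def verify_installed(index: FileIndex, root: str) -> Dict[str, List[str]]:
    """tripwire-style pass: compare every indexed path under `root` to its digest."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for path, (_pkg, expected) in sorted(index.items()):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            report["missing"].append(path)
        elif sha256_file(full) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo() -> dict:
    """Build a fake root from constructed package contents, index it,
    then alter one file and delete another to show what the check reports."""
    contents = {  # constructed package contents, not real FreeBSD files
        "FreeBSD-runtime": {
            "/bin/sh": b"#!/bin/sh\n# constructed shell\n",
            "/lib/libc.so.7": b"\x7fELF constructed libc\n",
        },
        "FreeBSD-utilities": {"/usr/bin/ldd": b"#!/bin/sh\n# constructed ldd\n"},
    }
    # The repository side: digests are recorded at package build time.
    records = [{"name": name, "files": {p: sha256_bytes(d) for p, d in files.items()}}
               for name, files in contents.items()]
    index = build_file_index(records)
    with tempfile.TemporaryDirectory() as root:
        for files in contents.values():
            for path, data in files.items():
                full = os.path.join(root, path.lstrip("/"))
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "wb") as f:
                    f.write(data)
        # Post-install drift: one file changed in place, one file removed.
        with open(os.path.join(root, "bin/sh"), "ab") as f:
            f.write(b"# modified after install\n")
        os.remove(os.path.join(root, "usr/bin/ldd"))
        return {
            "provider_of_libc": which_package(index, "/lib/libc.so.7"),
            "provider_of_unknown": which_package(index, "/usr/bin/nonexistent"),
            "report": verify_installed(index, root),
        }


if __name__ == "__main__":
    print(demo())
```

The index here is trusted as given; in the setting Matthew describes the whole index would be signed as repository metadata and the signature checked before any lookup, otherwise a modified index simply vouches for modified files.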
