Re: CFT: pkgbase support in 15.0
- Reply: Jesús Daniel Colmenares Oviedo: "Re: CFT: pkgbase support in 15.0"
- In reply to: Matthew Seaman : "Re: CFT: pkgbase support in 15.0"
Date: Tue, 06 May 2025 17:03:57 UTC
On Tue, May 06, 2025 at 09:07:36AM +0100, Matthew Seaman wrote:
> On 05/05/2025 21:58, Chuck Tuffli wrote:
> > One aspect of running pkg-base I've found tricky is figuring out which
> > package provides a missing binary, library, or man page. The port
> > pkg-provides answers this type of question for ports, but (seemingly)
> > not for pkg-base (unless I'm being dumb?). Are there plans to add this
> > type of support? Alternatively, if I'm being dumb, can someone point
> > me at some docs? TIA
>
> There's provision in `pkg repo` (see: pkg-repo(8)) to generate a
> `filesite.txz` file as repository metadata, which lists all of the files,
> their checksums and various other per-file metadata for all of the files in
> all of the packages in the repository.
>
> This isn't normally generated for the repositories provided by the project
> due to limitations on available space and bandwidth.
>
> I've had the notion kicking around in my head for a while that having a
> database of all of the checksums of all of the files ever packaged and
> provided by the project, with cryptographic signatures proving the
> authenticity and provenance of those data, would be a pretty awesome
> resource. Basically tripwire(8) built into pkg(8). However, it would
> require someone with pretty deep pockets to fund the necessary
> infrastructure.

Over the past few years, I've had this simmering in the back of my
head as well. I think one approach could be to use filesystem extended
attributes. If you store the hash of the file (perhaps an
encrypted/signed hash?) in an extended attribute, then a MAC module
could verify that upon calls to open(2).

libarchive/bsdtar already supports filesystem extended attributes for
the tar archive format. The only thing FreeBSD would need to do is
integrate that support in pkg. HardenedBSD's version of pkg already
supports that, so perhaps that could be adopted by FreeBSD.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
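
Editor's added example, not part of the message above and not code from pkg, FreeBSD or HardenedBSD: a userland model of a hash kept in an extended attribute and checked at open time, showing why the stored hash needs to be authenticated (a bare hash can be rewritten by whoever modifies the file). The attribute name and function names are hypothetical, and HMAC with a shared key stands in for the asymmetric signature a real design would use.

```python
import hashlib
import hmac
import os

ATTR = "user.integrity.sha256"  # hypothetical attribute name (assumption)


def sha256_file(f):
    """Hex SHA-256 of an open binary file; leaves the offset at 0."""
    f.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(65536), b""):
        h.update(chunk)
    f.seek(0)
    return h.hexdigest()


def seal(digest, key):
    """Attribute value '<digest>:<tag>'. HMAC stands in for a real signature."""
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return f"{digest}:{tag}".encode()


def check(attr_value, digest, key):
    """'ok', 'mismatch' (file changed) or 'bad-tag' (attribute not authentic)."""
    try:
        stored, tag = attr_value.decode("ascii").split(":")
    except ValueError:  # also covers UnicodeDecodeError
        return "bad-tag"
    expected = hmac.new(key, stored.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "bad-tag"
    return "ok" if hmac.compare_digest(stored, digest) else "mismatch"


def install(path, key):
    """Package-manager side: label the file at extraction time."""
    with open(path, "rb") as f:
        value = seal(sha256_file(f), key)
    # os.setxattr is Linux-only in Python; FreeBSD uses extattr_set_file(2).
    os.setxattr(path, ATTR, value)


def verified_open(path, key):
    """Userland stand-in for the check a MAC module would make on open(2)."""
    f = open(path, "rb")
    try:
        status = check(os.getxattr(f.fileno(), ATTR), sha256_file(f), key)
    except OSError:
        status = "bad-tag"  # attribute missing or unreadable: fail closed
    if status != "ok":
        f.close()
        raise PermissionError(f"{path}: integrity check failed ({status})")
    return f  # the descriptor that was hashed, so no check-then-reopen race
```

The tag covers only the content hash, so it does not bind a file to its path: a different file carrying its own valid attribute would still pass at any location.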