pkgng package repository tracking security updates

n j nino80 at gmail.com
Tue Jan 15 09:34:22 UTC 2013


On Tue, Jan 15, 2013 at 10:13 AM, Matthew Seaman <matthew at freebsd.org> wrote:

> On 14/01/2013 22:44, n j wrote:
> > One thing to think about would be the option of port maintainers
> > uploading the pre-compiled package of the updated port (or if the size
> > of the upload is an issue then just the hash signature of the valid
> > package archive so other people with more bandwidth can upload it) to
> > help the package building cluster (at least for mainstream
> > architectures). The idea behind it being that the port maintainer has
> > to compile the port anyway and pkg create is not a big overhead. The
> > result would be a sort of distributed package building solution.
>
>
> Sorry.  Distributed package building like this is never going to be
> acceptable.  Too much scope for anyone to introduce trojans into
> packages.  Building packages securely is a very big deal, and as recent
> events have shown, you can't take any chances.
>
>         Cheers,
>
>         Matthew
>

I'd trust this system as far as I trust port maintainers right now. I
understand that a port maintainer can submit arbitrary MASTER_SITES in a
port Makefile which allows the maintainer to inject malware as they wish.
If I trust the port maintainer to make me download and build something
coming from e.g. http://samm.kiev.ua or http://danger.rulez.sk (just random
picks, no offense intended), then I'd trust that maintainer to upload the
package for me or submit a SHA256 hash that the correct package must have.
So if somebody else were to build the package, the server would accept the
upload only if it matches the hash.

Am I overlooking something? Is there some kind of port verification by
someone from the team prior to accepting the port submission?

-- 
Nino
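The hash-gated upload described in the post above (maintainer submits a SHA256, the server accepts a third party's upload only if the archive matches it), as an added example that is not part of the original thread or of pkgng itself. The package name, archive bytes, and the function names `maintainer_submit` and `server_accept_upload` are constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical in-memory registry: package archive name -> SHA256 hex digest
# submitted by the port maintainer. In a real service this would be persisted
# and the submission itself authenticated (e.g. a signed commit or message).


def sha256_hex(data: bytes) -> str:
    """SHA256 of an archive's bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def maintainer_submit(registry: dict, pkg_name: str, archive: bytes) -> str:
    """Maintainer side: hash the archive built locally and register the digest.

    Only the digest needs to travel; the archive itself can be uploaded later
    by anyone with more bandwidth.
    """
    digest = sha256_hex(archive)
    registry[pkg_name] = digest
    return digest


def server_accept_upload(registry: dict, pkg_name: str, archive: bytes):
    """Server side: accept an uploaded archive only if it hashes to the
    digest the maintainer registered. Returns (accepted, reason)."""
    expected = registry.get(pkg_name)
    if expected is None:
        # Nothing registered: refuse rather than trust an unannounced upload.
        return False, "no hash registered for %s; refusing upload" % pkg_name
    actual = sha256_hex(archive)
    # compare_digest avoids timing leaks when comparing fixed-length digests.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch for %s: expected %s, got %s" % (
            pkg_name, expected, actual)
    return True, "accepted %s (%s)" % (pkg_name, actual)


if __name__ == "__main__":
    registry = {}
    # Constructed sample archive contents; stand-ins for a real .txz file.
    maintainer_build = b"contents of the archive the maintainer built"
    maintainer_submit(registry, "example-1.0.txz", maintainer_build)

    # A third party uploads an identical build: accepted.
    print(server_accept_upload(registry, "example-1.0.txz", maintainer_build))
    # A differing build (one byte changed): rejected.
    print(server_accept_upload(registry, "example-1.0.txz", maintainer_build + b"x"))
    # A package nobody registered a hash for: rejected.
    print(server_accept_upload(registry, "unknown-2.0.txz", maintainer_build))
```

Note what this check does and does not cover: it binds the archive stored on the server to whatever the maintainer built, so a rebuilder or uploader cannot substitute a different archive, but it says nothing about the maintainer's own build environment, which is the point of contention in the reply quoted above.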

