pkgng package repository tracking security updates

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Tue Jan 15 18:14:46 UTC 2013


n j <nino80 at gmail.com> writes:

> On Tue, Jan 15, 2013 at 10:13 AM, Matthew Seaman <matthew at freebsd.org> wrote:
>
>> On 14/01/2013 22:44, n j wrote:
>> > One thing to think about would be the option of port maintainers
>> > uploading the pre-compiled package of the updated port (or if the size
>> > of the upload is an issue then just the hash signature of the valid
>> > package archive so other people with more bandwidth can upload it) to
>> > help the package building cluster (at least for mainstream
>> > architectures). The idea behind it being that the port maintainer has
>> > to compile the port anyway and pkg create is not a big overhead. The
>> > result would be a sort of distributed package building solution.
>>
>>
>> Sorry.  Distributed package building like this is never going to be
>> acceptable.  Too much scope for anyone to introduce trojans into
>> packages.  Building packages securely is a very big deal, and as recent
>> events have shown, you can't take any chances.
>>
>>         Cheers,
>>
>>         Matthew
>>
>
> I'd trust this system as far as I trust port maintainers right now.

Well, almost. It would have to be cryptographically validated, which
would be a bit of work to get right.

> I understand that a port maintainer can submit arbitrary MASTER_SITES in a
> port Makefile which allows the maintainer to inject malware as they wish.
> If I trust the port maintainer to make me download and build something
> coming from e.g. http://samm.kiev.ua or http://danger.rulez.sk (just random
> picks, no offense intended), then I'd trust that maintainer to upload the
> package for me or submit a SHA256 hash that the correct package must have.
> So if somebody else were to build the package, the server would accept the
> upload only if it matches the hash.

It's easier to sneak something into a binary than a source code package,
although you can never be *completely* sure either way (cf. Ken
Thompson's classic speech "Reflections on Trusting Trust"). In practice,
some amount of subterfuge would be required for the attacker to keep
from being found out too soon to do much good; possibly quite a lot of
subterfuge, if the port gets run on TrustedBSD systems or other forms of
system auditing. Once anyone notices a problem, the port will be shut
down quickly.

> Am I overlooking something? Is there some kind of port verification by
> someone from the team prior to accepting the port submission?

Well, a committer has to check the port in personally, but deliberate
sabotage could probably sneak by the committer most of the time.

 - Lowell
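The hash-gated upload that n j proposes above, together with Lowell's point that the published hash itself has to be cryptographically validated, as an added example (not code from this thread or from pkgng). It assumes a per-maintainer key and uses an HMAC over the manifest entry as a stand-in for the public-key signature a real deployment would use; the package bytes and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not real pkgng data).
MAINTAINER_KEY = b"constructed-maintainer-key"
PACKAGE_BYTES = b"constructed package archive contents"


def sign_entry(name: str, sha256_hex: str, key: bytes) -> str:
    """Authenticate the (name, hash) pair so that only the maintainer holding
    the key can publish a hash for that package.  HMAC stands in for a
    public-key signature here (assumption)."""
    msg = f"{name}\n{sha256_hex}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_manifest(name: str, pkg: bytes, key: bytes) -> dict:
    """Maintainer side: hash the package they built and sign the entry."""
    digest = hashlib.sha256(pkg).hexdigest()
    return {"name": name, "sha256": digest, "tag": sign_entry(name, digest, key)}


def verify_upload(manifest: dict, name: str, upload: bytes, key: bytes) -> bool:
    """Server side: accept an uploaded archive only if the manifest entry is
    authentic and the archive hashes to the maintainer-published value."""
    if manifest.get("name") != name:
        return False
    expected = manifest.get("sha256", "")
    if len(expected) != 64:            # malformed entry, never compare it
        return False
    # Check the entry came from the maintainer before trusting its hash.
    if not hmac.compare_digest(manifest.get("tag", ""),
                               sign_entry(name, expected, key)):
        return False
    actual = hashlib.sha256(upload).hexdigest()
    # Constant-time comparison of the archive hash against the published one.
    return hmac.compare_digest(actual, expected)


# A manifest entry as the maintainer would publish it.
MANIFEST = make_manifest("example-1.0", PACKAGE_BYTES, MAINTAINER_KEY)
```

An upload from a third-party builder passes only when its bytes hash to the maintainer's value; a tampered archive, or a manifest published under some other key, is rejected.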