
#1 2020-03-23 14:56:59

Cyberpunk_Is_Bae
Member
Registered: 2020-03-23
Posts: 36

Package Management Security Model

Hi, thanks for your time.

I'm reading these:
https://wiki.archlinux.org/index.php/Ar … e_security
https://wiki.archlinux.org/index.php/Pa … ge_signing
https://www.archlinux.org/packages/?repo=Community
https://bbs.archlinux.org/viewtopic.php?id=160968
https://aur.archlinux.org/

I'm trying to understand how I can know where my packages are coming from.  I noticed that one of the ones I've installed appears to be marked as [community] here but I do not remember compiling anything from source as in the above link.  I am confused as to how I can absolutely know with strong warning when I am bringing in known-safe code, and when I am reaching out into the AUR or other community areas that might be safe, or might not.

I also do not completely understand the significance of /etc/pacman.conf "SigLevel" in how it relates to the signing of databases versus the signing of packages.

Thanks again.


#2 2020-03-23 15:21:11

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523

Re: Package Management Security Model

Cyberpunk_Is_Bae wrote:

I noticed that one of the ones I've installed appears to be marked as [community] here but I do not remember compiling anything from source as in the above link.

As in which link?  [community] is a binary repo just like [core] and [extra].  The only difference is the set of people who oversee it are different (but perhaps overlapping sets).  The community repo is maintained by Trusted Users while core and extra are maintained by Developers.  From the user perspective, though, these shouldn't be seen as any different: they are both well-defined sets of community members who have been given responsibility for certain packages.

Cyberpunk_Is_Bae wrote:

I am confused as to how I can absolutely know with strong warning when I am bringing in known-safe code, and when I am reaching out into the AUR or other community areas that might be safe, or might not.

Pacman does not install anything from the AUR.  Pacman installs built packages.  Period.

If you use standard package commands, those built packages come from our binary repos.

You can use makepkg to build something from source into a local package that pacman can install.  But you'd know if you did this.

Last edited by Trilby (2020-03-23 15:57:52)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2020-03-23 15:22:35

loqs
Member
Registered: 2014-03-06
Posts: 17,323

Re: Package Management Security Model

Cyberpunk_Is_Bae wrote:

I'm trying to understand how I can know where my packages are coming from.  I noticed that one of the ones I've installed appears to be marked as [community] here but I do not remember compiling anything from source as in the above link.  I am confused as to how I can absolutely know with strong warning when I am bringing in known-safe code, and when I am reaching out into the AUR or other community areas that might be safe, or might not.

pacman can only use package repositories, so it cannot use the AUR; see also https://wiki.archlinux.org/index.php/Of … #community
Edit:
Beaten by Trilby

Last edited by loqs (2020-03-23 15:23:14)


#4 2020-03-23 16:20:59

mpan
Member
Registered: 2012-08-01
Posts: 1,206

Re: Package Management Security Model

Cyberpunk_Is_Bae
Trilby has explained it, but I am not sure if that explanation is clear enough to a person who seemingly got confused by the meaning of various words there. “[community]” is a name of one of the official package repositories of Arch Linux. It’s not a common adjective, as in AUR’s description. Therefore look at that in the following manner:

            Managed by Arch-approved users      Managed by anyone
           ╭──────────────┴──────────────╮ ╭───────────┴─────────────╮
          ╭
package   │  [core] [extra] [community]      [repo-ck] [xyne-x86_64]
 repos    │    [multilib] [testing]          & other 3rd party repos
          │   [community-testing] . . .                                       
          ╰
          ╭
PKGBUILDs │      git.archlinux.org             AUR, posts on forum
          │                                     random websites
          ╰

All pacman repos listed on the official arch repositories list are managed by Arch approved people. Anything not listed there is not. Though note that some of the unofficial repos are still managed by the very same people (just not under the Arch umbrella), as well as many PKGBUILDs you can find in AUR are also managed by them.

The packages you have built based on PKGBUILDs found on AUR are built by you yourself. I believe you trust yourself more than Arch package maintainers, so having non-official packages installed shouldn’t cause any concerns. After all, it was built by the most trusted person you know. Right? Or… you don’t trust yourself, because you know that this “you” guy misuses AUR by not checking PKGBUILDs before building, doesn’t verify source signatures etc.?

Last edited by mpan (2020-03-23 16:29:11)


Sometimes I seem a bit harsh — don’t get offended too easily!
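As an added example (not code from this thread, from pacman or from makepkg), here is a POSIX shell helper that applies the distinction drawn in posts #2 and #4 to an actual machine: it reads the records `pacman -Qi` prints and labels each installed package as signature-validated from a binary repo, built locally with makepkg (makepkg stamps the package with "Unknown Packager" when makepkg.conf sets no PACKAGER), or installed with no signature check at all. The records embedded below are constructed sample output, not taken from any real system.

```shell
#!/bin/sh
# Added example: classify installed packages by origin from the fields that
# `pacman -Qi` prints for every package. Real use:  pacman -Qi | classify_origin
# Origin labels:
#   repo-signed : pacman checked a detached signature at install time, as the
#                 default SigLevel (Required DatabaseOptional) demands for packages
#   local-build : Packager is makepkg's default "Unknown Packager", i.e. built by
#                 you (typically from an AUR PKGBUILD) and installed with pacman -U
#   unverified  : neither a signature check nor a local build is recorded
classify_origin() {
  awk -F' *: *' '
    function emit() {
      if (packager == "Unknown Packager")  origin = "local-build"
      else if (validated == "Signature")   origin = "repo-signed"
      else                                 origin = "unverified"
      print name "\t" origin
      name = packager = validated = ""
    }
    $1 == "Name"         { name = $2 }
    $1 == "Packager"     { packager = $2 }
    $1 == "Validated By" { validated = $2 }
    /^$/                 { if (name != "") emit() }   # blank line ends a record
    END                  { if (name != "") emit() }
  '
}

# origin_of NAME RECORDS: the origin label of one package from a set of records
origin_of() {
  printf '%s\n' "$2" | classify_origin | awk -F'\t' -v n="$1" '$1 == n { print $2 }'
}

# Constructed sample records in `pacman -Qi` layout (not from a real machine).
SAMPLE_QI='Name            : pacman
Version         : 5.2.1-4
Packager        : Arch Packager <packager@example.org>
Validated By    : Signature

Name            : yay
Version         : 9.4.6-1
Packager        : Unknown Packager
Validated By    : None

Name            : thirdparty-tool
Version         : 1.0-1
Packager        : Someone Else <someone@example.org>
Validated By    : None'

printf '%s\n' "$SAMPLE_QI" | classify_origin
```

Anything labelled unverified is worth a second look: it is either a third-party repo package or one installed with SigLevel relaxed, which is exactly the case the thread says a user should be able to recognise.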


#5 2020-03-24 00:09:56

Cyberpunk_Is_Bae
Member
Registered: 2020-03-23
Posts: 36

Re: Package Management Security Model

Trilby wrote:

As in which link?

https://linuxhint.com/aur_arch_linux/ mb, I pulled it before I sent the above message because it was off-site.

Trilby wrote:

You can use makepkg to build something from source into a local package that pacman can install.  But you'd know if you did this.

I've tried a couple of different GUIs for pacman; I'll have to verify that they don't automatically do this.

Thank you.

loqs wrote:

pacman can only use package repositories so it can not use AUR see also https://wiki.archlinux.org/index.php/Of … #community

I didn't even realize we were binary based and not like Gentoo until your comment, thank you.

mpan wrote:
            Managed by Arch-approved users      Managed by anyone
           ╭──────────────┴──────────────╮ ╭───────────┴─────────────╮
          ╭
package   │  [core] [extra] [community]      [repo-ck] [xyne-x86_64]
 repos    │    [multilib] [testing]          & other 3rd party repos
          │   [community-testing] . . .                                       
          ╰
          ╭
PKGBUILDs │      git.archlinux.org             AUR, posts on forum
          │                                     random websites
          ╰

I feel like you've posted this diagram before haha.  It's nice, thanks.

mpan wrote:

The packages you have built based on PKGBUILDs found on AUR are built by you yourself. I believe you trust yourself more than Arch package maintainers, so having non-official packages installed shouldn’t cause any concerns. After all, it was built by the most trusted person you know. Right?

Ew, no, he makes lots of mistakes; why would you assume that?


#6 2020-03-24 01:31:00

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Package Management Security Model

Cyberpunk_Is_Bae wrote:

Ew, no, he makes lots of mistakes; why would you assume that?

What mpan means is that you need to fully trust binaries compiled by other devs for you not to have been tampered with...
If you're the one building the package, you know for sure no one did anything to the compiled source but you.
It's just a matter of trust, not about you trusting yourself to be a good admin; those are different things.
