Whenever I install a package from the AUR, I manually verify the PKGBUILD and all its sources and whatnot. Similarly, when I install a Flatpak, I verify its manifest and tighten the sandbox, typically also building it from source as well. Ditto for other installation methods. But when I install an officially maintained Arch Linux package - especially when some program requires a dozen of them as dependencies in order to run and I want/need the program working ASAP - I often don't, as I trust that you have vetted it. However, it has come to my attention that you have programs such as Discord - an extremely proprietary source-unavailable insecure program that's most assuredly malware - in the official repos, and that such a thing could be unknowingly installed by me or a script, whether directly or as a dependency, transient or not. This is a huge security issue! I highly doubt that with any - let alone every - new version of that package, you have compiled it from source and verified that no malicious actions'll be made by it. At any point, it could just decide to steal my SSH keys, include some malicious command in my zshrc, or any of a billion other actions, and so could any of the other packages. I don't care all that much if a program is under a non-free license, so long as the source is available for me or someone I trust to verify that it won't do anything bad, as otherwise it can easily simply do evil. The sole exception is that I allow source-unavailable microcode on my CPU (and looking at it now, I guess also linux-firmware) and that's a very special case that I agonized a lot over allowing. And the rare times that I actually do want a source-unavailable program (e.g. many video games) to run on my machine, I ensure it's run through a maximally restrictive bubblewrap/apparmor/firejail profile (well, mine are currently a WIP and AppArmor's completely borked, but I digress) or similar (and perhaps also on another account or with some other somewhat redundant security measure(s)), and installation and updates are handled manually by me; there's no chance that malicious source-unavailable code will be executed by mistake there - especially as root and unsandboxed. I also simply don't want anything source-unavailable on my system, from an ethical, educational, political, and so on standpoint, but I'm not getting into that now, and keeping this about the major security vulnerability it is.
So is there a way to hard blacklist all executed-source-unavailable packages from being installed or updated in any way on my Arch Linux system, or better yet whitelist only verified source-available package releases? If such could reliably extend to the AUR, great; if not, oh well. But if I'm going to continue to use and update Arch Linux for anything even remotely sensitive, I need to be able to at least trust that it won't install malware on my machine without my explicit knowing consent.
I'm new to the forum, so please let me know if I'm doing something wrong.
Thanks for your expended resources.
Hello, and welcome to the Arch forum!
AFAIK pacman has no option to block installation of packages. Not only depending on the conditions you mentioned, but based on any criteria. The closest you could get is replacing official repositories with custom repositories containing only whitelisted packages, or to use custom mirrors with blacklisted files removed. Two important downsides: it’s a lot of effort and, if anything goes south, you are likely going to be left in “this is unsupported” territory. I don’t recall seeing the first option implemented; the second has apparently been used to censor Telegram in Iran.
I can imagine an alternative route, not directly implemented in pacman, would be to (ab-?)use pre-transaction hooks to run a filter script, which fails on blacklisted packages. But this has the same problem as the above.
However, before you spend any effort on this, let’s get some crucial things straight. Your model of trust seems to be based on wrong assumptions. To be clear, I very much sympathize with your attitude. But I find the reasoning behind it somewhat off.
Sources of software in the official repositories are not reviewed. A maintainer may, at their own discretion, look at the sources. But it’s not a requirement and it’s not a viable protection method.
The mere availability of sources also does not imply that the package has been built from them. For this, reproducibility is a requirement. There is ongoing work on reproducible builds in Arch and other distros, but this is still something for the future.
We also seem to be in agreement regarding Discord usage. But the risk of them exfiltrating secrets from your machine is low, so I believe this should not be the primary reason to avoid Discord.
Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!
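As an added illustration of the hook-based filter the reply sketches (a constructed example, not code from the thread or from pacman's own tooling; the hook file name, the script path /usr/local/bin/pacman-blacklist-check and the blacklist path /etc/pacman.d/blacklist are assumptions):

```sh
#!/bin/sh
# Constructed example: filter script run by a pacman PreTransaction hook.
# The hook file (assumed /etc/pacman.d/hooks/00-blacklist.hook) would read:
#   [Trigger]
#   Operation = Install
#   Operation = Upgrade
#   Type = Package
#   Target = *
#   [Action]
#   Description = Refusing blacklisted packages
#   When = PreTransaction
#   Exec = /usr/local/bin/pacman-blacklist-check
#   NeedsTargets
#   AbortOnFail
# Target = * makes every package in the transaction a match, dependencies
# included. NeedsTargets makes pacman write the matched package names to this
# script's stdin, one per line, and AbortOnFail cancels the whole transaction
# when the script exits non-zero.

# Blacklist file (assumed path): one package name per line; whole-line '#'
# comments are fine because they never equal a package name.
BLACKLIST="${BLACKLIST:-/etc/pacman.d/blacklist}"

# check_targets FILE   (target package names on stdin)
# Lists every target found in FILE on stderr and returns 1 if there was at
# least one; returns 0 when nothing matched or FILE is absent.
check_targets() {
    bl="$1"
    found=0
    [ -r "$bl" ] || return 0          # no blacklist present: allow everything
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if grep -Fxq -- "$pkg" "$bl"; then   # exact whole-line match only
            printf 'blacklisted package in transaction: %s\n' "$pkg" >&2
            found=1
        fi
    done
    return "$found"
}

# Run the check only when executed as the hook script itself, so the function
# can be sourced elsewhere without consuming stdin.
case "$0" in
    */pacman-blacklist-check) check_targets "$BLACKLIST" ;;
esac
```

As the reply notes, this matches on package names only; it cannot tell whether a package was actually built from its published sources.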