
#1 2005-04-06 19:09:07

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Be aware of where your packages/PKGBUILDS come from.

A word of caution to all you Archers out there. Be careful where you get your packages from.

It goes without saying that a package from an unknown user/entity could house harmful material. A package could install a trojan, a backdoor, or several other devious things.

The Arch Build System is powerful, and safe if used responsibly. Responsibility on the user end is key though. It would be a simple matter of building a package with a harmful post_install script embedded in it, or even an embedded keystroke logger daemon. The myriad of possibilities given that install scripts are executed as root is endless.

So, in summation, know what you are installing. Be an educated user. Know the source of your packages/pkgbuilds. Package builds posted on the forum are generally subject to the review of the public, and thus it is likely that some user would pick up on some squirrelliness and say, "hey! that doesn't look right!".

I consider pkgbuilds safer than binaries from sources that I do not trust, because I know what is going on in the pkgbuilds and I can review it. If you do not have the experience required to feel comfortable understanding pkgbuilds, then stick with repos that you trust.

Nothing to be alarmed about. I was just thinking about security this afternoon, and thought I would say something in the hopes that it would make even one user out there a bit safer.  8)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#2 2005-04-06 19:19:54

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: Be aware of where your packages/PKGBUILDS come from.

I guess technically, you can put "rm -rf /" in a (pre)post_install function... yikes... be careful of those too


#3 2005-04-06 20:41:35

dadexter
Member
From: Dorval, QC, Canada
Registered: 2004-09-07
Posts: 274

Re: Be aware of where your packages/PKGBUILDS come from.

so in other words... always read your PKGBUILDS and always build them as a normal user using fakeroot?


#4 2005-04-07 01:59:25

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Be aware of where your packages/PKGBUILDS come from.

either that or make darn sure you trust the source of them..



#5 2005-04-07 09:05:12

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: Be aware of where your packages/PKGBUILDS come from.

For people with their own repos, e.g. cactus, phrak and me, should we propose that PKGBUILDs for binaries offered should always be available? My repo even has all the install scripts and patches in the PKGBUILD dir - could we build on that for some hosting-your-own-repo best practice stuff?

(split me to a new thread if you think this is a good idea)


#6 2005-04-07 09:14:03

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Be aware of where your packages/PKGBUILDS come from.

I generally keep a link to my svn repo (which is web viewable by the way) in my repo page. The .install scripts, pkgbuilds, and other needed files (like the random diff file) are all in there. Users are free to snag from either.



#7 2005-04-07 10:45:38

miqorz
Member
Registered: 2004-12-31
Posts: 475

Re: Be aware of where your packages/PKGBUILDS come from.

Great cactus. Now no one will fall for my rm -rf / PKGBUILDs


http://wiki2.archlinux.org/

Read it. Love it. Live it. Or die.


#8 2005-04-08 09:27:05

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: Be aware of where your packages/PKGBUILDS come from.

yeah - that's funny

cactus - I didn't mean you personally, I meant generally


#9 2005-04-08 09:30:40

miqorz
Member
Registered: 2004-12-31
Posts: 475

Re: Be aware of where your packages/PKGBUILDS come from.

I look at harmful Arch packages like I do Linux spyware and whatnot.

Sure it's POSSIBLE and we all know the possibility could arise.

But it has yet to really happen and if it does it will be spotted extremely fast and reported.



#10 2005-04-08 09:41:28

STiAT
Member
From: Vienna, Austria
Registered: 2004-12-23
Posts: 606

Re: Be aware of where your packages/PKGBUILDS come from.

I as well put filelist, patches and PKGBUILDs to my server (even though, no repo).

Anyway, think about larger patches ... who's really going to read them? Any of you (okay, I know it's an official package) read the visibility patch of GCC? I did, since I maintained the patched GCC for another distribution. Though, this patch was just released on mailing lists... as far as I know.

I've never used any other package source than official repos and the packages I created, and I feel convenient about this.

Anyway, it's a good idea at least to let people know about the risks. I'm also providing binary / pkgbuild / filelists / patches, but I doubt anyone reads what the builds are really doing (the statistics of my web server tell me that not even 20% of the people downloading binaries reviewed the PKGBUILDs; I just took a short look at this).

// STi


Ability is nothing without opportunity.


#11 2005-04-08 10:02:36

miqorz
Member
Registered: 2004-12-31
Posts: 475

Re: Be aware of where your packages/PKGBUILDS come from.

I make it a rule of thumb to never use anyone else's binaries.

I just use their pkgbuilds and place them in my /opt/abs/local and build as needed.



#12 2005-04-08 19:24:05

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: Be aware of where your packages/PKGBUILDS come from.

dibblethewrecker wrote:

For people with their own repos, e.g. cactus, phrak and me, should we propose that PKGBUILDs for binaries offered should always be available? My repo even has all the install scripts and patches in the PKGBUILD dir - could we build on that for some hosting-your-own-repo best practice stuff

I agree that PKGBUILDs should be provided. I am already doing it for my repo. However, it crossed my mind that there is no way (I think) to know if the binary package was built with a specific PKGBUILD. It would be possible for someone to offer malicious binary packages while pretending that they were built with a "well-behaved" PKGBUILD. In that case, reading the PKGBUILD, install files and patches is useless unless you trust the source.


#13 2005-04-09 03:21:32

neotuli
Lazy Developer
From: London, UK
Registered: 2004-07-06
Posts: 1,204

Re: Be aware of where your packages/PKGBUILDS come from.

You know when I first saw this thread, I thought something horrific had happened. Then I realized it was just cactus being paranoid about security again (I didn't say this is a bad thing).
Indeed, there is no way to verify what pkgbuild was used to make a given package, and even then, files and scripts could later be easily inserted into the package. There is no real way around this, and not much anybody can do.
If you're really paranoid, you can untar every package and browse through it before installing. Not much else you can do...


The suggestion box only accepts patches.
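
The "untar and browse" check neotuli describes, written up as an added example that is not from this thread or from Arch's own tooling: it opens a pkg.tar.gz offline, lists the payload, prints the .INSTALL script instead of running it, and flags setuid/setgid files. The sample package is constructed inline, and the function names and the .PKGINFO/.INSTALL member layout are my assumptions about the package format.

```shell
#!/bin/sh
# Offline look at an Arch .pkg.tar.gz before installing it: list the payload,
# print the .INSTALL script without executing it, and flag setuid/setgid files.
set -eu

# Build a constructed sample package in scratch dir $1 (not a real Arch package)
# and print its path. The setuid bit is set on purpose so the check has a hit.
build_sample_pkg() {
    root="$1/root"
    mkdir -p "$root/usr/bin" "$root/etc"
    printf 'pkgname = sample\npkgver = 1.0-1\n' > "$root/.PKGINFO"
    printf 'post_install() {\n  echo "runs as root at install time"\n}\n' > "$root/.INSTALL"
    printf '#!/bin/sh\necho sample\n' > "$root/usr/bin/sample"
    chmod 4755 "$root/usr/bin/sample"
    : > "$root/etc/sample.conf"
    (cd "$root" && tar -czf "$1/sample.pkg.tar.gz" .PKGINFO .INSTALL usr etc)
    printf '%s\n' "$1/sample.pkg.tar.gz"
}

# Exit 0 when the package carries an install script (.INSTALL member).
pkg_has_install_script() { tar -tzf "$1" | grep -qx '\.INSTALL'; }

# Print the install script to stdout (tar -O) so it can be read, never run.
pkg_install_script() { tar -xzOf "$1" .INSTALL; }

# Print members whose stored mode has the setuid (pos 4) or setgid (pos 7) bit.
pkg_setuid_files() {
    tar -tvzf "$1" | awk 'substr($1,4,1) ~ /[sS]/ || substr($1,7,1) ~ /[sS]/ {print $NF}'
}

# Print payload paths, skipping the dot-prefixed metadata members.
pkg_payload() { tar -tzf "$1" | grep -v '^\.'; }

# Human-readable summary for one package file.
report() {
    echo "== payload of $1"; pkg_payload "$1"
    if pkg_has_install_script "$1"; then
        echo "== install script (review it; the package manager runs this as root):"
        pkg_install_script "$1"
    fi
    suid=$(pkg_setuid_files "$1")
    if [ -n "$suid" ]; then echo "== WARNING setuid/setgid files:"; echo "$suid"; fi
}

scratch=$(mktemp -d)
report "$(build_sample_pkg "$scratch")"
rm -rf "$scratch"
```

Run it against a downloaded package by replacing the constructed sample with the file's path in the `report` call; nothing in it extracts to disk or executes package content.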


#14 2005-04-09 05:31:36

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: Be aware of where your packages/PKGBUILDS come from.

I don't think that untarring the package is safe because you can't check the contents of the binary files. I think that if you have the PKGBUILD, install file and patches then you can check what they do and build the package yourself. IMO, this could be the safest way to do it.


#15 2005-04-09 05:43:34

neotuli
Lazy Developer
From: London, UK
Registered: 2004-07-06
Posts: 1,204

Re: Be aware of where your packages/PKGBUILDS come from.

Snowman wrote:

I don't think that untarring the package is safe because you can't check the contents of the binary files. I think that if you have the PKGBUILD, install file and patches then you can check what they do and build the package yourself. IMO, this could be the safest way to do it.

Right, but not everyone has the time and patience for that.



#16 2005-04-09 06:05:35

miqorz
Member
Registered: 2004-12-31
Posts: 475

Re: Be aware of where your packages/PKGBUILDS come from.

Isn't this why we have TRUSTED user repos?



#17 2005-04-09 06:06:21

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: Be aware of where your packages/PKGBUILDS come from.

neotuli wrote:
Snowman wrote:

I don't think that untarring the package is safe because you can't check the contents of the binary files. I think that if you have the PKGBUILD, install file and patches then you can check what they do and build the package yourself. IMO, this could be the safest way to do it.

Right, but not everyone has the time and patience for that.

Yes. And you must trust the devs writing the apps. If you are paranoid about safety, you must verify the source code of all the apps/libraries installed on your system. Of course, no one has time for that, so you must trust others.


#18 2005-04-09 10:20:33

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: Be aware of where your packages/PKGBUILDS come from.

my suggestion was aimed at people like miqorz - if people are worried about security I provide all the bits they need to build my packages themselves
