* [ISSUE] Verify installed packages and files
From: AngryPhantom @ 2020-05-19 11:17 UTC (permalink / raw)
To: ml
New issue by AngryPhantom on void-packages repository
https://github.com/void-linux/void-packages/issues/22126
Description:
### System
Updated, up and running. The best, lightest and fastest distro so far!
Anyway, I've gotten involved in an argument with some "clever" guys on reddit and now it bothers me a bit too. Is there any procedure/tool to **verify all the installed packages** and/or files? Like it's done with **debsums** in Debian, for example.
I'm feeling more and more inclined to use Void on my production servers and am really concerned about security.
Thank you in advance.
* Re: Verify installed packages and files
From: ahesford @ 2020-05-19 11:18 UTC (permalink / raw)
To: ml
New comment by ahesford on void-packages repository
https://github.com/void-linux/void-packages/issues/22126#issuecomment-630754176
Comment:
You mean like `xbps-pkgdb -a`?
* Re: Verify installed packages and files
From: AngryPhantom @ 2020-05-19 12:29 UTC (permalink / raw)
To: ml
New comment by AngryPhantom on void-packages repository
https://github.com/void-linux/void-packages/issues/22126#issuecomment-630785965
Comment:
@ahesford
> check/fix issues and modify the package database (pkgdb). It's able to check for missing dependencies, modified files and symlinks, and more errors that have been fixed in newer versions of xbps
Erm... I mean something like 'debsums', to check the installed packages (and the files included) for consistency, so that the hashes match and I can be sure that my system is not compromised due to some hacking attempt on the official repository.
* Re: Verify installed packages and files
From: abenson @ 2020-05-19 12:59 UTC (permalink / raw)
To: ml
New comment by abenson on void-packages repository
https://github.com/void-linux/void-packages/issues/22126#issuecomment-630799769
Comment:
`xbps-pkgdb -a` will check for package consistency (dependencies aren't missing) and package contents (files aren't missing and are the correct hashes).
The hashes/signatures of packages are checked at time of install, similar to Debian.
* Re: Verify installed packages and files
From: ahesford @ 2020-05-19 13:02 UTC (permalink / raw)
To: ml
New comment by ahesford on void-packages repository
https://github.com/void-linux/void-packages/issues/22126#issuecomment-630801749
Comment:
The only files not checked are those marked "mutable" or "configuration" because, as the category names suggest, these files are subject to change on individual systems.
Hashes are stored locally, so as long as you trusted the Void repo at the time of install, you can continue to trust the validation of `xbps-pkgdb -a`. There is no method to verify that a repo hasn't been compromised.
* Re: Verify installed packages and files
From: Duncaen @ 2020-05-19 13:03 UTC (permalink / raw)
To: ml
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/issues/22126#issuecomment-630802620
Comment:
> compromised due to some hacking attempt on the official repository
First, there are signatures for packages; if they can't be verified, xbps will not install the package.
But if the official repository is really compromised including private keys, checking the checksum of files doesn't do anything as the source of those checksums is the compromised package signed with the compromised key.
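The distinction the replies above draw, as an added example rather than xbps code: hashes recorded at install time catch a file modified afterwards, "mutable"/"conf" entries are skipped, and a package whose contents were altered before it was signed passes cleanly because its recorded hashes describe the altered files. The manifest layout, file categories and function names here are invented to model the mechanism, not xbps's pkgdb format.

```python
"""Model of local package-file verification in the spirit of `xbps-pkgdb -a`.
Added example; the manifest format and names are assumptions, not xbps's own."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, categories: dict) -> dict:
    """What a package carries: the hash of each file as shipped by the repo.
    Whatever is hashed here is what the local check will later trust."""
    return {p: {"category": categories.get(p, "file"), "sha256": sha256(d)}
            for p, d in files.items()}


def verify(manifest: dict, disk: dict) -> dict:
    """Compare on-disk content with the hashes stored at install time.
    Files in the mutable/conf categories are skipped, as the thread describes."""
    result = {"modified": [], "missing": [], "skipped": []}
    for path, meta in manifest.items():
        if meta["category"] in ("mutable", "conf"):
            result["skipped"].append(path)
        elif path not in disk:
            result["missing"].append(path)
        elif sha256(disk[path]) != meta["sha256"]:
            result["modified"].append(path)
    return result


# Constructed sample package: one binary, one config file (assumed paths).
GOOD_FILES = {"/usr/bin/tool": b"ELF...original", "/etc/tool.conf": b"debug=0"}
CATEGORIES = {"/etc/tool.conf": "conf"}


def post_install_tamper() -> dict:
    """Trusted package installed, then the binary is changed on disk:
    the locally stored hash no longer matches, so the check reports it."""
    manifest = build_manifest(GOOD_FILES, CATEGORIES)
    disk = {**GOOD_FILES, "/usr/bin/tool": b"ELF...changed",
            "/etc/tool.conf": b"debug=1"}  # admin edit of a conf file: expected
    return verify(manifest, disk)


def compromised_at_install() -> dict:
    """Package altered before signing: the manifest hashes the altered binary,
    so the local check is consistent and reports nothing (Duncaen's point)."""
    bad_files = {**GOOD_FILES, "/usr/bin/tool": b"ELF...changed"}
    manifest = build_manifest(bad_files, CATEGORIES)
    return verify(manifest, dict(bad_files))


if __name__ == "__main__":
    print("post-install tamper:", post_install_tamper())
    print("compromised at install:", compromised_at_install())
```

The second scenario is why the local check only extends the trust you placed in the repository at install time; it cannot create that trust.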
* Re: Verify installed packages and files
From: AngryPhantom @ 2020-05-19 13:05 UTC (permalink / raw)
To: ml
New comment by AngryPhantom on void-packages repository
https://github.com/void-linux/void-packages/issues/22126#issuecomment-630803564
Comment:
@abenson, @ahesford, @Duncaen Thank you, guys! I'm closing this then. I'm still learning Void.
Best regards and have a nice day!
* Re: [ISSUE] [CLOSED] Verify installed packages and files
From: AngryPhantom @ 2020-05-19 13:05 UTC (permalink / raw)
To: ml
Closed issue by AngryPhantom on void-packages repository
https://github.com/void-linux/void-packages/issues/22126