[ISSUE] Verify installed packages and files

[ISSUE] Verify installed packages and files

[AngryPhantom]

[-- Attachment #1: Type: text/plain, Size: 600 bytes --]

New issue by AngryPhantom on void-packages repository

https://github.com/void-linux/void-packages/issues/22126

Description:
### System

Updated, up and running. The best, lightest and fastest distro so far!

Anyway, I've got involved in an argue with some "clever" guys on reddit and now it bothers me a bit too. Is there any procedure/tool to **verify all the installed packages** and/or files? Like it's done with **debsusms** in Debian, for example.
I'm feeling like more and more inclined to use Void on my production servers and am really concerned about security.
Thank you in advance.

Re: Verify installed packages and files

[ahesford]

[-- Attachment #1: Type: text/plain, Size: 174 bytes --]

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630754176

Comment:
You mean like `xbps-pkgdb -a`?

Re: Verify installed packages and files

[AngryPhantom]

[-- Attachment #1: Type: text/plain, Size: 602 bytes --]

New comment by AngryPhantom on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630785965

Comment:
@ahesford 

> check/fix issues and modify the package database (pkgdb). It's able to check for missing dependencies, modified files and symlinks, and more errors that have been fixed in newer versions of xbps

Erm... I mean something like 'debsums', to check the installed packages (and the files included) for consistency, so that the hashes match and be sure that my system is not compromised due to some hacking attempt on the official repository.

Re: Verify installed packages and files

[abenson]

[-- Attachment #1: Type: text/plain, Size: 387 bytes --]

New comment by abenson on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630799769

Comment:
`xbps-pkgdb -a` will check for package consistency (dependencies aren't missing) and package contents (files aren't missing and are the correct hashes). 

The hashes/signatures of packages are checked at time of install, similar as to Debian.

Re: Verify installed packages and files

[ahesford]

[-- Attachment #1: Type: text/plain, Size: 533 bytes --]

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630801749

Comment:
The only files not checked are this marked "mutable" or "configuration" because, as the category names suggest, these files are subject to change on individual systems.

Hashes are stored locally, so as long as you trusted the Void repo at the time of install, you can continue to trust the validation of `xbps-pkgdb -a`. There is no method to verify that a repo hasn't been compromised.

Re: Verify installed packages and files

[ahesford]

[-- Attachment #1: Type: text/plain, Size: 534 bytes --]

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630801749

Comment:
The only files not checked are those marked "mutable" or "configuration" because, as the category names suggest, these files are subject to change on individual systems.

Hashes are stored locally, so as long as you trusted the Void repo at the time of install, you can continue to trust the validation of `xbps-pkgdb -a`. There is no method to verify that a repo hasn't been compromised.

Re: Verify installed packages and files

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 538 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630802620

Comment:
> compromised due to some hacking attempt on the official repository

First there are signatures for packages, if they can't be verified xbps will not install the package.
But if the official repository is really compromised including private keys, checking the checksum of files doesn't do anything as the source of those checksums is the compromised package signed with the compromised key.

Re: Verify installed packages and files

[AngryPhantom]

[-- Attachment #1: Type: text/plain, Size: 277 bytes --]

New comment by AngryPhantom on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630803564

Comment:
@abenson, @ahesford, @Duncaen Thank you, guys! I'm closing this then. I'm still learning Void.
Best regards and have a nice day!

Re: [ISSUE] [CLOSED] Verify installed packages and files

[AngryPhantom]

[-- Attachment #1: Type: text/plain, Size: 602 bytes --]

Closed issue by AngryPhantom on void-packages repository

https://github.com/void-linux/void-packages/issues/22126

Description:
### System

Updated, up and running. The best, lightest and fastest distro so far!

Anyway, I've got involved in an argue with some "clever" guys on reddit and now it bothers me a bit too. Is there any procedure/tool to **verify all the installed packages** and/or files? Like it's done with **debsums** in Debian, for example.
I'm feeling like more and more inclined to use Void on my production servers and am really concerned about security.
Thank you in advance.