{"id":13717631,"url":"https://github.com/kpcyrd/apt-swarm","last_synced_at":"2025-04-14T13:32:03.002Z","repository":{"id":65910752,"uuid":"597917191","full_name":"kpcyrd/apt-swarm","owner":"kpcyrd","description":"🥸 Experimental p2p gossip network for OpenPGP signature transparency 🥸","archived":false,"fork":false,"pushed_at":"2025-04-05T10:51:21.000Z","size":1500,"stargazers_count":31,"open_issues_count":11,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-05T11:31:25.612Z","etag":null,"topics":["censorship-resistance","decentralized","p2p","rust","security","transparency-log"],"latest_commit_sha":null,"homepage":"https://map.apt-swarm.orca.toys/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kpcyrd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["kpcyrd"]}},"created_at":"2023-02-06T01:37:48.000Z","updated_at":"2025-03-25T23:54:40.000Z","dependencies_parsed_at":"2024-01-17T09:22:04.184Z","dependency_job_id":"0fc9fced-948a-4992-8d1e-7fb8532fcf68","html_url":"https://github.com/kpcyrd/apt-swarm","commit_stats":{"total_commits":107,"total_committers":1,"mean_commits":107.0,"dds":0.0,"last_synced_commit":"94d0f1bb120752ce6d630482f73169f052fe6cb9"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fapt-swarm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fapt-swarm/tags","releases_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fapt-swarm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Fapt-swarm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kpcyrd","download_url":"https://codeload.github.com/kpcyrd/apt-swarm/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248888729,"owners_count":21178100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["censorship-resistance","decentralized","p2p","rust","security","transparency-log"],"created_at":"2024-08-03T00:01:25.005Z","updated_at":"2025-04-14T13:32:02.986Z","avatar_url":"https://github.com/kpcyrd.png","language":"Rust","funding_links":["https://github.com/sponsors/kpcyrd"],"categories":["Point-of-use validations"],"sub_categories":["Vulnerability information exchange"],"readme":"# apt-swarm\n\nAn attempt to make a secure public p2p protocol that gossips about signed\n`InRelease` files to implement an update transparency log.\n\n![Screenshot of a keyring along with the number of known signatures](.github/keyring-screenshot.png)\n\n## Running a node\n\n\u003ca href=\"https://repology.org/project/apt-swarm/versions\"\u003e\u003cimg align=\"right\" src=\"https://repology.org/badge/vertical-allrepos/apt-swarm.svg\" alt=\"Packaging status\"\u003e\u003c/a\u003e\n\nInstall dependencies (Arch Linux):\n\n```\npacman -S podman\n```\n\nInstall dependencies (Debian/Ubuntu):\n\n```\napt-get install podman catatonit\n```\n\nCreate a systemd service at 
`/etc/systemd/system/apt-swarm.service`:\n\n```\ncat \u003e /etc/systemd/system/apt-swarm.service \u003c\u003cEOF\n[Unit]\nDescription=apt-swarm p2p container\nDocumentation=https://github.com/kpcyrd/apt-swarm\n\n[Service]\nExecStartPre=-/usr/bin/mkdir -p /opt/apt-swarm\nExecStart=/usr/bin/podman run --rm --pull always --init \\\n    -v /opt/apt-swarm:/data \\\n    -p 16169:16169 \\\n    ghcr.io/kpcyrd/apt-swarm:edge p2p \\\n    --check-container-updates ghcr.io/kpcyrd/apt-swarm:edge\nRestart=always\nRestartSec=10\n\n[Install]\nWantedBy=default.target\nEOF\n```\n\nStart the service:\n\n```\nsystemctl daemon-reload\nsystemctl enable --now apt-swarm\n```\n\nWatch logs:\n\n```\njournalctl -fu apt-swarm\n```\n\n## Running a node (kubernetes)\n\n```\nminikube start\nkubectl create ns apt-swarm 2\u003e/dev/null || true\nkubectl apply -f contrib/k8s.yaml -n apt-swarm\n```\n\n## Configuring a repository to monitor\n\nTo ascii armor the pgp key use this command:\n\n```\nsq packet armor \u003c contrib/signal-desktop-keyring.pgp\n```\n\nThen write a configuration like this:\n\n```toml\n[[repository]]\nurls = [\"https://updates.signal.org/desktop/apt/dists/xenial/InRelease\"]\nkeyring = \"\"\"\n-----BEGIN PGP PUBLIC KEY 
BLOCK-----\n\nmQINBFjlSicBEACgho//0EzxuvuCn01LwFqGAgwPKcSSl4L+AWws5/YbsZZvmTBk\nggIiVOCIMh+d3cmGu5W3ydaeUbWbFGNsxO44EB5YBZcuLa5EzRKbNPVaOXKXmhp+\nw0mEbkoKbF+3mz3lifwBnzcBpukyJDgcJSq8cXfq5JsDPR1KAL6ph/kwKeiDNg+8\noFgqfboukK56yPTYc9iM8hkTFdx9L6JCJaZGaDMfihoQm2caKAmqc+TlpgtKbBL0\nt5hrzDpCPpJvCddu1NRysTcqfACSSocvoqY0dlbNPMN8j04LH8hcKGFipuLdI8qx\nBFqlMIQJCVJhr05E8rEsI4nYEyG44YoPopTFLuQa+wewZsQkLwcfYeCecU1KxlpE\nOI3xRtALJjA/C/AzUXVXsWn7Xpcble8i3CKkm5LgX5zvR6OxTbmBUmpNgKQiyxD6\nTrP3uADm+0P6e8sJQtA7DlxZLA6HuSi+SQ2WNcuyLL3Q/lJE0qBRWVJ08nI9vvxR\nvAs20LKxq+D1NDhZ2jfG2+5agY661fkx66CZNFdz5OgxJih1UXlwiHpn6qhP7Rub\nOJ54CFb+EwyzDVVKj3EyIZ1FeN/0I8a0WZV6+Y/p08DsDLcKgqcDtK01ydWYP0tA\no1S2Z7Jsgya50W7ZuP/VkobDqhOmE0HDPggX3zEpXrZKuMnRAcz6Bgi6lwARAQAB\ntDFPcGVuIFdoaXNwZXIgU3lzdGVtcyA8c3VwcG9ydEB3aGlzcGVyc3lzdGVtcy5v\ncmc+iQI3BBMBCgAhBQJY5UonAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ\nENmAoXRX9vsGU00P/RBPPc5qx1EljTW3nnTtgugORrJhYl1CxNvrohVovAF4oP1b\nUIGT5/3FoDsxJHSEIvorPFSaG2+3CBhMB1k950Ig2c2n+PTnNk6D0YIUbbEI0KTX\nnLbCskdpy/+ICiaLfJZMe11wcQpkoNbG587JdQwnGegbQoo580CTSsYMdnvGzC8A\nl1F7r37RVZToJMGgfMKK3oz8xIDXqOe5oiiKcV36tZ5V/PCDAu0hXYBRchtqHlHP\ncKWeRTb1aDkbQ7SPlJ2bSvUjFdB6KahlSGJl3nIU5zAH2LA/tUQY16Z1QaJmfkEb\nRY61B/LPv1TaA1SIUW32ej0NmeF09Ze4Cggdkacxv6E+CaBVbz5rLh6m91acBibm\npJdGWdZyQU90wYFRbSsqdDNB+0DvJy6AUg4e5f79JYDWT/Szdr0TLKmdPXOxa1Mb\ni34UebYI7WF7q22e7AphpO/JbHcD+N6yYtN6FkUAmJskGkkgYzsM/G8OEbBRS7A+\neg3+NdQRFhKa7D7nIuufXDOTMUUkUqNYLC+qvZVPJrWnK9ZsGKsP0EUZTfEGkmEN\nUzmASxyMMe6JHmm5Alk4evJeQ31U5jy7ntZSWEV1pSGmSEJLRNJtycciFJpsEp/p\nLkL0iFb30R9bHBp6cg7gjXbqZ9ZpEsxtZMBuqS70ZZyQdu2yGDQCBk7eLKCjuQIN\nBFjlSicBEACsxCLVUE7UuxsEjNblTpSEysoTD6ojc2nWP/eCiII5g6SwA/tQKiQI\nZcGZsTZB9kTbCw4T3hVEmzPl6u2G6sY9Kh1NHKMR3jXvMC+FHODhOGyAOPERjHCJ\ng20XF2/Gg462iW8e3lS7CQBzbplUCW/oMajj2Qkc61NLtxxzsssXjCKExub2HxCQ\nAYtenuDtLU73G75BoghWJ19dIkodnEI0/fzccsgiP5xeVgmkWJPo9xKJtrBS5gcS\ns7yaGY9YYo71RFzkpJpeAeLrJJqt+2KqH1u0EJUbs8YVGXKlnYeSNisg4OaRsldW\nJmDDCD5WUdFq2LNdVisfwirgjmwYpLrzVMbmzPvdmxQ1NYzJsX4ARSL/wuKCvEub\ngh1AR5
oV7mUEA9I3KRH0TIDOnH4nGG3kqArzrV2E1WtnNzFII0IN9/48xY7Vkxs7\nOil+E+wCpzUv/tF4ALx5TAXoPd66ddEOxzDrtBpEzsouszt7uUyncyT3X6ip5l9f\nmI4uxbsjwkLVfd1WpD1uvp869oyx6wtHluswr1VY/cbnHO8J6J35JVMhYQdMOaTZ\nrX6npe/YOHJ4a7YzLMfdrxyzK1wq5xu/9LgclMTdIhAKvnaXBg41jsid5n0GdIeW\nek8WAVNyvuvoTwm3GG6+/pkTwu0J79lAMD1mhJsuSca6SFNgYnd+PQARAQABiQIf\nBBgBCgAJBQJY5UonAhsMAAoJENmAoXRX9vsGvRgQAJ4tWnK2TncCpu5nTCxYMXjW\nLuvwORq8EBWczHS6SjLdwmSVKGKSYtl2n6nCkloVY6tONMoiCWmtcq7SJMJoyZw3\nXIf82Z39tzn/conjQcP0aIOFzww1XG7YiaTAhsDZ62kchukI52jUYm2w8cTZMEZB\noIwIWBpmLlyaDhjIM5neY5RuL7IbIpS/fdk2lwfAwcNq6z/ri2E5RWl3AEINdLUO\ngAiVMagNJaJ+ap7kMcwOLoI2GD84mmbtDWemdUZ3HnqLHv0mb1djsWL6LwjCuOgK\nl2GDrWCh18mE+9mVB1Lo7jzYXNSHXQP6FlDE6FhGO1nNBs2IJzDvmewpnO+a/0pw\ndCerATHWtrCKwMOHrbGLSiTKEjnNt/74gKjXxdFKQkpaEfMFCeiAOFP93tKjRRhP\n5wf1JHBZ1r1+pgfZlS5F20XnM2+f/K1dWmgh+4Grx8pEHGQGLP+A22O7iWjg9pS+\nLD3yikgyGGyQxgcN3sJBQ4yxakOUDZiljm3uNyklUMCiMjTvT/F02PalQMapvA5w\n7Gwg5mSI8NDs3RtiG1rKl9Ytpdq7uHaStlHwGXBVfvayDDKnlpmndee2GBiU/hc2\nZsYHzEWKXME/ru6EZofUFxeVdev5+9ztYJBBZCGMug5Xp3Gxh/9JUWi6F1+9qAyz\nN+O606NOXLwcmq5KZL0g\n=zyVo\n-----END PGP PUBLIC KEY BLOCK-----\n\"\"\"\n```\n\n## Status\n\nThis project is experimental. PGP is complicated and p2p security is difficult;\nrunning this program may use up a lot of disk space on your computer if\nsomebody finds a way to bypass the vandalism protection.\n\nThere's also the risk of a false negative: the pgp implementation used by\napt-get may consider a signature as invalid that a different program considers\nvalid. 
If apt-swarm considers the signature as invalid it won't accept this\nrelease into the network and it won't appear in your audit logs.\n\napt-swarm can't detect network-partitioning attacks and doesn't intend to.\n\n[![Star History Chart](https://api.star-history.com/svg?repos=kpcyrd/apt-swarm\u0026type=Date)](https://www.star-history.com/#kpcyrd/apt-swarm\u0026Date)\n\n## Trivia\n\nAs part of this project, a [bug causing the pgp parser to\ncrash](https://gitlab.com/sequoia-pgp/sequoia/-/issues/1005) was identified in\nSequoia OpenPGP in 2023 through fuzzing.\n\nA bug that could in some cases lead to [silent data\nloss](https://github.com/tokio-rs/tokio/issues/7174) was identified in Tokio in\n2025.\n\n## Funding\n\n[![](.github/lolgpt.png)](https://github.com/sponsors/kpcyrd)\n\n## License\n\n`GPL-3.0-or-later`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Fapt-swarm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkpcyrd%2Fapt-swarm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Fapt-swarm/lists"}