
# archlinux-inputs-fsck

Lint a repository of PKGBUILDs to ensure all inputs are cryptographically pinned.

```sh
# Clone the archlinux-inputs-fsck source code
git clone https://github.com/kpcyrd/archlinux-inputs-fsck
cd archlinux-inputs-fsck
# Download the Arch Linux package repositories
git clone --depth=1 https://github.com/archlinux/svntogit-packages
git clone --depth=1 https://github.com/archlinux/svntogit-community
# Scan [core], [extra] and [community] for issues
cargo run --release -- check -W ./svntogit-packages/ -W ./svntogit-community/
```

## Testing AUR packages

You can also test a specific package by providing the path that contains the PKGBUILD:

```sh
git clone --depth=1 https://aur.archlinux.org/paru.git
cd paru
cargo run --release -- check .
```

Please keep in mind that archlinux-inputs-fsck executes the PKGBUILD when loading it, so only run it on PKGBUILDs you have reviewed and trust.

## Generate TODO lists for specific issues

Use `-qq` to disable log output (except errors), `-r` to print package names to stdout, and `-f git-commit-insecure-pin` to filter for a specific issue.

```sh
cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -qqrf git-commit-insecure-pin
```

You can use `-f` multiple times. To get a human-readable report for specific issues, run:

```sh
cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -q -f git-commit-insecure-pin -f svn-insecure-pin
```

To list all supported issue types, run:

```sh
% cargo run --release -- supported-issues
insecure-scheme
unknown-scheme
wrong-number-of-checksums
git-commit-insecure-pin
svn-insecure-pin
hg-revision-insecure-pin
bzr-insecure-pin
url-artifact-insecure-pin
```

## Issues explained

### `insecure-scheme`

A `source=` uses a complex protocol over an unauthenticated connection. This applies to `git://`, for example. `http://` and `ftp://` are also unauthenticated but are not included here because they are trivial to combine with `sha256sums`, `b2sums`, etc., and `updpkgsums` supports them.

### `unknown-scheme`

A `source=` uses a scheme that archlinux-inputs-fsck does not recognise. If the scheme is understood by `makepkg`, this means support needs to be added to `archlinux-inputs-fsck`.

### `wrong-number-of-checksums`

The number of checksums does not match the number of `source=` entries. You are unlikely to see this in practice.

### `git-commit-insecure-pin`

A git `source=` didn't cryptographically pin a commit object. This makes it prone to `curl | sh` style attacks by malicious git servers.

### `svn-insecure-pin`

An svn `source=` was found. svn sources cannot be cryptographically pinned, so they are always prone to `curl | sh` style attacks by malicious svn servers.

### `hg-revision-insecure-pin`

An hg `source=` didn't cryptographically pin a revision object. This makes it prone to `curl | sh` style attacks by malicious hg servers.

### `bzr-insecure-pin`

A bzr `source=` was found. bzr sources cannot be cryptographically pinned, so they are always prone to `curl | sh` style attacks by malicious bzr servers.

### `url-artifact-insecure-pin`

A URL artifact `source=` was found that is not secured by at least one cryptographically secure checksum. This happens if only `md5sums=` or `sha1sums=` was used, if the secure checksums are all set to `SKIP`, or if no checksums are configured at all.
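The rules above, written out as a small classifier. This is an added example and not the project's own code: it assumes the `source=` entries and one secure checksum array (`sha256sums`/`sha512sums`/`b2sums`) have already been extracted from the PKGBUILD (for instance via `makepkg --printsrcinfo`), treats only a full commit or revision hash as a pin (so `#tag=` and `#branch=` count as unpinned), and leaves out the array-length check behind `wrong-number-of-checksums`.

```rust
// Added illustration of the checks described above, not the project's own
// code: it assumes the source= entries have already been extracted from the
// PKGBUILD (e.g. via `makepkg --printsrcinfo`) together with one secure
// checksum array (sha256sums/sha512sums/b2sums).
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Issue {
    InsecureScheme, UnknownScheme, GitCommitInsecurePin, SvnInsecurePin,
    HgRevisionInsecurePin, BzrInsecurePin, UrlArtifactInsecurePin,
}

fn is_hex(s: &str, len: usize) -> bool {
    s.len() == len && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Value of `key=` in the URL fragment (`#commit=<hash>`), if present.
fn fragment_value<'a>(url: &'a str, key: &str) -> Option<&'a str> {
    let frag = url.split_once('#')?.1;
    frag.split('&').find_map(|kv| kv.strip_prefix(key)?.strip_prefix('='))
}

/// Classify one source entry; `sum` is its entry in the secure checksum
/// array, or None when the PKGBUILD has no such array at all.
pub fn check_source(entry: &str, sum: Option<&str>) -> Option<Issue> {
    let url = entry.split_once("::").map_or(entry, |(_, u)| u); // drop "name::"
    let scheme = match url.split_once("://") {
        Some((s, _)) => s,
        None => return None, // local file shipped next to the PKGBUILD
    };
    let (vcs, transport) = scheme.split_once('+').unwrap_or((scheme, scheme));
    match vcs {
        "git" if transport == "git" => Some(Issue::InsecureScheme), // plain git://
        // only a full commit hash is immutable; #tag= and #branch= are not
        "git" => match fragment_value(url, "commit") {
            Some(c) if is_hex(c, 40) || is_hex(c, 64) => None,
            _ => Some(Issue::GitCommitInsecurePin),
        },
        "svn" => Some(Issue::SvnInsecurePin),   // svn cannot be pinned at all
        "hg" => match fragment_value(url, "revision") {
            Some(r) if is_hex(r, 40) => None,
            _ => Some(Issue::HgRevisionInsecurePin),
        },
        "bzr" => Some(Issue::BzrInsecurePin),   // neither can bzr
        "http" | "https" | "ftp" => match sum { // plain artifact: needs a real sum
            Some(s) if s != "SKIP" => None,
            _ => Some(Issue::UrlArtifactInsecurePin),
        },
        _ => Some(Issue::UnknownScheme),
    }
}
```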

## License

GPLv3+