Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kpcyrd/archlinux-inputs-fsck
Lint repository of PKGBUILDs for cryptographically pinned inputs
- Host: GitHub
- URL: https://github.com/kpcyrd/archlinux-inputs-fsck
- Owner: kpcyrd
- License: gpl-3.0
- Created: 2022-05-26T00:16:13.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-01-03T10:10:05.000Z (about 2 years ago)
- Last Synced: 2024-09-19T09:07:03.377Z (4 months ago)
- Language: Rust
- Homepage:
- Size: 161 KB
- Stars: 10
- Watchers: 2
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-software-supply-chain-security - kpcyrd/archlinux-inputs-fsck: Lint repository of PKGBUILDs for cryptographically pinned inputs
README
# archlinux-inputs-fsck
Lint a repository of PKGBUILDs to ensure all inputs are cryptographically pinned.
```sh
# Clone the archlinux-inputs-fsck source code
git clone https://github.com/kpcyrd/archlinux-inputs-fsck
cd archlinux-inputs-fsck
# Download the Arch Linux package repositories
git clone --depth=1 https://github.com/archlinux/svntogit-packages
git clone --depth=1 https://github.com/archlinux/svntogit-community
# Scan [core], [extra] and [community] for issues
cargo run --release -- check -W ./svntogit-packages/ -W ./svntogit-community/
```
## Testing AUR packages
You can also test a specific package by providing the path that contains the PKGBUILD:
```sh
git clone --depth=1 https://aur.archlinux.org/paru.git
cd paru
cargo run --release -- check .
```
Please keep in mind that archlinux-inputs-fsck executes the PKGBUILD when loading it; only run this on PKGBUILDs you have reviewed and trust.
## Generate TODO lists for specific issues
Use `-qq` to disable log output (except errors), `-r` to print package names to stdout, `-f git-commit-insecure-pin` to filter for a specific issue.
```sh
cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -qqrf git-commit-insecure-pin
```
You can use `-f` multiple times. To get a human-readable report for specific issues, do this:
```sh
cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -q -f git-commit-insecure-pin -f svn-insecure-pin
```
To get a list of all supported issue types, do this:
```sh
% cargo run --release -- supported-issues
insecure-scheme
unknown-scheme
wrong-number-of-checksums
git-commit-insecure-pin
svn-insecure-pin
hg-revision-insecure-pin
bzr-insecure-pin
url-artifact-insecure-pin
```
## Issues explained
### `insecure-scheme`
A `source=` uses a complex protocol over an unauthenticated connection. This applies to `git://` for example. `http://` and `ftp://` are also unauthenticated but are not included here because they are trivial to combine with `sha256sums`, `b2sums`, etc., and `updpkgsums` has support for them.
### `unknown-scheme`
A `source=` uses a scheme that archlinux-inputs-fsck didn't understand. If the scheme is understood by `makepkg` this would mean support needs to be added to `archlinux-inputs-fsck`.
### `wrong-number-of-checksums`
The number of checksums didn't match the number of `source=` entries. You are unlikely to see this in practice.
### `git-commit-insecure-pin`
A git `source=` didn't cryptographically pin a commit object. This makes it prone to `curl | sh` style attacks by malicious git servers.
### `svn-insecure-pin`
An svn `source=` was found, which cannot be cryptographically pinned. These are always prone to `curl | sh` style attacks by malicious svn servers.
### `hg-revision-insecure-pin`
An hg `source=` didn't cryptographically pin a revision object. This makes it prone to `curl | sh` style attacks by malicious hg servers.
### `bzr-insecure-pin`
A bzr `source=` was found, which cannot be cryptographically pinned. These are always prone to `curl | sh` style attacks by malicious bzr servers.
### `url-artifact-insecure-pin`
A url artifact `source=` was found that was not secured by at least one cryptographically secure checksum. This happens if only `md5sums=` or `sha1sums=` was used, if the secure checksums are all set to `SKIP` or if no checksums are configured at all.
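The issue categories above boil down to a small set of rules over the `source=` array and the checksum arrays of a PKGBUILD. The following Rust program is an added example, not code from the archlinux-inputs-fsck project: it classifies makepkg-style `source=` entries purely textually and reports the same issue names the README lists. Everything beyond the README is an assumption of this example: a `#commit=` or `#revision=` pin only counts as cryptographic when it is a full 40- or 64-character hex object id, a VCS source carried over a `git`, `http` or `ftp` transport is reported as `insecure-scheme`, `sha224sums`/`sha256sums`/`sha384sums`/`sha512sums`/`b2sums` are the secure arrays, and an entry without a scheme is a local file rather than a remote input. The sample arrays in `main` are constructed and do not describe any real package.

```rust
// Added example, not the archlinux-inputs-fsck code base: a simplified,
// purely textual classifier for makepkg `source=` entries and checksum
// arrays that reproduces the issue categories described in the README.
// Assumptions (not from the page): a pin counts as cryptographic only when
// it is a full 40- or 64-char hex object id; VCS sources over git/http/ftp
// transports are `insecure-scheme`; entries with no scheme are local files.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Issue {
    InsecureScheme,
    UnknownScheme,
    WrongNumberOfChecksums,
    GitCommitInsecurePin,
    SvnInsecurePin,
    HgRevisionInsecurePin,
    BzrInsecurePin,
    UrlArtifactInsecurePin,
}

/// Checksum arrays treated as cryptographically strong (assumption).
const SECURE_SUMS: &[&str] = &["sha224sums", "sha256sums", "sha384sums", "sha512sums", "b2sums"];

/// Split a makepkg entry `[name::]url[#fragment]` into (scheme, fragment).
/// A missing `://` means a local file shipped next to the PKGBUILD.
fn parse_entry(raw: &str) -> (Option<&str>, Option<&str>) {
    let url = raw.find("::").map_or(raw, |i| &raw[i + 2..]);
    let (url, fragment) = match url.find('#') {
        Some(i) => (&url[..i], Some(&url[i + 1..])),
        None => (url, None),
    };
    (url.find("://").map(|i| &url[..i]), fragment)
}

/// Value of `key=` in a fragment such as `commit=<id>` or `tag=v1.0`.
fn fragment_value<'a>(fragment: Option<&'a str>, key: &str) -> Option<&'a str> {
    let (k, v) = fragment?.split_once('=')?;
    (k == key).then_some(v)
}

fn is_full_hex_id(s: &str) -> bool {
    (s.len() == 40 || s.len() == 64) && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Classify one `source=` entry. `Ok(true)` marks a URL artifact that still
/// needs a secure checksum; `Ok(false)` means nothing more is required.
pub fn classify_source(raw: &str) -> Result<bool, Issue> {
    let (scheme, fragment) = parse_entry(raw);
    let scheme = match scheme {
        Some(s) => s,
        None => return Ok(false), // local file, not a remote input
    };
    // makepkg VCS sources look like `git+https`; a bare `git` means git://.
    let (vcs, transport) = scheme.split_once('+').unwrap_or((scheme, scheme));
    match vcs {
        "git" | "hg" | "svn" | "bzr" if matches!(transport, "git" | "http" | "ftp") => {
            Err(Issue::InsecureScheme)
        }
        "git" => match fragment_value(fragment, "commit") {
            Some(id) if is_full_hex_id(id) => Ok(false),
            _ => Err(Issue::GitCommitInsecurePin), // tag=, branch= or no pin
        },
        "hg" => match fragment_value(fragment, "revision") {
            Some(id) if is_full_hex_id(id) => Ok(false),
            _ => Err(Issue::HgRevisionInsecurePin),
        },
        "svn" => Err(Issue::SvnInsecurePin), // never pinnable
        "bzr" => Err(Issue::BzrInsecurePin), // never pinnable
        "http" | "https" | "ftp" => Ok(true),
        _ => Err(Issue::UnknownScheme),
    }
}

/// Check a whole PKGBUILD: `sources` is the `source=` array, `checksums`
/// pairs each checksum array name (e.g. "sha256sums") with its values.
/// Returns (offending entry or array name, issue) pairs.
pub fn check_pkgbuild(sources: &[&str], checksums: &[(&str, Vec<&str>)]) -> Vec<(String, Issue)> {
    let mut found = Vec::new();
    for (name, values) in checksums {
        if values.len() != sources.len() {
            found.push((name.to_string(), Issue::WrongNumberOfChecksums));
        }
    }
    for (i, src) in sources.iter().enumerate() {
        match classify_source(src) {
            Err(issue) => found.push((src.to_string(), issue)),
            Ok(false) => {}
            Ok(true) => {
                // A URL artifact is pinned only by a non-SKIP value in a
                // secure array; md5sums/sha1sums alone do not count.
                let pinned = checksums.iter().any(|(name, values)| {
                    SECURE_SUMS.contains(name) && values.get(i).map_or(false, |v| *v != "SKIP")
                });
                if !pinned {
                    found.push((src.to_string(), Issue::UrlArtifactInsecurePin));
                }
            }
        }
    }
    found
}

fn main() {
    // Constructed sample arrays; they do not describe any real package.
    let sources = [
        "https://example.org/proj-1.0.tar.gz",
        "fix.patch",
        "dep::git+https://github.com/example/dep.git#branch=main",
    ];
    let checksums = [
        ("md5sums", vec!["d41d8cd98f00b204e9800998ecf8427e", "d41d8cd98f00b204e9800998ecf8427e", "SKIP"]),
        ("sha256sums", vec!["SKIP", "SKIP", "SKIP"]),
    ];
    for (what, issue) in check_pkgbuild(&sources, &checksums) {
        println!("{:?}: {}", issue, what);
    }
}
```

Because this example never evaluates the PKGBUILD as bash, it is safe to run on unreviewed files, which is exactly the property the README says the real tool lacks; the price is that it cannot resolve shell variables such as `$pkgver` inside URLs, which is one reason the real tool executes the PKGBUILD instead.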
## License
GPLv3+