Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kpcyrd/archlinux-inputs-fsck

Lint repository of PKGBUILDs for cryptographically pinned inputs
https://github.com/kpcyrd/archlinux-inputs-fsck

Last synced: 25 days ago
JSON representation

Lint repository of PKGBUILDs for cryptographically pinned inputs

Awesome Lists containing this project

README 

        
# archlinux-inputs-fsck



Lint a repository of PKGBUILDs to ensure all inputs are cryptographically pinned.



```sh

# Clone the archlinux-inputs-fsck source code

git clone https://github.com/kpcyrd/archlinux-inputs-fsck

cd archlinux-inputs-fsck

# Download the Arch Linux package repositories

git clone --depth=1 https://github.com/archlinux/svntogit-packages

git clone --depth=1 https://github.com/archlinux/svntogit-community

# Scan [core], [extra] and [community] for issues

cargo run --release -- check -W ./svntogit-packages/ -W ./svntogit-community/

```



## Testing AUR packages



You can also test a specific package by providing the path that contains the PKGBUILD:



```sh

git clone --depth=1 https://aur.archlinux.org/paru.git

cd paru

cargo run --release -- check .

```



Please keep in mind archlinux-inputs-fsck executes the PKGBUILD when loading it, only run this on PKGBUILDs you've reviewed/trust.



## Generate TODO lists for specific issues



Use `-qq` to disable log output (except errors), `-r` to print package names to stdout, `-f git-commit-insecure-pin` to filter for a specific issue.



```sh

cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -qqrf git-commit-insecure-pin

```



You can use `-f` multiple times, to get a human readable report for specific issues do this:



```sh

cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -q -f git-commit-insecure-pin -f svn-insecure-pin

```



To get a list of all supported issue types do this:



```sh

% cargo run --release -- supported-issues

insecure-scheme

unknown-scheme

wrong-number-of-checksums

git-commit-insecure-pin

svn-insecure-pin

hg-revision-insecure-pin

bzr-insecure-pin

url-artifact-insecure-pin

```



## Issues explained



### `insecure-scheme`



A `source=` uses a complex protocol over an unauthenticated connection. This applies to `git://` for example. `http://` and `ftp://` are also unauthenticated but not included here because they are trivial to combine with `sha256sums`, `b2sums`, etc and `updpkgsums` has support for them.



### `unknown-scheme`



A `source=` uses a scheme that archlinux-inputs-fsck didn't understand. If the scheme is understood by `makepkg` this would mean support needs to be added to `archlinux-inputs-fsck`.



### `wrong-number-of-checksums`



The number of checksums didn't match the number of `source=` entries. You are unlikely to see this in practice.



### `git-commit-insecure-pin`



A git `source=` didn't cryptographically pin a commit object. This makes it prone to `curl | sh` style attacks by malicious git servers.



### `svn-insecure-pin`



A svn `source=` was found, which can not be cryptographically be pinned. They are always prone to `curl | sh` style attacks by malicious svn servers.



### `hg-revision-insecure-pin`



An hg `source=` didn't cryptographically pin a revision object. This makes it prone to `curl | sh` style attacks by malicious hg servers.



### `bzr-insecure-pin`



A bzr `source=` was found, which can not be cryptographically be pinned. They are always prone to `curl | sh` style attacks by malicious bzr servers.



### `url-artifact-insecure-pin`



A url artifact `source=` was found that was not secured by at least one cryptographically secure checksum. This happens if only `md5sums=` or `sha1sums=` was used, if the secure checksums are all set to `SKIP` or if no checksums are configured at all.



## License



GPLv3+