On Tue, May 06, 2025 at 09:07:36AM +0100, Matthew Seaman wrote:
> On 05/05/2025 21:58, Chuck Tuffli wrote:
> > One aspect of running pkg-base I've found tricky is figuring out which
> > package provides a missing binary, library, or man page. The port
> > pkg-provides answers this type of question for ports, but (seemingly)
> > not for pkg-base (unless I'm being dumb?). Are there plans to add this
> > type of support? Alternatively, if I'm being dumb, can someone point
> > me at some docs? TIA
> 
> There's provision in `pkg repo` (see: pkg-repo(8)) to generate a
> `filesite.txz` file as repository metadata, which lists all of the files,
> their checksums and various other per-file metadata for all of the files in
> all of the packages in the repository.
> 
> This isn't normally generated for the repositories provided by the project
> due to limitations on available space and bandwidth.
> 
> I've had the notion kicking around in my head for a while that having a
> database of all of the checksums of all of the files ever packaged and
> provided by the project, with cryptographic signatures proving the
> authenticity and provenance of those data, would be a pretty awesome
> resource.  Basically tripwire(8) built into pkg(8).  However, it would
> require someone with pretty deep pockets to fund the necessary
> infrastructure.

Over the past few years, I've had this simmering in the back of my
head as well. I think one approach could be to use filesystem extended
attributes. If you store the hash of the file (perhaps an
encrypted/signed hash?) in an extended attribute, then a MAC module
could verify that upon calls to open(2).

libarchive/bsdtar already supports filesystem extended attributes for
the tar archive format. The only thing FreeBSD would need to do is
integrate that support in pkg. HardenedBSD's version of pkg already
supports that, so perhaps that could be adopted by FreeBSD.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username:  shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
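
As an added illustration of the hash-in-extended-attribute idea above (example code written for this page, not HardenedBSD's or FreeBSD's pkg), the following labels a file with its SHA-256 at install time and verifies the label before the file is used, the user-space analogue of a MAC check on open(2). The extended-attribute store is passed in as set/get callables so the logic runs on any filesystem: a dict stands in here, while on a Linux filesystem with user xattrs os.setxattr and os.getxattr can be passed directly (FreeBSD would use extattr(2) in the "user" namespace). The attribute name is a constructed one, and HMAC-SHA256 stands in for the public-key signature a real design would use so that the verifier holds no secret.

```python
import hashlib
import hmac
import os
import tempfile

ATTR_NAME = "user.pkg.sha256"  # constructed attribute name, "user" namespace

def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()

def label(path, key, setxattr):
    """Install-time step: store digest || HMAC(key, digest) as the label."""
    digest = file_digest(path)
    tag = hmac.new(key, digest, hashlib.sha256).digest()
    setxattr(path, ATTR_NAME, digest + tag)

def verify(path, key, getxattr):
    """Open-time check: the label must be authentic and match the contents."""
    try:
        stored = getxattr(path, ATTR_NAME)
    except (OSError, KeyError):
        return False  # unlabeled file: fail closed
    if len(stored) != 64:
        return False
    digest, tag = stored[:32], stored[32:]
    if not hmac.compare_digest(tag, hmac.new(key, digest, hashlib.sha256).digest()):
        return False  # label forged or corrupted
    return hmac.compare_digest(digest, file_digest(path))

def demo():
    key = b"constructed-demo-key"
    store = {}  # dict stands in for xattrs; on Linux pass os.setxattr/os.getxattr
    def setxattr(p, n, v): store[(p, n)] = bytes(v)
    def getxattr(p, n): return store[(p, n)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-binary")
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        label(path, key, setxattr)
        clean = verify(path, key, getxattr)
        with open(path, "ab") as f:
            f.write(b"echo modified\n")  # contents changed after labeling
        tampered = verify(path, key, getxattr)
        setxattr(path, ATTR_NAME, file_digest(path) + b"\0" * 32)  # relabel without key
        forged = verify(path, key, getxattr)
    return clean, tampered, forged
```

demo() returns (True, False, False): a clean labeled file passes, a modified file fails, and a relabeling that lacks the key fails even though its digest matches the new contents.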
