Not tested yet, but there is an open issue in the pkg-provides(8) repository related to this thread:
https://github.com/rosorio/pkg-provides/issues/7#issuecomment-1759876029

On May 6, 2025, 17:03, "Shawn Webb" <shawn.w...@hardenedbsd.org> wrote:

> On Tue, May 06, 2025 at 09:07:36AM +0100, Matthew Seaman wrote:
>
> > On 05/05/2025 21:58, Chuck Tuffli wrote:
> > > One aspect of running pkg-base I've found tricky is figuring out which
> > > package provides a missing binary, library, or man page. The port
> > > pkg-provides answers this type of question for ports, but (seemingly)
> > > not for pkg-base (unless I'm being dumb?). Are there plans to add this
> > > type of support? Alternatively, if I'm being dumb, can someone point
> > > me at some docs? TIA
> >
> > There's provision in `pkg repo` (see: pkg-repo(8)) to generate a
> > `filesite.txz` file as repository metadata, which lists all of the files,
> > their checksums and various other per-file metadata for all of the files in
> > all of the packages in the repository.
> >
> > This isn't normally generated for the repositories provided by the project
> > due to limitations on available space and bandwidth.
> >
> > I've had the notion kicking around in my head for a while that having a
> > database of all of the checksums of all of the files ever packaged and
> > provided by the project, with cryptographic signatures proving the
> > authenticity and provenance of those data, would be a pretty awesome
> > resource. Basically tripwire(8) built into pkg(8). However, it would
> > require someone with pretty deep pockets to fund the necessary
> > infrastructure.
>
> Over the past few years, I've had this simmering in the back of my
> head as well. I think one approach could be to use filesystem extended
> attributes. If you store the hash of the file (perhaps an
> encrypted/signed hash?) in an extended attribute, then a MAC module
> could verify that upon calls to open(2).
>
> libarchive/bsdtar already supports filesystem extended attributes for
> the tar archive format. The only thing FreeBSD would need to do is
> integrate that support in pkg. HardenedBSD's version of pkg already
> supports that, so perhaps that could be adopted by FreeBSD.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Signal Username: shawn_webb.74
> Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc