Date: Wed, 9 Aug 2017 21:42:14 -0400
From: "William L. Thomson Jr."
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
Organization: Obsidian-Studios, Inc.

On Thu, 10 Aug 2017 10:50:45 +1000
"Sam Jorna (wraeth)" wrote:

> On 10/08/17 06:35, William L. Thomson Jr. wrote:
> > FYI binpkgs have no hash. If someone did something malicious within
> > the binhost to the binpkgs. You have no way of knowing. Yes the
> > same can happen with ebuilds and manifest. But easy to sync portage
> > and see if a manifest has changed.
>
> This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which
> is a manifest of built packages and related metadata. Granted this is
> created by the binhost, it does exist and contains SHA1 and MD5
> hashes, as well as package size. In that sense it's no different to
> how a package Manifest file works within a repository.

You are correct. I meant to say no verifiable hash. You can hash
anything locally and claim it to be trustworthy. Thus mentioning
syncing portage to compare manifest of ebuild/SRC_URI.

Someone remakes a binpkg tarball, edits ${PKGDIR}/Packages with new
SHA1 and MD5. No way to know.

IMHO SRC_URI is more trustworthy than binhost, in the sense of
verification. If you have means to verify the binhost stuff it may be
more trustworthy. That is left to the admin.

I see binpkg as a temporary convenience. I am doing updates across many
of the same systems. Less images, containers, etc. I made binaries on
one system. Immediately used as updated on others.
Then discarded on binhost. Also used for testing, reverting between
slotted versions.

-- 
William L. Thomson Jr.
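
The point made in the message above, as an added example that is not part of the original post: a tarball that matches ${PKGDIR}/Packages proves nothing when the same host rewrote both, while a digest of the index recorded at build time and kept off the binhost detects the change. The stanza layout, package name and helper names are assumptions for illustration, and the pinned SHA-256 is one possible means of verification, not something the thread prescribes.

```python
import hashlib
import hmac

def make_index(pkgs):
    """Simplified Packages-style index; the field layout is an assumption."""
    return "\n".join(
        f"CPV: {cpv}\nMD5: {hashlib.md5(data).hexdigest()}\n"
        f"SHA1: {hashlib.sha1(data).hexdigest()}\nSIZE: {len(data)}\n"
        for cpv, data in sorted(pkgs.items()))

def parse_index(text):
    """Return {cpv: {field: value}} from blank-line-separated stanzas."""
    stanzas = (dict(line.split(": ", 1) for line in s.splitlines())
               for s in text.strip().split("\n\n") if s)
    return {fields["CPV"]: fields for fields in stanzas}

def matches_index(index_text, cpv, data):
    """Check a tarball against the hashes the binhost itself published."""
    entry = parse_index(index_text).get(cpv)
    return (entry is not None and int(entry["SIZE"]) == len(data)
            and entry["MD5"] == hashlib.md5(data).hexdigest()
            and entry["SHA1"] == hashlib.sha1(data).hexdigest())

def index_digest(index_text):
    """SHA-256 of the whole index, recorded at build time, kept off the binhost."""
    return hashlib.sha256(index_text.encode()).hexdigest()

def matches_pin(index_text, pinned):
    """Compare the served index with the digest recorded out of band."""
    return hmac.compare_digest(index_digest(index_text), pinned)

# Constructed sample data: the package name and contents are placeholders.
CPV = "app-misc/example-1.0"
built_index = make_index({CPV: b"original package contents"})
PINNED = index_digest(built_index)  # held by the admin, not stored on the binhost

# Later the binhost serves different bytes together with a regenerated index.
served_data = b"replaced package contents"
served_index = make_index({CPV: served_data})

def demo():
    return {
        "served_index_accepts": matches_index(served_index, CPV, served_data),
        "built_index_accepts": matches_index(built_index, CPV, served_data),
        "pin_accepts": matches_pin(served_index, PINNED),
    }

print(demo())
```

The served index accepts the replaced tarball because it was regenerated alongside it; only the comparison against data held off the binhost fails.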