Lint a repository of PKGBUILDs to ensure all inputs are cryptographically pinned.

```sh
# Clone the archlinux-inputs-fsck source code
git clone https://github.com/kpcyrd/archlinux-inputs-fsck
cd archlinux-inputs-fsck
# Download the Arch Linux package repositories
git clone --depth=1 https://github.com/archlinux/svntogit-packages
git clone --depth=1 https://github.com/archlinux/svntogit-community
# Scan [core], [extra] and [community] for issues
cargo run --release -- check -W ./svntogit-packages/ -W ./svntogit-community/
```
You can also test a specific package by providing the path that contains the PKGBUILD:

```sh
git clone --depth=1 https://aur.archlinux.org/paru.git
cd paru
cargo run --release -- check .
```
Please keep in mind that `archlinux-inputs-fsck` executes the PKGBUILD when loading it; only run it on PKGBUILDs you have reviewed and trust.
Use `-qq` to disable log output (except errors), `-r` to print package names to stdout, and `-f git-commit-insecure-pin` to filter for a specific issue:

```sh
cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -qqrf git-commit-insecure-pin
```
`-f` can be used multiple times. To get a human-readable report for specific issues:

```sh
cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -q -f git-commit-insecure-pin -f svn-insecure-pin
```
To get a list of all supported issue types:

```sh
% cargo run --release -- supported-issues
insecure-scheme
unknown-scheme
wrong-number-of-checksums
git-commit-insecure-pin
svn-insecure-pin
hg-revision-insecure-pin
bzr-insecure-pin
url-artifact-insecure-pin
```
## insecure-scheme

A `source=` uses a complex protocol over an unauthenticated connection. This applies to `git://`, for example. `http://` and `ftp://` are also unauthenticated but are not included here because they are trivial to combine with `sha256sums`, `b2sums`, etc., and `updpkgsums` has support for them.

## unknown-scheme

A `source=` uses a scheme that `archlinux-inputs-fsck` didn't understand. If the scheme is understood by `makepkg`, this means support needs to be added to `archlinux-inputs-fsck`.

## wrong-number-of-checksums

The number of checksums didn't match the number of `source=` entries. You are unlikely to see this in practice.

## git-commit-insecure-pin

A git `source=` didn't cryptographically pin a commit object. This makes it prone to `curl | sh`-style attacks by malicious git servers.

## svn-insecure-pin

An svn `source=` was found, which cannot be cryptographically pinned. These are always prone to `curl | sh`-style attacks by malicious svn servers.

## hg-revision-insecure-pin

An hg `source=` didn't cryptographically pin a revision object. This makes it prone to `curl | sh`-style attacks by malicious hg servers.

## bzr-insecure-pin

A bzr `source=` was found, which cannot be cryptographically pinned. These are always prone to `curl | sh`-style attacks by malicious bzr servers.

## url-artifact-insecure-pin

A URL artifact `source=` was found that was not secured by at least one cryptographically secure checksum. This happens if only `md5sums=` or `sha1sums=` was used, if the secure checksums are all set to `SKIP`, or if no checksums are configured at all.
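To make the issue types above concrete, here is a small offline classifier that applies the same rules to the `source=` and checksum arrays of a PKGBUILD. It is an added example, not the project's code: it never executes a PKGBUILD (a plain dict stands in for its arrays), it assumes `https`, `ssh` and `file` are the authenticated transports, and it treats only a full 40- or 64-hex object id in `#commit=` / `#revision=` as a cryptographic pin.

```python
# Simplified, offline classifier for PKGBUILD source=() entries using the issue names
# above (added example, not the project's code; a dict stands in for the PKGBUILD).
import re
VCS, ARTIFACT = {"git", "svn", "hg", "bzr"}, {"http", "https", "ftp"}
AUTHENTICATED = {"https", "ssh", "file"}         # assumed: transports that authenticate the server
PIN_KEY = {"git": "commit", "hg": "revision"}    # fragment key that can carry an object id
SECURE_SUMS = ("sha256sums", "sha384sums", "sha512sums", "b2sums")
ALL_SUMS = SECURE_SUMS + ("md5sums", "sha1sums", "cksums")
FULL_HASH = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")  # assumed: full SHA-1/SHA-256 id

def split_entry(entry):
    url = entry.split("::", 1)[1] if "::" in entry else entry   # drop "name::" prefix
    url, _, fragment = url.partition("#")                         # "#commit=..." fragment
    scheme = (re.match(r"([a-z0-9+.-]+)://", url, re.I) or [None, ""])[1].lower()  # "" = local
    vcs, transport = (scheme.split("+", 1) if "+" in scheme      # git+https
                      else (scheme, scheme) if scheme in VCS     # bare git://, svn://
                      else (None, scheme))                       # plain download
    key, _, value = fragment.partition("=")
    return vcs, transport, key, value

def check(pkg):
    """Return sorted (source index, issue) pairs; index -1 means a whole-array issue."""
    sources, issues = pkg.get("source", []), []
    if any(len(pkg[s]) != len(sources) for s in ALL_SUMS if s in pkg):
        issues.append((-1, "wrong-number-of-checksums"))
    for i, entry in enumerate(sources):
        vcs, transport, key, value = split_entry(entry)
        if vcs is None:
            if transport == "": continue                          # file next to the PKGBUILD
            if transport not in ARTIFACT:
                issues.append((i, "unknown-scheme"))
            elif not any(s in pkg and i < len(pkg[s]) and pkg[s][i] != "SKIP" for s in SECURE_SUMS):
                issues.append((i, "url-artifact-insecure-pin"))  # md5/sha1 never count
            continue
        if transport not in AUTHENTICATED:
            issues.append((i, "insecure-scheme"))
        if vcs in PIN_KEY and not (key == PIN_KEY[vcs] and FULL_HASH.match(value)):
            issues.append((i, f"{vcs}-{PIN_KEY[vcs]}-insecure-pin"))
        elif vcs in ("svn", "bzr"):
            issues.append((i, vcs + "-insecure-pin"))              # never pinnable
    return sorted(issues)

SAMPLE = {"source": ["git+https://example.invalid/good.git#commit=" + "deadbeef" * 5,  # pinned
                     "git://example.invalid/bad.git#branch=main",           # git:// + unpinned
                     "svn+https://example.invalid/trunk#revision=42",       # never pinnable
                     "https://example.invalid/tool.tar.gz",                 # sha256 below: clean
                     "https://example.invalid/notes.txt",                   # SKIP: flagged
                     "gopher://example.invalid/x"],                         # unknown scheme
          "sha256sums": ["SKIP"] * 3 + ["a" * 64, "SKIP", "SKIP"],          # constructed values
          "md5sums": ["SKIP"] * 5}                                          # one short: flagged
```

Running `check(SAMPLE)` reports the unpinned `git://` entry twice (insecure scheme and missing commit pin), the svn entry, the artifact with only `SKIP`, the unknown scheme, and the short `md5sums` array; the pinned git source and the sha256-covered tarball are clean.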
## License

GPLv3+