Skip to content

Latest commit

 

History

History
92 lines (60 loc) · 3.32 KB

README.md

File metadata and controls

92 lines (60 loc) · 3.32 KB

archlinux-inputs-fsck

Lint a repository of PKGBUILDs to ensure all inputs are cryptographically pinned.

# Clone the archlinux-inputs-fsck source code
git clone https://github.com/kpcyrd/archlinux-inputs-fsck
cd archlinux-inputs-fsck
# Download the Arch Linux package repositories
git clone --depth=1 https://github.com/archlinux/svntogit-packages
git clone --depth=1 https://github.com/archlinux/svntogit-community
# Scan [core], [extra] and [community] for issues
cargo run --release -- check -W ./svntogit-packages/ -W ./svntogit-community/

Testing AUR packages

You can also test a specific package by providing the path that contains the PKGBUILD:

git clone --depth=1 https://aur.archlinux.org/paru.git
cd paru
cargo run --release -- check .

Please keep in mind archlinux-inputs-fsck executes the PKGBUILD when loading it, only run this on PKGBUILDs you've reviewed/trust.

Generate TODO lists for specific issues

Use -qq to disable log output (except errors), -r to print package names to stdout, -f git-commit-insecure-pin to filter for a specific issue.

cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -qqrf git-commit-insecure-pin

You can use -f multiple times, to get a human readable report for specific issues do this:

cargo run --release -- check -W ./svntogit-packages -W ./svntogit-community -q -f git-commit-insecure-pin -f svn-insecure-pin

To get a list of all supported issue types do this:

% cargo run --release -- supported-issues
insecure-scheme
unknown-scheme
wrong-number-of-checksums
git-commit-insecure-pin
svn-insecure-pin
hg-revision-insecure-pin
bzr-insecure-pin
url-artifact-insecure-pin

Issues explained

insecure-scheme

A source= uses a complex protocol over an unauthenticated connection. This applies to git:// for example. http:// and ftp:// are also unauthenticated but not included here because they are trivial to combine with sha256sums, b2sums, etc and updpkgsums has support for them.

unknown-scheme

A source= uses a scheme that archlinux-inputs-fsck didn't understand. If the scheme is understood by makepkg this would mean support needs to be added to archlinux-inputs-fsck.

wrong-number-of-checksums

The number of checksums didn't match the number of source= entries. You are unlikely to see this in practice.

git-commit-insecure-pin

A git source= didn't cryptographically pin a commit object. This makes it prone to curl | sh style attacks by malicious git servers.

svn-insecure-pin

A svn source= was found, which can not be cryptographically be pinned. They are always prone to curl | sh style attacks by malicious svn servers.

hg-revision-insecure-pin

An hg source= didn't cryptographically pin a revision object. This makes it prone to curl | sh style attacks by malicious hg servers.

bzr-insecure-pin

A bzr source= was found, which can not be cryptographically be pinned. They are always prone to curl | sh style attacks by malicious bzr servers.

url-artifact-insecure-pin

A url artifact source= was found that was not secured by at least one cryptographically secure checksum. This happens if only md5sums= or sha1sums= was used, if the secure checksums are all set to SKIP or if no checksums are configured at all.

License

GPLv3+