[OpenIndiana-discuss] pkg security and incentives?
Tim Mooney
Tim.Mooney at ndsu.edu
Mon Aug 18 21:33:08 UTC 2025
In regard to: Re: [OpenIndiana-discuss] pkg security and incentives?,...:
> So if I build Gnu Linear Programming Package (aka GLPK) how do you
> prevent me from adding a Trojan, building GLPK, restoring the original
> source and building an IPS pkg? Is there a checksum generated by the
> compiler from the source file that is recorded in the binary?
Upstream packages never get built by an end user.
You can build your own binary package and put it in your own repo, but
the package would not be accepted verbatim in oi-userland. If I trusted
you and your repo was network accessible, I could add your repo to my
system and also install it, but it would come from your repo, not
oi-userland.
When contributing a component to oi-userland, what you're actually
providing is just the recipe to build it. You don't provide any binaries,
and you don't provide the source code.
The build system fetches the source code from the URL you provided.
That's one of the things that Andreas and/or anyone accepting your recipe
would scrutinize when accepting your recipe.
The recipe (a Makefile with a bunch of macro inclusions and common
targets) can apply transforms to the source code before it's built, but
those are usually pretty straightforward. Check out some of the Makefiles
in oi-userland for examples of transforms.
The biggest opportunity to trojan the generated package would be sneaking
something into any of the patches that you may need to include with your
recipe. Patches are an additional part of the commit that makes up the
total recipe for "how to build component <X>". Those again are things
that the person accepting your recipe would need to scrutinize.
Once the recipe has been committed to oi-userland, the official package is
auto-generated.
If you don't yet have a github.com account, you can still download all of
oi-userland and explore the various recipes to see what's part of a
recipe. Just point a browser at
https://github.com/OpenIndiana/oi-userland
and click the green "Code" button and select "Download ZIP" to get
a zip file of the entire tree.
When you're ready to start contributing build recipes, for Andreas' sanity
you'll want to have a github account, but to just examine the current
tree you can download it without an account.
Tim
--
Tim Mooney Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure /
Division of Information Technology / 701-231-1076 (Voice)
North Dakota State University, Fargo, ND 58105-5164
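Added example (not part of Tim's message and not oi-userland's own build code): the message above explains that a recipe contributes only a build description and that the build system itself fetches the source from the URL the contributor gives. The point a reviewer cares about is that a URL alone does not pin content; what the fetched archive has to match is a digest recorded in the recipe, so swapping the upstream tarball becomes a visible change in review. The script below is a stand-alone illustration of that fetch-and-pin check. It assumes `sha256sum` or `shasum` is installed; the "source file" and the pinned digest are constructed for the demo, and `verify_archive` is a hypothetical helper, not a target from any real Makefile.

```shell
#!/bin/sh
# Added example, not oi-userland code: a minimal "pin the fetched source"
# check of the kind a build system runs before it unpacks a component.
# Assumptions: sha256sum or shasum is on PATH; the file and the pinned
# digest below are constructed for this demo.

# Print the SHA-256 digest of a file with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_archive FILE EXPECTED_SHA256
# Returns 0 when FILE matches the pinned digest, 1 otherwise.
# The digest, not the URL, is what ties the recipe to one specific
# upstream archive; a changed digest shows up as a diff in review.
verify_archive() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file matches pinned sha256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  pinned:  $expected" >&2
    echo "  fetched: $actual" >&2
    return 1
}

# Constructed demo input: a stand-in for a fetched source archive whose
# content ("hello\n") has a known SHA-256, recorded here as the "pin".
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/component-1.0.tar.gz"
PINNED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Untampered archive: passes the pin.
verify_archive "$demo_dir/component-1.0.tar.gz" "$PINNED_SHA256"

# "Upstream" quietly replaced the archive: a one-byte change fails the pin.
printf 'hellp\n' > "$demo_dir/component-1.0-swapped.tar.gz"
verify_archive "$demo_dir/component-1.0-swapped.tar.gz" "$PINNED_SHA256" \
    || echo "tamper detected, build would stop here"

rm -rf "$demo_dir"
```

The check only covers the fetched archive. Patches that the recipe carries, and any transforms it applies before building, are part of the committed recipe itself, which is exactly why the message says they are the part the accepting reviewer has to read.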