LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 04-06-2012, 12:59 PM   #1
slackgraham
LQ Newbie
 
Registered: Apr 2012
Posts: 13

Rep: Reputation: Disabled
checksum/signature/whatever for sbopkg ?


Hi All,

I thought I'd give sbopkg a go, but I don't see any checksums, or even better signatures, to enable checking that the download is authentic.

Am I missing something?

Thanks,
g.
 
Old 04-06-2012, 01:25 PM   #2
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,097

Rep: Reputation: 4174
for slackbuilds.org's official http repository, each slackbuild is extracted before building from a .tar.gz signed with pgp (the .asc files, like /var/lib/sbopkg/SBo/13.37/libraries/libvpx.tar.gz.asc).

in case of a git repository, everything is signed and hashed in the repository itself (by design), so there's no need to verify manually with pgp.

Last edited by ponce; 04-06-2012 at 01:31 PM.
 
Old 04-06-2012, 03:23 PM   #3
slackgraham
LQ Newbie
 
Registered: Apr 2012
Posts: 13

Original Poster
Rep: Reputation: Disabled
Thanks for the response.

Yes, I'm familiar with the .asc files at sbo. That's what I was expecting at http://www.sbopkg.org/downloads.php.

Quote:
in case of a git repository, everything is signed and hashed in the repository itself (by design), so there's no need to verify manually with pgp.
I'm not familiar with git, but a quick google seems to suggest that signing tags is optional.
However, even if it wasn't optional, the actual download of the "prebuilt package" at http://www.sbopkg.org/downloads.php comes straight over http, with git not involved. So without an accompanying signature how can I know that I've downloaded the authentic package which has come out of a secure(?) git repository?

What am I missing?!

Ah, I've found sha1 checksums if I download from this page http://code.google.com/p/sbopkg/downloads/list, which thinking about it doesn't add much in terms of verifying package authenticity, because I can't tell whether the hash value itself is authentic. Doh!
 
Old 04-06-2012, 04:00 PM   #4
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,097

Rep: Reputation: 4174
Quote:
Originally Posted by slackgraham View Post
I'm not familiar with git, but a quick google seems to suggest that signing tags is optional.
every commit is signed.

sorry, I had understood you were referring to the repositories sbopkg uses, not to sbopkg itself.
Just two considerations:
- the upload is by slakmagik, I can read his name, he logged in and Google guarantees that he is himself;
- I think the sha1 hash value is calculated by googlecode.
 
Old 04-08-2012, 04:38 PM   #5
slackgraham
LQ Newbie
 
Registered: Apr 2012
Posts: 13

Original Poster
Rep: Reputation: Disabled
Hello again, thanks for your reply.

Quote:
every commit is signed.
Interesting. I'll have to take a closer look at git (especially given its increasing popularity; I mostly use bazaar).

Quote:
sorry, I had understood you were referring to the repositories sbopkg uses, not to sbopkg itself.
Just two considerations:
- the upload is by slakmagik, I can read his name, he logged in and Google guarantees that he is himself;
- I think the sha1 hash value is calculated by googlecode.
OK, yes, that is some assurance.
I guess my point is that from the web interface everything looks ok, but really I could be being served with anything, from anywhere, and without a key or hash from some ultimately trusted source I can't tell.
Still, not a completely unusual state of affairs (I suppose I'd expected signatures on something that plays such a critical role in the system, especially since sbopkg expects signatures on the sbo downloads).

Thanks for your replies,

g.
 
Old 04-08-2012, 04:54 PM   #6
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

Rep: Reputation: 282
Quote:
Originally Posted by slackgraham View Post
I guess my point is that from the web interface everything looks ok, but really I could be being served with anything, from anywhere, and without a key or hash from some ultimately trusted source I can't tell.
And how would you tell that the person signing it is trustworthy?

Think long and hard about that question.
 
Old 04-08-2012, 05:05 PM   #7
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,097

Rep: Reputation: 4174
I, personally, see it like this: if the sbopkg devs think the tarball is ok, I simply trust them and that's enough.

being a user of sbopkg for some years, it actually saved a lot of my time: now I just can't think of a world without it and slackbuilds.org.
 
Old 04-14-2012, 04:58 PM   #8
slackgraham
LQ Newbie
 
Registered: Apr 2012
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
And how would you tell that the person signing it is trustworthy?
Chain of trust etc. Fair enough.
But surely a suspect key is easier to detect than a suspect file?
After all, (i) if a key has been used over a period of time then a different key would be detected by the community.
And (ii) keys can be published in multiple places, which makes it harder to publish a fake key than to publish, for example, a single fake download.

And once I've decided to trust a key, then by implication I can trust future files signed with the same key, rather than examine each file anew.

What approach do you take?


Quote:
I, personally, see it like this: if the sbopkg devs think the tarball is ok, I simply trust them and that's enough.
I trust the devs alright, just concerned about whether the tarball they produced is the same thing I download.

Quote:
being a user of sbopkg for some years, it actually saved a lot of my time: now I just can't think of a world without it and slackbuilds.org.
I can see the value alright.
I just take a cautious approach to what I install.
 
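The two checks the thread keeps coming back to (post #2's signed .tar.gz/.asc pairs, post #3's observation that a sha1 served from the same place as the file proves little, and post #8's point that trusting one key lets you trust every file it signs) can be shown side by side. The script below is an added example for this thread; it is not sbopkg's code and not from any poster. It assumes `gpg` (2.1 or later) and `sha1sum` are installed, works in a throwaway GNUPGHOME so your real keyring is untouched, and all file contents, user ids and e-mail addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not sbopkg's code, not from any poster in the thread).
# Contrasts a checksum fetched alongside a download with a detached PGP
# signature checked against a PINNED key fingerprint. Runs offline in a
# scratch directory; the key, file and user ids are all constructed here.
set -u

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"        # throwaway keyring, never ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# gpg with the non-interactive flags every call below needs
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

sha1_of() {                           # hex SHA-1 of a file (coreutils, BSD fallback)
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# (1) Checksum: proves the bytes equal the digest you hold. If the digest came
# from the same server as the file, this catches a corrupt download, not a
# substituted one, which is exactly the concern raised in post #3.
verify_sha1() {                       # $1 file, $2 expected digest; 0 = match
    [ "$(sha1_of "$1")" = "$2" ]
}

# (2) Detached signature verified against a pinned fingerprint. A plain
# "gpg --verify" succeeds for ANY key in the keyring; matching the VALIDSIG
# status line to the fingerprint you decided to trust is the chain-of-trust
# step from post #8, and it rejects an otherwise-valid signature by any other key.
verify_pgp_pinned() {                 # $1 file, $2 detached .asc, $3 pinned fingerprint
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

make_key() {                          # $1 user id; prints the new key's fingerprint
    gpgq --quick-gen-key "$1" default default never >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

detach_sign() {                       # $1 file, $2 signing fingerprint, $3 output .asc
    gpgq --yes --armor --detach-sign --local-user "$2" -o "$3" "$1"
}

demo() {
    # constructed stand-in for a downloaded release tarball and its published digest
    printf 'sbopkg release contents (constructed sample)\n' > "$WORK/sbopkg.tar.gz"
    sha1_of "$WORK/sbopkg.tar.gz" > "$WORK/sbopkg.tar.gz.sha1"
    verify_sha1 "$WORK/sbopkg.tar.gz" "$(cat "$WORK/sbopkg.tar.gz.sha1")" \
        && echo "sha1: matches the digest served with it (says nothing about who made it)"

    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping signature part"; return 0; }
    PINNED=$(make_key 'Release Signer (constructed) <signer@example.invalid>') || return 1
    OTHER=$(make_key 'Some Other Key (constructed) <other@example.invalid>') || return 1
    detach_sign "$WORK/sbopkg.tar.gz" "$PINNED" "$WORK/sbopkg.tar.gz.asc"
    detach_sign "$WORK/sbopkg.tar.gz" "$OTHER"  "$WORK/other.asc"

    verify_pgp_pinned "$WORK/sbopkg.tar.gz" "$WORK/sbopkg.tar.gz.asc" "$PINNED" \
        && echo "pinned key: signature accepted"
    verify_pgp_pinned "$WORK/sbopkg.tar.gz" "$WORK/other.asc" "$PINNED" \
        || echo "other key: rejected, even though gpg itself considers the signature good"
    printf 'x' >> "$WORK/sbopkg.tar.gz"   # any change to the file breaks the signature
    verify_pgp_pinned "$WORK/sbopkg.tar.gz" "$WORK/sbopkg.tar.gz.asc" "$PINNED" \
        || echo "modified file: signature rejected"
}
demo
```

The fingerprint you pin is the one thing that has to come from somewhere other than the download page; once you have it (published in several places, seen in use over time, as post #8 argues), each new release only needs `verify_pgp_pinned` rather than a fresh judgement about the file.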