  2. 3

    When apk is pulling packages, it extracts them into / before checking that the hash matches what the signed manifest says it should be.

    This surprised me. There’s no way to check the hashes before extracting the files?

    1. 3

      Ideally, the outermost file (the archive itself) should have a detached signature of some sort. The algorithm should be as follows:

      1. Ensure the trust store is sane and still trustworthy
      2. Ensure there is a valid signature for the to-be-downloaded package
      3. Download the package
      4. Ensure that the signature is valid for the package
      5. Ensure that each file has an associated hash in the pkg metadata
      6. Extract files
      7. Ensure that the file hashes match
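As an added illustration of the ordering proposed above (not the commenter's code and not apk's actual implementation), a Python sketch in which the signature and every per-file hash are checked before any file reaches the target root; the HMAC key standing in for the trust store, the manifest layout, the function names and the sample files are all constructed assumptions:

```python
import hashlib, hmac, io, json, os, shutil, tarfile, tempfile
# Constructed stand-in for the trust store: an HMAC key plays the signing key
# (assumption; real package managers use public-key signatures).
TRUSTED_KEY = b"constructed-trust-store-key"
def sign(manifest, key=TRUSTED_KEY):  # detached signature over the canonical manifest
    return hmac.new(key, json.dumps(manifest, sort_keys=True).encode(), hashlib.sha256).digest()
def build_package(files):  # constructed sample package: tar archive + hash manifest
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    archive = buf.getvalue()
    manifest = {"archive_sha256": hashlib.sha256(archive).hexdigest(),
                "files": {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}}
    return archive, manifest
def install(archive, manifest, signature, root, key=TRUSTED_KEY):
    """Steps 4-7 of the ordering above; unverified data never reaches root. Returns paths written."""
    if not hmac.compare_digest(sign(manifest, key), signature):            # step 4: signature first
        raise ValueError("manifest signature invalid")
    if hashlib.sha256(archive).hexdigest() != manifest["archive_sha256"]:  # archive bound to manifest
        raise ValueError("archive hash mismatch")
    expected, seen = manifest["files"], set()
    staging = tempfile.mkdtemp(prefix=".staging-", dir=root)               # scratch area, not the live tree
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for member in tar:
                name = member.name                                         # step 5 plus traversal guard
                if not member.isfile() or name not in expected or os.path.isabs(name) or ".." in name.split("/"):
                    raise ValueError(f"rejected archive member {name!r}")
                data = tar.extractfile(member).read()
                if hashlib.sha256(data).hexdigest() != expected[name]:     # step 7, before placement
                    raise ValueError(f"hash mismatch for {name}")
                dest = os.path.join(staging, name)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as f: f.write(data)
                seen.add(name)
        if seen != set(expected):
            raise ValueError("archive does not match the manifest's file list")
    except Exception:
        shutil.rmtree(staging)                                             # failure leaves root untouched
        raise
    for name in expected:                                                  # commit only verified files
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        os.replace(os.path.join(staging, name), os.path.join(root, name))
    shutil.rmtree(staging)
    return sorted(os.path.join(root, n) for n in expected)
```

The staging directory keeps a failed install from leaving partial, unverified files in the live tree; the same ordering can be combined with the reduced privileges the reply below suggests.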
      1. 3

        And do as much work as possible with as few privileges as possible. Using MAC and/or chroot is a bonus.

    2. 3

      In the article is a donation link to the Alpine Linux maintainers: https://wiki.alpinelinux.org/wiki/Alpine_Linux:Developers. I had no idea so few developers were maintaining it.

      1. 2

        That seems like a common refrain for most OSS.