# Security of "pkg_add -r"



## mnvn (Oct 7, 2012)

How secure is installing packages with pkg_add -r? Are packages validated with checksum/digital signature?

What I mean is that when I install from ports I see that every downloaded file is checked against a SHA256 checksum, so I can be sure that the downloaded file wasn't modified. I don't see such verification with pkg_add -r, so if the remote server was compromised, such a package could contain a backdoor or other bad code.

Thank you very much
Marek


----------



## Mr_P (Oct 7, 2012)

Hello,
I have the same question, but knowing a bit about both sides of the coin... you are not really safe. If you are so concerned about security, you must learn penetration testing and test your own defence to make it better. There are always security issues (more or less significant), and this is why we get new distros or releases of operating systems and software generally. So if you really need a package, just download it. If you don't really need it, live without it or write code yourself (like a small script or program that does the same (or almost the same) job). The professor who introduced FreeBSD to me had the opinion that you must learn to work under the worst circumstances to set up a server (no internet for information or extra software, no GUI). As I can see you are a junior member like me, so if you are young or just have the passion... learn the kernel and code, code, code by yourself (unless something very difficult comes up).
Good luck!


----------



## mnvn (Oct 7, 2012)

Mr_P, what the hell are you talking about? I asked a simple question and you flooded me with a river of banality and spam. Your suggestion "if you really need a package just download it" is Windows-user thinking. I'm not a young newbie, I just want a simple answer and its source.

The question is still open.


----------



## ericbsd (Oct 7, 2012)

mnvn

How secure is installing packages with pkg_add -r?
All packages are in ftp://ftp.freebsd.org/pub/FreeBSD/ports/, which is the FreeBSD FTP server. If you do not trust pkg from the FreeBSD server, I can see why you trust ports when it fetches files from everywhere on the internet. The checksum only guarantees that it is the original file that was ported. That doesn't mean that it is secure.


----------



## mnvn (Oct 7, 2012)

I don't mean that a checksummed file is ultra secure - I know that there could be unknown security issues. I just want to prevent the situation where a file was replaced without the knowledge of the release team, that's it.

After some searching I found that there is an upcoming pkgng which will be able to check digital signatures.


----------



## kpa (Oct 7, 2012)

PKGNG will have the capability to cryptographically sign the repository and verify the package checksums using the signature.
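
The two checks discussed in this thread, side by side, as an added example (not code from the thread, from the old pkg_ tools or from pkgng itself): a ports-style SHA256 check against a `SHA256 (name) = hex` distinfo line, and a digest list signed with a repository key and verified with a public key pinned on the client, which is the shape of what kpa describes. The package name, the sample "package" bytes and the key file names are constructed for the demo. The security point it shows is the one mnvn raised: if the checksum file lives on the same server as the package, an attacker who replaces the package can rewrite the checksum too and the plain check passes; the signed list cannot be regenerated without the private key, so the tampering is caught. (Ports gets away with an unsigned distinfo because it arrives via the ports tree, a separate channel from the distfile mirror.) Needs `sha256sum` (GNU) or `sha256` (FreeBSD) and the `openssl` command-line tool.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeBSD: a distinfo-style SHA256
# check next to a signed digest list. Names, keys and the sample package are
# made up. Requires sha256sum or sha256, and the openssl CLI.
set -eu

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Ports-style check: compare a file with the "SHA256 (name) = hex" line of a
# distinfo file.  $1 = distinfo, $2 = name, $3 = file.  Prints ok, MISMATCH or
# NO-ENTRY and returns non-zero unless the digest matches.
verify_distinfo() {
    want=$(sed -n "s/^SHA256 ($2) = \([0-9a-f]*\)\$/\1/p" "$1")
    if [ -z "$want" ]; then echo NO-ENTRY; return 1; fi
    if [ "$(sha256_of "$3")" = "$want" ]; then echo ok; else echo MISMATCH; return 1; fi
}

# Repository side: the release team keeps the private key, so a compromised
# mirror can replace files and digest lists but cannot produce a valid signature.
make_keypair() {                 # $1 = private key path, $2 = public key path
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}
sign_digests() {                 # $1 = private key, $2 = digest list (writes $2.sig)
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Client side: verify the signature with the pinned public key first, then the
# package against the now-trusted digest list.  $1 = public key, $2 = digest
# list, $3 = name, $4 = file.  Prints ok, BAD-SIGNATURE or MISMATCH.
verify_signed() {
    if ! openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1; then
        echo BAD-SIGNATURE; return 1
    fi
    verify_distinfo "$2" "$3" "$4"
}

# Scenario: a mirror is compromised; the attacker first swaps the package, then
# also rewrites the unsigned digest list so the plain checksum matches again.
demo() {
    d=$(mktemp -d)
    printf 'original package bits\n' > "$d/foo-1.0.tbz"          # constructed "package"
    printf 'SHA256 (foo-1.0.tbz) = %s\n' "$(sha256_of "$d/foo-1.0.tbz")" > "$d/distinfo"
    make_keypair "$d/repo.key" "$d/repo.pub"
    sign_digests "$d/repo.key" "$d/distinfo"

    r1=$(verify_signed "$d/repo.pub" "$d/distinfo" foo-1.0.tbz "$d/foo-1.0.tbz")

    printf 'plus a backdoor\n' >> "$d/foo-1.0.tbz"                 # attacker alters the package
    r2=$(verify_distinfo "$d/distinfo" foo-1.0.tbz "$d/foo-1.0.tbz" || true)

    printf 'SHA256 (foo-1.0.tbz) = %s\n' "$(sha256_of "$d/foo-1.0.tbz")" > "$d/distinfo"
    r3=$(verify_distinfo "$d/distinfo" foo-1.0.tbz "$d/foo-1.0.tbz" || true)  # fooled
    r4=$(verify_signed "$d/repo.pub" "$d/distinfo" foo-1.0.tbz "$d/foo-1.0.tbz" || true)

    rm -rf "$d"
    echo "clean=$r1 tampered=$r2 rehashed=$r3 signed=$r4"
}

demo
```

Running it prints `clean=ok tampered=MISMATCH rehashed=ok signed=BAD-SIGNATURE`: the checksum alone catches a swapped file only while the digest list is still the original one, and once the attacker re-hashes it the check passes, while the signed list fails because `repo.key` was never on the mirror. The trust therefore rests on how the public key reaches the client, which is why a signing scheme still needs the key to be shipped with the base system or pinned out of band rather than fetched from the same repository.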


----------



## NewGuy (Oct 7, 2012)

Anyone know when pkgng will be included in the ports tree? Or if it will be made part of the default OS? It seems like a really good idea and much more friendly than the pkg_ tools or plain ports. Last time I looked at pkgng it still had to be compiled from source after downloading it from a third-party repository.


----------



## kpa (Oct 7, 2012)

It's in the ports tree as ports-mgmt/pkg. 9.1 release candidate and 9-STABLE have a bootstrap program /usr/sbin/pkg that downloads and installs ports-mgmt/pkg. The old pkg tools are still the default.


----------



## Mr_P (Oct 8, 2012)

Sorry for the bad answer, mnvn. No, you can't feel 100% safe downloading ports or packages. You can only be sure if you pentest your system after you have installed the package and it is in use. Have a nice day.


----------

