# Security of building from ports



## chavez243ca (Dec 2, 2010)

In light of the recent compromise of ProFTPd source code, I am curious if there are any safeguards built into FreeBSD ports that would have mitigated this issue at all. I know there are your basic MD5 and SHA1 fingerprint checks - but what is the source of the fingerprint?

I don't think using portaudit addresses this scenario either.

Thoughts?


----------



## SirDice (Dec 2, 2010)

The only safeguard would be the port maintainer. S/He is the one that commits the fingerprint. There's no 'source' for that fingerprint; it's made locally by the port maintainer.


----------



## chavez243ca (Dec 2, 2010)

That's kind of what I figured - so if the port maintainer accepts the source as pure and just fingerprints it, the port will be tainted and we would be none the wiser.

I think there is sometimes the perception that building from source is more secure than going the binary route.

Thanks for your input.


----------



## wblock@ (Dec 2, 2010)

portaudit would warn about the port if it was installed, or prevent it from being installed. After the problem was known, that is; it wouldn't detect it automatically.


----------



## SirDice (Dec 3, 2010)

wblock said:

> portaudit would warn about the port if it was installed, or prevent it from being installed. After the problem was known, that is; it wouldn't detect it automatically.

It also won't notice the difference between the backdoored proftpd-1.3.3c and the clean proftpd-1.3.3c because both have the same version.


----------



## ckester (Dec 3, 2010)

chavez243ca said:

> That's kind of what I figured - so if the port maintainer accepts the source as pure and just fingerprints it, the port will be tainted and we would be none the wiser.
> 
> I think there is sometimes the perception that building from source is more secure than going the binary route.
> 
> Thanks for your input.

Not sure what you mean by "going the binary route". The binary packages you install with pkg_add are built from the same source code "accepted" by the maintainer. So going with packages is neither more nor less secure than building the ports.

If you mean that we should be downloading some binaries built and blessed by the upstream authors, you're probably unaware that this would mean sacrificing most of the 22,000+ things in the FreeBSD ports/packages system -- because most of those upstream authors are focused exclusively on Linux.

The port maintainers do work with sources obtained as directly as possible from those upstream authors, and our checksums ensure that those sources haven't been surreptitiously replaced when you download the distfile _(usually from the same place where the maintainer got it)_. So in all but the most unusual cases, when a third-party app or library is running on FreeBSD, it's no less secure than it would be on Linux. Those RPMs were built from that same source code too!

(I'll leave aside the question of whether it might be more secure on FreeBSD because the underlying OS is.)

The real issue here is where you are getting your source tarballs, packages, RPMs or whatnot. If you're not downloading them from the original author's site or a reputable repository (which includes the freebsd.org servers!), you're asking for trouble.

But yeah, if the source code is compromised even on the original author's site, there's nothing in the ports or packages system that will detect it.  As Warren says, portaudit can only tell you about it after the exploit becomes known.

Instead of looking to the ports/packages for remedies, perhaps you should be asking whether FreeBSD's jails provide the best protection against this kind of exploit?


----------
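Added example, not code from the thread or from the ports tree: a small shell round-trip in the distinfo format (`SHA256 (file) = hash` and `SIZE (file) = bytes` lines) that plays out the two cases SirDice and ckester describe. The distfile name is the one from the thread; the tarball bytes are constructed stand-ins, and the `sha256_of`, `make_distinfo`, `check_distinfo` and `demo` names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or the ports tree: a minimal
# distinfo-style checksum round-trip. It shows what the maintainer's fingerprint
# does prove (the distfile you fetched is byte-for-byte what the maintainer
# fetched) and what it cannot prove (that the maintainer's copy was clean).
# All tarball contents below are constructed stand-ins, not real distfiles.

sha256_of() {  # hex SHA-256 of a file: FreeBSD sha256(1) or GNU sha256sum
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# Write distinfo entries for a distfile, as a maintainer does from the copy they fetched.
make_distinfo() {  # $1 = distfile, $2 = distinfo path
    f=$(basename "$1")
    printf 'SHA256 (%s) = %s\n' "$f" "$(sha256_of "$1")" > "$2"
    printf 'SIZE (%s) = %s\n' "$f" "$(wc -c < "$1" | tr -d ' ')" >> "$2"
}

# Check a distfile against distinfo: 0 if hash and size match, 1 otherwise.
check_distinfo() {  # $1 = distfile, $2 = distinfo path
    f=$(basename "$1")
    want=$(sed -n "s/^SHA256 ($f) = //p" "$2")
    size=$(sed -n "s/^SIZE ($f) = //p" "$2")
    [ -n "$want" ] && [ "$want" = "$(sha256_of "$1")" ] &&
        [ "$size" = "$(wc -c < "$1" | tr -d ' ')" ]
}

# Two constructed cases with the same version string, as in SirDice's point.
demo() {
    d=$(mktemp -d); n=proftpd-1.3.3c.tar.gz
    printf 'clean source\n' > "$d/$n"
    make_distinfo "$d/$n" "$d/distinfo"        # maintainer fingerprints a clean copy
    printf 'clean source\nextra\n' > "$d/$n"   # your download was swapped on a mirror
    check_distinfo "$d/$n" "$d/distinfo" && r1=accepted || r1=rejected
    make_distinfo "$d/$n" "$d/distinfo"        # maintainer fingerprints a tainted copy
    check_distinfo "$d/$n" "$d/distinfo" && r2=accepted || r2=rejected
    rm -rf "$d"
    echo "mirror-swap:$r1 upstream-tainted:$r2"   # mirror-swap:rejected upstream-tainted:accepted
}
```

The second case is the thread's scenario: once the tainted tarball is what the maintainer fingerprints, the checksum stage passes and only a later advisory (portaudit) or an independent comparison against a known-good copy can reveal it.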

