Solved pkg mirror safety

That only checks if the dependencies are in order. That doesn't mean the package itself is safe though, who's to say that package doesn't contain a backdoor? Using packages from untrusted sources is inherently unsafe.
 
How to assure that the packages are safe?
The one who is talking "safe" has to make transparent what he is thinking of.
Security in IT is not a state but a process, keeping in mind that there never will be something like enduring security.

If you need to trust in something you may feel safe, but you are not necessarily safe by any means.

Downloading binaries comes at a price as ease does not match security.
Official mirrors may be safer than wild ones, but that does not mean you are safe using them.

So if you cannot afford the luxury of downloading binary blobs, you need to build them yourself. That can be done, and fortunately FreeBSD makes it not difficult to do.
 
That only checks if the dependencies are in order. That doesn't mean the package itself is safe though, who's to say that package doesn't contain a backdoor? Using packages from untrusted sources is inherently unsafe.


I have misunderstood the doc.

pkg help check

pkg check -s or pkg check --checksums detects installed packages with invalid checksums. An invalid checksum can be caused by data corruption or tampering.
 
If FreeBSD provides the build options and a corresponding checksum for each pkg binary, it'll be good for third-party support.
 