The archlinux-inputs-fsck from kpcyrd

Hi! 👋

I'm an open-source developer with a background in offensive security, web security, computer networks and supply-chain security.

🛠️ Offensive Security Tools

🚢 Supply-Chain Security Tools

👾 Memory-safe Firmware

🌏 Network Tools

📑 Documentation

🚩 Capture The Flag

📦 Packaging

I package software in the official repositories of multiple Linux distributions:

💲 Funding

All my open-source work is currently funded by myself and donations from Github Sponsors.

📫 Contacting

You can find me as kpcyrd on irc (hackint, libera, oftc, overthewire), Twitter DM to @kpcyrd or DM kpcyrd on cncf slack. I read my emails infrequently.

archlinux-inputs-fsck's People

Contributors

Stargazers

Watchers

archlinux-inputs-fsck's Issues

Recognise tags pinned by their object hash instead of their name as secure

archlinux-inputs-fsck currently only recognises Git sources pinned by a commit hash as secure. However as outlined in a recent arch-dev-public mailing list post, pinning the SHA-1 hash of the tag object is as secure as pinning the commit ID:

_tag=1234567890123456789012345678901234567890 # git rev-parse "$tag_name"
source=("git+$url?signed#tag=$_tag")

Therefore is_commit_securely_pinned() should distinguish the case when the tag "name" is a 40-digit hex ID and return true in this case.

Is it possible to use it on an AUR package repo

Helo!

It's probably me that don't understand something. I try to run archlinux-inputs-fsck on a little aur package I maintian, and it fails with the following errors.

     Running `target/release/archlinux-inputs-fsck check --all -W ./urxvt-font-size-git/`
[2022-11-06T18:15:14Z INFO  archlinux_inputs_fsck] Checking "PKGBUILD"
[2022-11-06T18:15:14Z INFO  archlinux_inputs_fsck] Checking "urxvt-font-size.install"
[2022-11-06T18:15:14Z INFO  archlinux_inputs_fsck] Checking ".SRCINFO"
[2022-11-06T18:15:14Z INFO  archlinux_inputs_fsck] Checking ".gitignore"
[2022-11-06T18:15:14Z ERROR archlinux_inputs_fsck] Failed to check package: ".gitignore" => Failed to run bash: Not a directory (os error 20)
[2022-11-06T18:15:14Z ERROR archlinux_inputs_fsck] Failed to check package: "PKGBUILD" => Failed to run bash: Not a directory (os error 20)
[2022-11-06T18:15:14Z ERROR archlinux_inputs_fsck] Failed to check package: ".SRCINFO" => Failed to run bash: Not a directory (os error 20)
[2022-11-06T18:15:14Z ERROR archlinux_inputs_fsck] Failed to check package: "urxvt-font-size.install" => Failed to run bash: Not a directory (os error 20)
archlinux-inputs-fsck (main ●) $

I'm wondering if it's failing, because it assumes two layers of folder (e.g.: svntogit-community/package-name/PKGBUILD), while this one has only one layer package-name/PKGBUILD? If you have the answer on the top of your head, it'd be nice to know, otherwise I'll try to check the code and find out when I have time. :)

Recommend Projects

kpcyrd / archlinux-inputs-fsck Goto Github PK

archlinux-inputs-fsck's Introduction