Updated, up and running. The best, lightest and fastest distro so far!
Anyway, I've got involved in an argument with some "clever" guys on reddit and now it bothers me a bit too. Is there any procedure/tool to verify all the installed packages and/or files? Like it's done with debsums in Debian, for example.
I'm feeling more and more inclined to use Void on my production servers and am really concerned about security.
Thank you in advance.
You mean like xbps-pkgdb -a?
@ahesford
check/fix issues and modify the package database (pkgdb). It's able to check for missing dependencies, modified files and symlinks, and more errors that have been fixed in newer versions of xbps
Erm... I mean something like 'debsums', to check the installed packages (and the files included) for consistency, so that the hashes match and I can be sure that my system is not compromised due to some hacking attempt on the official repository.
xbps-pkgdb -a will check for package consistency (dependencies aren't missing) and package contents (files aren't missing and are the correct hashes).
The hashes/signatures of packages are checked at the time of install, similar to Debian.
The only files not checked are those marked "mutable" or "configuration" because, as the category names suggest, these files are subject to change on individual systems.
Hashes are stored locally, so as long as you trusted the Void repo at the time of install, you can continue to trust the validation of xbps-pkgdb -a. There is no method to verify that a repo hasn't been compromised.
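An added illustration, not part of the thread and not xbps code: the kind of check the answer above describes, written in Python. The manifest layout, the function names and the file paths are constructed for this example and are not the xbps package database format.

```python
import hashlib
import os
import tempfile

# Categories the answer above says are not hash-checked.
SKIPPED = {"mutable", "configuration"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record(root, rel, kind):
    """Manifest entry (constructed layout) holding the install-time hash."""
    return {"path": rel, "kind": kind,
            "sha256": sha256_file(os.path.join(root, rel))}

def verify(root, manifest):
    """Compare files under root with the stored hashes; return {path: status}."""
    result = {}
    for entry in manifest:
        full = os.path.join(root, entry["path"])
        if entry["kind"] in SKIPPED:
            result[entry["path"]] = "skipped"    # expected to differ per system
        elif not os.path.isfile(full):
            result[entry["path"]] = "missing"
        elif sha256_file(full) != entry["sha256"]:
            result[entry["path"]] = "modified"
        else:
            result[entry["path"]] = "ok"
    return result

def demo():
    """Constructed sample: record four files, then change or remove some."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/tool": "regular", "lib/libx.so": "regular",
                 "etc/tool.conf": "configuration", "var/cache.db": "mutable"}
        for rel in files:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write("original " + rel)
        manifest = [record(root, rel, kind) for rel, kind in files.items()]
        for rel in ("bin/tool", "etc/tool.conf"):    # changes after install
            with open(os.path.join(root, rel), "a") as f:
                f.write(" changed")
        os.remove(os.path.join(root, "lib/libx.so"))
        return verify(root, manifest)
```

A status of "ok" only means the file still matches the hash recorded at install time, which is the limit the answer above states.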
compromised due to some hacking attempt on the official repository
First, there are signatures for packages; if they can't be verified, xbps will not install the package.
But if the official repository is really compromised, including private keys, checking the checksum of files doesn't do anything, as the source of those checksums is the compromised package signed with the compromised key.
@abenson, @ahesford, @Duncaen Thank you, guys! I'm closing this then. I'm still learning Void.
Best regards and have a nice day!