Security
It is NEVER a good idea to install random binaries from random sources.
Recommended Reading
The amount of work and the near impossibility to ensure that every source used, provide reproducibility, is infeasibly impractical. Even if it were practical, not every pkg/tool provides source code, so this is impractical.
Trust but Verify
!# View Build Script
soar inspect "<PACKAGE>"!# View Logs
soar log "<PACKAGE>"If you get a 404 or it errors out, you can get the full logs here: https://meta.pkgforge.dev/bincache/logs/
Since, the builds aren't reproducible, it's unlikely you will end up with the same checksums if you rebuild/rerun the Build Script
You can use minisign to verify any of our artifacts using the Public Key: https://raw.githubusercontent.com/pkgforge/bincache/refs/heads/main/keys/minisign.pub
All our CI workflows produce attestations for all of the artifacts: https://github.com/pkgforge/bincache/attestations
Devscripts: https://github.com/pkgforge/devscripts
Don't Trust Us
Repos that already publish pre-compiled binaries/packages, . You can compare checksums.
Fork our repos, read & audit our code, setup all the infrastructure, & run all the scripts & build on your own servers
Spooky Things
Follow this guide to analyze a malicious binary/package: https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis
First, it's important to verify that the alert is NOT a False Positive and truly confirm that indeed the Binary is Malicious
Second, check the affected Binary's Build Script, the latest BUILD.log & finally CHECKSUMS as described in above sections.
Third, if you find everything is as it should be, create an Issue & attach Verifiable and Reproducible Proof.
It's important to NOTE that WE DO NOT WRITE/OWN the binaries we compile and CAN NOT BE HELD RESPONSIBLE if the Developer has DELIBERATELY made it Malicious. If that's the case, it's best to Notify Us (Create an Issue OR Contact Us) & also Report To Github the Original Repo like here: https://github.com/orgs/community/discussions/63603
All the Build Servers follow Standard Security Hardening to mitigate Supply Chain Attacks, so a single Malicious Binary is more probable than ALL the binaries being infected.
Once again, to reiterate, the source code of the packages or tools compiled here is not controlled in any way.
It cannot be guaranteed that the upstream source is entirely safe or legitimate. It's upto you to exercise basic common sense and vigilance when using these binaries/packages.
Last updated
Was this helpful?