Security

It is NEVER a good idea to install random binaries from random sources.

Trust but Verify

All the Build Scripts & workflows are completely open-source. You are free to audit & scrutinize everything.

Check the Package Page & Look for Build Script :
Using Soar

!# View Build Script
soar inspect "<PACKAGE>"

Build Logs

Using Soar

!# View Logs
soar log "<PACKAGE>"

Checksums: SHA256SUM & BLAKE3SUM

Since, the builds aren't reproducible, it's unlikely you will end up with the same checksums if you rebuild/rerun the Build Script

Signed Artifacts

If it still doesn't inspire confidence, there's a Docker Image you can Configure to Run & Reproduce any Binary/Build Script on your own Secure System.

Don't Trust Us

Repos that already publish pre-compiled binaries/packages, . You can compare checksums.

Fork our repos, read & audit our code, setup all the infrastructure, & run all the scripts & build on your own servers

Spooky Things

Second, check the affected Binary's Build Script, the latest BUILD.log & finally CHECKSUMS as described in above sections.
Third, if you find everything is as it should be, create an Issue & attach Verifiable and Reproducible Proof.

Once again, to reiterate, the source code of the packages or tools compiled here is not controlled in any way.

It cannot be guaranteed that the upstream source is entirely safe or legitimate. It's upto you to exercise basic common sense and vigilance when using these binaries/packages.

PreviousPackage-Request Nextpkgcache

Last updated 3 months ago

Was this helpful?

Trust but Verify

All the Build Scripts & workflows are completely open-source. You are free to audit & scrutinize everything.

Check the Package Page & Look for Build Script :
Using Soar

!# View Build Script
soar inspect "<PACKAGE>"

Build Logs

Check the Package Page & Look for Build Log :
Using Soar

!# View Logs
soar log "<PACKAGE>"

If you get a 404 or it errors out, you can get the full logs here:

Checksums: SHA256SUM & BLAKE3SUM

Since, the builds aren't reproducible, it's unlikely you will end up with the same checksums if you rebuild/rerun the Build Script

Signed Artifacts

You can use to verify any of our artifacts using the Public Key:

All our CI workflows produce attestations for all of the artifacts:

If it still doesn't inspire confidence, there's a Docker Image you can Configure to Run & Reproduce any Binary/Build Script on your own Secure System.

Devscripts:
Dockerfiles:

Don't Trust Us

Repos that already publish pre-compiled binaries/packages, . You can compare checksums.

For , Debug Symbols, Comments are stripped, this will change the checksum
For , Icons, Desktops (& even repacking) are edited/fixed & patched, this will change the checksum

Fork our repos, read & audit our code, setup all the infrastructure, & run all the scripts & build on your own servers

Spooky Things

Follow this guide to analyze a malicious binary/package:

First, it's important to verify that the alert is and truly confirm that indeed the
Second, check the affected Binary's Build Script, the latest BUILD.log & finally CHECKSUMS as described in above sections.
Third, if you find everything is as it should be, create an Issue & attach Verifiable and Reproducible Proof.

It's important to NOTE that WE DO NOT WRITE/OWN the binaries we compile and CAN NOT BE HELD RESPONSIBLE if the Developer has DELIBERATELY made it Malicious. If that's the case, it's best to Notify Us (Create an Issue OR ) & also like here:

All the follow to mitigate , so a single Malicious Binary is more probable than ALL the binaries being infected.
Once again, to reiterate, the source code of the packages or tools compiled here is not controlled in any way.

It cannot be guaranteed that the upstream source is entirely safe or legitimate. It's upto you to exercise basic common sense and vigilance when using these binaries/packages.

Check the Package Page & Look for Build Log :

If you get a 404 or it errors out, you can get the full logs here:

You can use to verify any of our artifacts using the Public Key:

All our CI workflows produce attestations for all of the artifacts:

Devscripts:

Dockerfiles:

For , Debug Symbols, Comments are stripped, this will change the checksum

For , Icons, Desktops (& even repacking) are edited/fixed & patched, this will change the checksum

Follow this guide to analyze a malicious binary/package:

First, it's important to verify that the alert is and truly confirm that indeed the

It's important to NOTE that WE DO NOT WRITE/OWN the binaries we compile and CAN NOT BE HELD RESPONSIBLE if the Developer has DELIBERATELY made it Malicious. If that's the case, it's best to Notify Us (Create an Issue OR ) & also like here:

All the follow to mitigate , so a single Malicious Binary is more probable than ALL the binaries being infected.

https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/

https://news.ycombinator.com/item?id=26203853

A cautionary tale from the decline of SourceForge

Downloading PuTTY Safely Is Nearly Impossible (2014)

Post-xz backdoor, how to know when to trust niche-distro binaries?

Hysp (Frontend PKG Manager)

featured on HN

https://news.ycombinator.com/item?id=38457926

The XZ Backdoor

Reproducible Builds

https://pkgs.pkgforge.dev/

https://meta.pkgforge.dev/bincache/logs/

minisign

https://raw.githubusercontent.com/pkgforge/bincache/refs/heads/main/keys/minisign.pub

Build Attestations & Provenance

https://github.com/pkgforge/bincache/attestations

https://github.com/pkgforge/devscripts

https://github.com/pkgforge/devscripts/tree/main/Github/Runners

Binaries

Packages

https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis

NOT a False Positive

Binary is Malicious

Contact Us

Report To Github the Original Repo

https://github.com/orgs/community/discussions/63603

Build Servers

Standard Security Hardening

Supply Chain Attacks

Security

Security

Recommended Reading

Trust but Verify

Don't Trust Us

Spooky Things

Recommended Reading

Trust but Verify

Don't Trust Us

Spooky Things