Security

It is NEVER a good idea to install random binaries from random sources.

Ensuring that every upstream source we use is reproducible would take an amount of work that makes it near-impossible in practice. Even if it were practical, not every package or tool ships its source code, so full reproducibility is simply not achievable here.


Trust but Verify

# View the Build Script
soar inspect "<PACKAGE>"
# View the Build Logs
soar log "<PACKAGE>"

If you get a 404 or the command errors out, the full logs are also available here: https://meta.pkgforge.dev/bincache/logs/

Since the builds aren't reproducible, it's unlikely you will end up with the same checksums if you rebuild or rerun the Build Script yourself.

You can use minisign to verify any of our artifacts using the Public Key: https://raw.githubusercontent.com/pkgforge/bincache/refs/heads/main/keys/minisign.pub
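The `minisign` CLI does the verification in one step (`minisign -Vm <file> -p minisign.pub`, with the `.minisig` file next to the artifact). The following is an added example, not part of the original page or of pkgforge's tooling: it parses the minisign public-key and signature formats so you can see what is actually being checked. The sample key and signature text are constructed in the block (random-looking bytes, not the real pkgforge key); the key id, algorithm tag and prehash logic follow the published minisign format, and Ed25519 verification itself is delegated to the third-party `cryptography` package when it is installed.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class MinisignPublicKey:
    key_id: bytes  # 8 bytes; minisign prints it as a little-endian u64 in hex
    key: bytes     # 32-byte Ed25519 public key


@dataclass
class MinisignSignature:
    algorithm: bytes         # b"Ed" = legacy (signs the file), b"ED" = prehashed (signs BLAKE2b-512 of the file)
    key_id: bytes            # must match the public key's id before verifying anything
    signature: bytes         # 64-byte Ed25519 signature over the (pre-hashed) file
    trusted_comment: str     # covered by the global signature below
    global_signature: bytes  # Ed25519 over signature || trusted_comment


def parse_public_key(text: str) -> MinisignPublicKey:
    """Parse minisign.pub: an 'untrusted comment:' line, then base64("Ed" || key_id || pubkey)."""
    lines = text.strip().splitlines()
    raw = base64.b64decode(lines[-1])
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign public key")
    return MinisignPublicKey(key_id=raw[2:10], key=raw[10:])


def parse_signature(text: str) -> MinisignSignature:
    """Parse a .minisig: untrusted comment, base64 sig blob, 'trusted comment:' line, base64 global sig."""
    lines = text.strip().splitlines()
    if len(lines) != 4 or not lines[2].startswith("trusted comment: "):
        raise ValueError("malformed .minisig file")
    raw = base64.b64decode(lines[1])
    if len(raw) != 74 or raw[:2] not in (b"Ed", b"ED"):
        raise ValueError("unsupported signature algorithm")
    global_sig = base64.b64decode(lines[3])
    if len(global_sig) != 64:
        raise ValueError("bad global signature length")
    return MinisignSignature(raw[:2], raw[2:10], raw[10:], lines[2][len("trusted comment: "):], global_sig)


def key_id_hex(key_id: bytes) -> str:
    """Render the key id the way minisign prints it (little-endian u64, upper-case hex)."""
    return "%016X" % int.from_bytes(key_id, "little")


def key_ids_match(pub: MinisignPublicKey, sig: MinisignSignature) -> bool:
    return pub.key_id == sig.key_id


def message_to_verify(sig: MinisignSignature, data: bytes) -> bytes:
    """Prehashed ("ED") signatures are over BLAKE2b-512 of the file; legacy ("Ed") over the raw file."""
    if sig.algorithm == b"ED":
        return hashlib.blake2b(data, digest_size=64).digest()
    return data


def verify(pub: MinisignPublicKey, sig: MinisignSignature, data: bytes) -> bool:
    """Full verification: key id check, file signature, then the global signature over the trusted comment."""
    if not key_ids_match(pub, sig):
        raise ValueError("signature was made with a different key id: %s" % key_id_hex(sig.key_id))
    try:  # Ed25519 is not in the standard library; this is an assumption about the environment.
        from cryptography.exceptions import InvalidSignature
        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    except ImportError as exc:
        raise RuntimeError("install the 'cryptography' package, or use the minisign CLI") from exc
    pk = Ed25519PublicKey.from_public_bytes(pub.key)
    try:
        pk.verify(sig.signature, message_to_verify(sig, data))
        pk.verify(sig.global_signature, sig.signature + sig.trusted_comment.encode())
    except InvalidSignature:
        return False
    return True


# Constructed sample data (NOT a real key or signature); key id 00..07, all-zero key/signature bytes.
SAMPLE_KEY_ID = bytes(range(8))
SAMPLE_PUBKEY = "untrusted comment: minisign public key (constructed sample)\n" + \
    base64.b64encode(b"Ed" + SAMPLE_KEY_ID + bytes(32)).decode()
SAMPLE_SIG = "untrusted comment: signature from constructed sample key\n" + \
    base64.b64encode(b"ED" + SAMPLE_KEY_ID + bytes(64)).decode() + \
    "\ntrusted comment: timestamp:0\tfile:example\n" + base64.b64encode(bytes(64)).decode()
SAMPLE_SIG_WRONG_KEY = SAMPLE_SIG.replace(
    base64.b64encode(b"ED" + SAMPLE_KEY_ID + bytes(64)).decode(),
    base64.b64encode(b"ED" + bytes(8) + bytes(64)).decode())
```

The key-id check matters: a valid signature from some other key still fails, and the error message tells you which key id signed the file so you can compare it with the id printed in the public key's untrusted comment. The trusted comment is covered by the global signature, so a tampered `file:` or `timestamp:` field is detected; the untrusted comment is not signed at all and should never be relied on.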

All our CI workflows also produce build provenance attestations for every artifact: https://github.com/pkgforge/bincache/attestations


Don't Trust Us

  1. For repos that already publish pre-compiled binaries/packages, you can compare their checksums with ours. Expect differences, because we post-process what we build:

  • For binaries, debug symbols and comments are stripped, which changes the checksum.

  • For packages, icons and desktop files are edited/fixed and patched (and the package may even be repacked), which changes the checksum.

  2. Fork our repos, read & audit our code, set up all the infrastructure yourself, and run all the scripts and builds on your own servers.


Spooky Things

  1. First, verify that the alert is NOT a false positive and confirm that the binary is indeed malicious.

  2. Second, check the affected binary's Build Script, the latest BUILD.log and finally the CHECKSUMS, as described in the sections above.

  3. Third, if everything on our side checks out and the binary is still malicious, create an Issue and attach verifiable and reproducible proof.

It's important to NOTE that WE DO NOT WRITE/OWN the binaries we compile and CANNOT BE HELD RESPONSIBLE if the upstream developer has DELIBERATELY made them malicious. If that's the case, it's best to notify us (create an Issue OR contact us) and also report the original repo to GitHub, as described here: https://github.com/orgs/community/discussions/63603

  1. All the build servers follow standard security hardening to mitigate supply-chain attacks, so a single malicious binary (i.e. a compromised upstream) is far more probable than ALL of the binaries being infected.

  2. Once again, to reiterate: the source code of the packages or tools compiled here is not controlled by us in any way.

It cannot be guaranteed that the upstream source is entirely safe or legitimate. It's up to you to exercise basic common sense and vigilance when using these binaries/packages.
