Security

It is NEVER a good idea to install random binaries from random sources.

The amount of work required, and the near impossibility of ensuring that every source used provides reproducibility, makes this impractical. Even if it were practical, not every pkg/tool provides source code, so full verification is not feasible.


Trust but Verify

# View Build Script
soar inspect "<PACKAGE>"

If you get a 404 or it errors out, you can get the build script here: https://github.com/pkgforge/soarpkgs/tree/main/packages

# View Logs
soar log "<PACKAGE>"

If you get a 404 or it errors out, you can get the full logs for Toolpacks (BinCache) here:

If you get a 404 or it errors out, you can get the full logs for PkgCache here:

Since the builds aren't reproducible, it's unlikely you will end up with the same checksums if you rebuild/rerun the Build Script.


Don't Trust Us

  1. For repos that already publish pre-compiled binaries/packages, nothing is changed, so you can compare checksums. Exceptions:

  • For binaries, debug symbols and comments are stripped; this will change the checksum.

  • For packages, icons and desktop files are edited/fixed & patched (and sometimes repacked); this will change the checksum.

  • To preserve checksums wherever possible, we don't sign any of our binaries, as we already have Logs + Checksums.

  2. Fork our repos, read & audit our code, set up all the infrastructure, & run all the scripts & builds on your own servers.
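The checksum comparison described in "Trust but Verify" and "Don't Trust Us" boils down to one check: compute the digest of what you downloaded and compare it with the published entry before you run it. The script below is an added example, not Soar's or pkgforge's own tooling. It assumes the checksums file uses sha256sum's "<hex>  <filename>" line format (the exact layout of the project's CHECKSUMS files is an assumption here), and it builds its own sample files so it runs offline.

```shell
#!/bin/sh
# Added example, not Soar's or pkgforge's own tooling: verify a downloaded
# artifact against a CHECKSUMS-style file before running it.
# Assumption: the checksums file uses sha256sum's "<hex>  <filename>" lines
# (a leading "*" on the filename, as written in binary mode, is tolerated).

# sha256_of FILE: print the SHA-256 hex digest; works with GNU coreutils
# (sha256sum) and BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE CHECKSUMS_FILE
# exit status: 0 = match, 1 = digest mismatch, 2 = no entry for FILE's basename
verify_artifact() {
  file=$1
  sums=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "NO ENTRY: $name is not listed in $sums" >&2
    return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Constructed demo data standing in for a downloaded binary and its CHECKSUMS.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/good-tool"
printf 'hello\n' > "$demo_dir/tampered-tool"
printf 'hello\n' > "$demo_dir/unlisted-tool"
{
  printf '%s  good-tool\n' "$(sha256_of "$demo_dir/good-tool")"
  # Deliberately wrong digest: simulates a file that differs from what was published.
  printf '%s  tampered-tool\n' "0000000000000000000000000000000000000000000000000000000000000000"
} > "$demo_dir/CHECKSUMS"

# run_demo: check each sample file and say whether it is safe to proceed.
run_demo() {
  for f in good-tool tampered-tool unlisted-tool; do
    if verify_artifact "$demo_dir/$f" "$demo_dir/CHECKSUMS"; then
      echo "  -> safe to proceed with $f"
    else
      echo "  -> do NOT run $f"
    fi
  done
}
run_demo
```

A mismatch is not proof of tampering on its own: as the text notes, the builds are not reproducible, so a digest you compute from your own rebuild will normally differ. The digest that must match is the one published alongside the artifact you actually downloaded; treat an unlisted file or a mismatch as "do not run until explained".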


Spooky Things

  1. First, it's important to verify that the alert is NOT a false positive and to confirm that the binary is indeed malicious.

  2. Second, check the affected binary's Build Script, the latest BUILD.log & finally CHECKSUMS, as described in the sections above.

  3. Third, if you find everything is as it should be, create an Issue & attach verifiable and reproducible proof.

It's important to NOTE that WE DO NOT WRITE/OWN the binaries we compile and CAN NOT BE HELD RESPONSIBLE if the Developer has DELIBERATELY made it Malicious. If that's the case, it's best to Notify Us (Create an Issue OR Contact Us) & also Report To Github the Original Repo like here: https://github.com/orgs/community/discussions/63603

  1. All the Build Servers follow Standard Security Hardening to mitigate Supply Chain Attacks, so a single Malicious Binary is more probable than ALL the binaries being infected.

  2. Once again, to reiterate, the source code of the packages or tools compiled here is not controlled in any way.

It cannot be guaranteed that the upstream source is entirely safe or legitimate. It's up to you to exercise basic common sense and vigilance when using these binaries/packages.
