| | 349 | |
| | 350 | == Information security and the integrity of the MacPorts base sofware and individual packages == |
| | 351 | |
| | 352 | === What controls are in place to check that the MacPorts utility is not tainted with malicious contributions and that the port scripts are not installing other than what it says on a Portfile? === |
| | 353 | |
| | 354 | For the integrity of the base software: |
| | 355 | * the MacPorts.dmg installer is signed by one of the project members, so that ensures the integrity of the initial installation. |
| | 356 | * the selfupdate process also uses signed tarballs that are checked against a public key that is part of the installation. |
| | 357 | |
| | 358 | MacPorts only gives commit access to people who have a considerable history of good contributions. |
| | 359 | Everyone else has to open pull requests which are reviewed by committers before being merged. |
| | 360 | |
| | 361 | For the integrity of the ports tree: |
| | 362 | * the distributed ports tree is also signed and the signature is verified when syncing the Portfiles. |
| | 363 | * the Portfiles itself come from the GitHub git repository, so the whole ports tree can be identified by a commit hash. |
| | 364 | |
| | 365 | It's not impossible that a committer could "turn evil" (though that would probably be noticed), or that software could be packaged that was compromised upstream. |
| | 366 | |
| | 367 | For the integrity of the Portfiles: |
| | 368 | * that relies on what is merged into the ports tree, which are developed on GitHub with Pull Requests and reviews by project members. |
| | 369 | * the Portfiles also contain checksums to verify the upstream sources used for building the software. |
| | 370 | * all downloaded have to be the same for all users (also a requirement in order to mirror these distfiles correctly). |
| | 371 | |
| | 372 | The base code, ports tree, and most upstream software has source readily available, so definitely do your own audit of all of that before using it for anything critical. |
| | 373 | |
| | 374 | === How to verify the integrity of a MacPorts installation? === |
| | 375 | |
| | 376 | You could in principle compare existing installation of the base software to a signed tar ball. |
| | 377 | Currently, there is no ready existing tooling for that. |
| | 378 | Also, some ports will be built locally, so there won't be a single "canonical" signed tarball for everything available. |
| | 379 | |
| | 380 | === What does MacPorts in capabilities for auditing of installation? === |
| | 381 | |
| | 382 | Being open source, MacPorts is inherently more auditable than proprietary binaries, but the drawback is you have to assume responsibility yourself. |
| | 383 | The MacPorts project is not in a position to make any guarantees and has to disclaim all liability. |
| | 384 | As far as integrity of the local files, we're mainly just relying on filesystem permissions. |
| | 385 | A third party file integrity checker should work fine though. |
