IMPORTANT NOTE: Paccheck is no longer maintained by IgnorantGuru. The last version produced by IgnorantGuru was paccheck version 0.8.12 (which only works with pacman versions prior to 3.5 due to minor changes in the Arch database format).
MY RECOMMENDATION: Be careful with Arch Linux if you need a reasonably secure system. In my conversations with the primary Arch Linux devs, I found them to disregard users’ security and concerns, and I found that there was a concerted effort to hide relevant security problems from users. The Arch devs consider the distro more like a toy used for experimentation.
The paccheck usage information and installation instructions below are outdated – they apply to the old version 0.8.12 and may not fully apply to newer versions. For the latest information on paccheck, see the Arch Forum Thread.
|Download Links:||No longer maintained here – See note above|
|Description:||Compares Arch Linux pacman sync and package cache to multiple mirrors to help detect compromised mirrors|
|Recommended For:||Arch Linux|
|Tested On:||Arch Linux|
|Current Version:||No longer maintained here – See note above|
|Requires:||curl wget sudo|
|License:||GNU GPL v3 * SEE DISCLAIMER *|
|Discussion:||Arch Forum – LinuxQuestions Forum – Archbang Forum|
paccheck downloads Arch Linux pacman sync database files from multiple mirrors and compares them against pacman’s sync and package cache in an attempt to detect a compromised mirror.
Rationale: Due to the current problem with unsigned packages on Arch Linux’s distribution mirrors, pacman has no way of detecting when files on any mirror have been compromised. Given that Arch has over 150 mirrors around the world, and these mirrors run assorted operating systems and server software, have hundreds of people with access to the servers, and may be stored on misconfigured or compromised servers, there is no way for an Arch user to evaluate the security of a given mirror. For example, if you use the mirror at ftp.tku.edu.tw, you are downloading your Arch updates from an Apache FTP server running on an Ubuntu machine. Thus your system becomes vulnerable to security problems in Ubuntu or caused by misconfigurations on that server.
paccheck helps to minimize this risk by comparing mirrors you choose against your pacman sync. It first runs sudo pacman to sync and download packages due for update on your system (but installs nothing). It then downloads database sync files from all the mirrors you select. It compares these files to your pacman sync files. If they don’t match, it scans your package cache and compares the desc file of each package against the mirror. If they don’t match, it reports this to you. (desc files contain the MD5 sum of the package, used by pacman for archive integrity checking, so tampering with a package on a mirror would also require changing its desc file.) In this way, paccheck is able to determine to some degree whether a problem is caused by an out-of-sync mirror or a compromised mirror. Finally, paccheck tests the sizes of the packages in pacman’s pkg cache.
Note that aside from triggering a pacman sync and package download, paccheck does not modify your system files or correct problems. It merely alerts you in plain english to what it finds. So it is imporant for you to read its report.
Also note that paccheck is not a comprehensive solution to the lack of package signing in Arch. It merely compares mirrors using your network connection. If your network connection or other system components are compromised, paccheck has no way of detecting this or other vulnerabilities. Yet until package signing is added to Arch, this polling method will somewhat improve your update security.
Hopefully you will never see a report of a MISMATCH on a package, but if you do, do not proceed with pacman’s update until you have determined which mirror is inaccurate.
paccheck --help Compares Arch Linux pacman sync and package cache to multiple mirrors to help detect compromised mirrors Usage: paccheck [OPTIONS] OPTIONS: --install PKG [...] Download packages (without sync) and check ONLY those packages, then offer to install --compare 'MIRROR' Fully download and compare all non-expired packages in pacman's pkg cache to MIRROR. Can alternatively be listed in /etc/paccheck/mirrorlist as "compare=MIRROR". MIRROR can also be local dir with packages in MIRROR/pkg/ --targets Limit check and download to current update targets only --verbose Show debugging output --keep Don't remove temporary files in /tmp/paccheck.tmp --alt-size Use alternate slower test of package sizes (useful due to stat bug with btrfs which gives inaccurate results) --skip-size Skip test of package sizes --no-sync No pacman update - mainly for use in scripts. paccheck requires an updated pacman sync and package cache. Before running "paccheck --no-sync" be sure to run: sudo pacman -Sy sudo pacman -w --noconfirm -Su Full System Update Procedure: 1) Run paccheck and examine report 2) If no package MISMATCH then run "sudo pacman -Su" to update your system Desired mirrors may be configured in /etc/paccheck/mirrorlist NOTE: paccheck only tests these official repositories (if configured): core extra community community-staging community-testing gnome-unstable kde-unstable multilib multilib-testing staging testing Exit Status: 3 Package MISMATCH, download failures, or other errors 2 Packages missing from some mirrors 1 Out of sync mirrors (DATABASE CONTENT MISMATCH) or other warnings 0 All OK
The system update procedure with paccheck is:
paccheck # then, if you're comfortable with paccheck's report: sudo pacman -Su
When run with no options, paccheck runs “pacman -Sy” (update your database) and “sudo pacman -w –noconfirm -Su” (downloads needed updates but installs nothing). It then checks the files and gives you a report. Nothing is installed.
Another example: to install new packages ‘abc’ and ‘xyz’ to the system:
sudo pacman -Sy # sync first if desired paccheck --install abc xyz
This will download the packages and their dependencies, check only those targets (including full mirror compare if configured), and offer to install them. Be sure to read the report to determine if installation is indicated.
If you are concerned about the unlikely possibility of fraudulent packages constructed with an MD5 collision, you can use one or more ––compare ‘MIRROR’ options. paccheck will fully download all non-expired packages in your cache from MIRROR, and will compare them byte-for-byte. To limit the download to current update targets only, include the ––targets option.
––no-sync is provided for scripts. Be sure to update pacman and download needed packages before running paccheck with this option, or you won’t check what’s needed. Prior to running “paccheck ––nosync” you should run:
sudo pacman -Sy sudo pacman -w --noconfirm -Su # download, no install
IMPORTANT NOTE: Paccheck is no longer maintained by IgnorantGuru. The last version produced by IgnorantGuru was paccheck version 0.8.12 (which only works with pacman versions prior to 3.5). For the latest information on paccheck, see the Arch Forum Thread and the AUR package. The usage information and installation instructions below are for version 0.8.12 and may not fully apply to newer versions.
You can use the AUR or “packer -S paccheck”.
Or, follow the standard Script Installation Instructions.
For greatest security, use Tier 1 mirrors, or Tier 2 mirrors that use a variety of Tier 1 mirrors as their upstream. See http://www.archlinux.org/mirrors/ Observe the Tier number of the mirrors, and click on a Tier 2 mirror to see its upstream Tier 1 mirror. You can also check the mirror status to find the most up-to-date mirrors.
Desired mirrors can be configured in /etc/paccheck/mirrorlist. If you didn’t install using the AUR, you’ll need to create this file (as root):
mkdir /etc/paccheck touch /etc/paccheck/mirrorlist
Then edit that file as root, and copy any mirrors you want to use from /etc/pacman.d/mirrorlist (paccheck accepts mirror entries in the same format as that file). Here is a default mirrorlist:
# Compare pacman sync and package cache to these mirrors: # Copy desired mirrors from /etc/pacman.d/mirrorlist Server = http://mirror.aarnet.edu.au/pub/archlinux/$repo/os/$arch Server = ftp://ftp5.gwdg.de/pub/linux/archlinux/$repo/os/$arch Server = http://ftp.tku.edu.tw/Linux/ArchLinux/$repo/os/$arch # Example - Do full package download and compare on this mirror # (same as --compare command line option): # Compare = ftp://ftp5.gwdg.de/pub/linux/archlinux/$repo/os/$arch
No comments yet.