Anagnostakis Ioannis edited this page 2026-06-25 03:12:30 +03:00

Security

slacker is fail-closed: a bad signature or a failed integrity check stops the operation, it never warns-and-continues. Verification, key pinning, and a quarantine model work together.


Verification at a glance

%%{init: {'theme':'base','themeVariables':{'primaryColor':'#161b22','primaryBorderColor':'#1f6feb','primaryTextColor':'#e6edf3','lineColor':'#6e7781','fontFamily':'monospace'}}}%%
flowchart TB
  U["slacker update"]:::blue --> G{"CHECKSUMS.md5<br/>vs its .asc signature"}
  G -->|good| OK["metadata accepted"]:::green
  G -->|bad / key changed| DROP["metadata discarded,<br/>repo warned, others continue"]:::grey
  I["install a package"]:::blue --> V{"per-package check<br/>(policy = VERIFY)"}
  V -->|".txz.asc GPG"| VG["verified: gpg"]:::green
  V -->|"md5 / sha"| VM["integrity verified"]:::green
  V -->|"nothing available"| STOP["install stops"]:::grey
  classDef grey fill:#0d1117,stroke:#6e7781,color:#8b949e;
  classDef blue fill:#0d1117,stroke:#1f6feb,color:#e6edf3;
  classDef green fill:#0d1117,stroke:#2ea043,color:#e6edf3;

On update

Once a repo's key is imported, slacker verifies its CHECKSUMS.md5 against the detached signature on every update. If that signature is bad or the key is missing, the whole update is not aborted: slacker warns, discards that repo's freshly fetched metadata so unverified data is never used, continues with the other repos, and then tells you how to proceed if you trust the repo anyway.

On install

Each package is checked according to the repo's policy. Slackware ships a per-package .txz.asc, so under the default all policy slacker also GPG-verifies the package itself when a signature is present (falling back to the md5 from the signature-verified CHECKSUMS otherwise), and prints which checks passed (e.g. verified: gpg (signer) + md5). At least one of gpg/md5/sha must pass; if none is available, the install stops.


The VERIFY policy

Set globally in slacker.conf and overridable per repo with a verify= flag in repos.

| Policy | Behaviour |
|---|---|
| all (default) | GPG verified when present (a bad signature always fails); at least one integrity checksum (md5 or sha) must match. If neither is available, install stops. |
| gpg,md5,sha (a required list) | Requires every listed method; if one is absent slacker stops and explains how to relax it. |
| none | Disables verification — slacker prints a warning after update and in check-updates naming that repo. Applies to file:// repos too. |

The official repo gets no exemption: official only affects install-new scope and ChangeLog tracking, never verification.


Key pinning (trust on first use)

%%{init: {'theme':'base','themeVariables':{'primaryColor':'#161b22','primaryBorderColor':'#1f6feb','primaryTextColor':'#e6edf3','lineColor':'#6e7781','fontFamily':'monospace'}}}%%
flowchart LR
  F["first GPG-KEY import"]:::green --> PIN["fingerprint pinned"]:::blue
  PIN --> L{"later import:<br/>same fingerprint?"}
  L -->|yes| OK["accepted"]:::green
  L -->|no| REJ["refused —<br/>possible key substitution"]:::grey
  classDef grey fill:#0d1117,stroke:#6e7781,color:#8b949e;
  classDef blue fill:#0d1117,stroke:#1f6feb,color:#e6edf3;
  classDef green fill:#0d1117,stroke:#2ea043,color:#e6edf3;

The first time a repo's GPG-KEY is imported, slacker pins its fingerprint. On every later import the fetched key must match the pinned one; a changed or substituted key is refused as a possible attack rather than trusted silently.

For a subtree repo the key is fetched from the parent/root URL, where Slackware keeps the one key that signs the whole tree, so extra/, testing/ and patches/ pin the same fingerprint as the official repo.

Run slacker update gpg once before trusting a mirror.
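A worked model of the decisions described above (the VERIFY policy table and the fingerprint pinning), as added example code rather than slacker's own source: the function names, the True/False/None-per-check data model and the rule that an explicit checksum mismatch is fatal under all are assumptions, and the CHECKSUMS.md5 excerpt is constructed.

```python
import hashlib
from typing import Optional
# Constructed sample, not real Slackware data: CHECKSUMS.md5 lists "md5  ./path" per file.
PKG_DATA = b"constructed package bytes"
CHECKSUMS = (hashlib.md5(PKG_DATA).hexdigest() + "  ./slackware64/a/foo-1.0-x86_64-1.txz\n"
             "00000000000000000000000000000000  ./slackware64/a/bar-2.0-x86_64-1.txz\n")

def md5_check(checksums: str, path: str, data: bytes) -> Optional[bool]:
    """Compare data with the md5 listed for path in a CHECKSUMS.md5 whose signature has
    already been verified. True = match, False = mismatch, None = no entry to check."""
    for line in checksums.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[1] == path:
            return hashlib.md5(data).hexdigest() == parts[0].lower()
    return None

def verify_policy(policy: str, gpg: Optional[bool], md5: Optional[bool],
                  sha: Optional[bool]) -> tuple[bool, str]:
    """Fail-closed install decision for one package. Each check is True (passed), False
    (failed) or None (not available); policy is 'all', 'none' or a list like 'gpg,md5'."""
    checks = {"gpg": gpg, "md5": md5, "sha": sha}
    if policy == "none":
        return True, "verification disabled for this repo (warning printed)"
    if gpg is False:  # a bad signature always fails, whatever the policy
        return False, "bad GPG signature"
    if policy == "all":
        if False in (md5, sha):  # assumption: an explicit mismatch is always fatal
            return False, "checksum mismatch"
        if md5 is None and sha is None:
            return False, "no integrity checksum available: install stops"
        return True, "verified: " + " + ".join(m for m, ok in checks.items() if ok)
    required = [m.strip() for m in policy.split(",")]
    for method in required:
        if method not in checks:
            return False, f"unknown verify method {method!r}"
        if checks[method] is None:
            return False, f"{method} required but unavailable: relax verify= to continue"
        if checks[method] is False:
            return False, f"{method} check failed"
    return True, "verified: " + " + ".join(required)

def check_pin(pins: dict, repo: str, fingerprint: str) -> tuple[bool, str]:
    """Trust on first use: pin the fingerprint on first import, refuse any later change."""
    if repo not in pins:
        pins[repo] = fingerprint
        return True, "fingerprint pinned"
    if pins[repo] != fingerprint:
        return False, "refused: fingerprint changed, possible key substitution"
    return True, "accepted"
```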


Quarantine and trust

A repository that fails vetting — unreachable, or serving metadata that looks malformed or hostile — is put into quarantine and provides no packages until you act.

| Command | What it does |
|---|---|
| vet-repo NAME | Re-run the safety vetting on demand (quarantine on fail, clear on pass). |
| trust-repo NAME | Lift a quarantine you judge a false positive (overriding the verdict, at your responsibility). |
| distrust-repo NAME | Manually quarantine (freeze) a repo yourself. |

A freshly added or as-yet-untrusted repo is light-vetted on the next update; add-repo and vet-repo run a thorough vet. Quarantine state is shown by list-repos and status.