Tool Code Review


(fred) #1

I’m aiming to switch from Kali to another distro with more scrutiny around tools.
With regards to new tools (and tools already added to Parrot OS) is any code review performed to ensure there is no malicious code present?


(Nico Paul) #2

We review all code that is in the parrot repo.
If you search the forum its probably easy to find posts talking about our repo security best practices and implementations… its pretty secure


(Lorenzo "Palinuro" Faletra) #4

we maintain things collaboratively, but no one can push updates to our repo without my manual approval and review (and gpg signature), and all our packages are then recompiled on our build infrastructure in the rare evenience that the binary differs from the source.

moreover we have different build platforms, one for untrusted packages that is frequently destroyed and re-installed, and a secret one for crucial packages like the kernel or the init system helpers

by the way all our build nodes perform the builds in isolated sandboxes, and every build is performed in a clean and genuine environment even on the build nodes for non-critical packages

the workflow is a little bit different for the native debian packages, as we import them directly from the official debian archive and verify the signatures against the debian gpg archive keys. then all the verified packages (sources and binaries) are imported into a testing branch, and they land parrot stable only if they prove to be reliable and fully working without breaking the system.