Security fixes are applied to the main branch only. There are no versioned release tracks at this time.
Do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private security advisory to report a vulnerability confidentially.
Please include:
- A description of the issue and its potential impact
- Steps to reproduce or a proof-of-concept
- The version or commit hash you tested against
You can expect an acknowledgement within 72 hours and a resolution plan within 14 days.
| Endpoint | Authentication |
|---|---|
POST /tug/fetch/<name> |
None — safe by design; only runs git fetch on a local clone |
GET /tug/repo/<name>/manifest.json |
None — clients need this to discover available versions |
GET /tug/repo/<name>/binaries/... |
None by default; Bearer token if download_token is set |
GET /tug/packages, GET /healthz |
None — informational |
GET /tug/build/next, POST /tug/build/.../result |
Bearer worker_secret |
POST /tug/repo/<name>/push |
Bearer worker_secret |
Worker secret — workers build and upload artifacts that clients download and execute. worker_secret is a high-value credential: a compromised secret allows pushing arbitrary binaries to any package on the server. Rotate immediately if exposed.
Download token — per-package optional secret restricting binary downloads. Clients must store it in cleartext in /etc/pkgtug/config.yaml; it is not a substitute for network-level access control.
Binary integrity — every stored binary is SHA256-hashed and the hash is published in manifest.json. The client re-computes the hash after download and aborts installation on mismatch.
Network transport — pkgtug-server listens on plain HTTP. All production deployments must front it with TLS (reverse proxy, Cloudflare Tunnel, etc.). See docs/wiki/deployment.md.
- Webhook flood — the webhook endpoint is intentionally unauthenticated. An attacker who can reach it can repeatedly trigger
git fetch. Mitigated bywebhook_cooldown(default 10 s per package). - Compromised worker — a malicious worker can inject arbitrary binaries. Workers should run in ephemeral, isolated environments (CI VMs, containers) that are discarded after each build.
- Post-install commands —
pkgtug update --allexecutes thepost_installshell commands stored in/etc/pkgtug/state.json. Protect that file with root-only read permissions (chmod 600). - GitHub Releases downloads —
pkgtug install github:owner/repofetches directly fromgithub.comandobjects.githubusercontent.com. Checksum verification is automatic when the release includes a checksum file; there is no verification when no checksum file is present.
CodeQL analysis runs on every push to main. See the CodeQL workflow for current status.