Add checksum info in pkg definitions (`sqlpkg.lock`)

[joeljuca]

Hello Anton,

First of all – what an awesome project! Thank you for providing such needed tool to the SQLite community!

So, I just made my very first steps over sqlpkg and among the first things I noticed was 1) there's no central pkg registry/storage, and 2) there's no checksum info about pkg downloads. The first one I can comprehend, it'd be very hard to build and maintain such tool, but the second one is quite dangerous: any pkg author could swap a release and inject malicious code in an SQLite extension.

Even if all of your authors are trustworthy people who'd never do such an attack, not having a checksum step could potentially give an attacker, who manages to get author's credentials somehow, to inject malicious code without being noticed for quite some time. I think it could be of a great improvement if sqlpkg could, somehow, make sure the download file (ex.: a zip release file from github.com) is the exact one I'm interested by some cryptographic ways (checksums).

Some popular package managers like npm and Yarn does it, so they could serve as inspiration for the implementation.

[nalgeon]

Hi Joel! Thanks for your interest in Sqlpkg!

I think that when you initially install a package, you essentially trust the author. No amount of checksums will save you if they are actually a malicious actor.

Enforcing checksums in sqlpkg.lock will probably help against the version swapping. But it won't help against a malicious actor releasing a newer package version (which you get when you run update).

[joeljuca]

Anton, It sounds about right. I do trust an author when I download one of its released versions. However, I don't quite trust 1) the network, 2) the author will always keep their security setup up to date (he/she might as well leak their credentials somehow, or just forget to keep their projects' security setup as safe as it can/should be). If we're talking reproducibility (and therefore, SBOM security), checksums could play a great role in making sure we're not downloading files from some MitM. Sent from Proton Mail for iOS

…

On Wed, May 14, 2025 at 6:09 PM, Anton Zhiyanov ***@***.***> wrote: nalgeon left a comment (nalgeon/sqlpkg-cli#23) Hi Joel! Thanks for your interest in Sqlpkg! I think that when you initially install a package, you essentially trust the author. No amount of checksums will save you if they are actually a malicious actor. Enforcing checksums in `sqlpkg.lock` will probably help against the version swapping. But it won't help against a malicious actor releasing a newer package version (which you get when you run `update`). — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.