stout 0.2.0

A fast, Rust-based Homebrew-compatible package manager
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276

# Security

Stout implements defense-in-depth security to protect your system.

---

## Security Model Overview

Stout's security is built on multiple layers:

1. **Transport Security** - HTTPS with TLS 1.2+
2. **Index Integrity** - Ed25519 cryptographic signatures
3. **Package Integrity** - SHA256 checksums
4. **Installation Security** - Sandboxed extraction

---

## Transport Security

### HTTPS Required

All network operations use HTTPS:

- Package index downloads
- Bottle (binary package) downloads
- Cask downloads

HTTP URLs are automatically upgraded to HTTPS.

### TLS Requirements

- Minimum TLS 1.2
- Modern cipher suites only
- Certificate validation enforced

---

## Index Integrity

### Ed25519 Signatures

The package index is cryptographically signed using Ed25519:

- Every index update includes a signature
- Signatures are verified before the index is used
- The public key is embedded in the Stout binary

### Signature Verification

```
Index File → SHA256 Hash → Ed25519 Verify → Public Key
```

If verification fails, Stout refuses to use the index.

### Signature Freshness

Signatures include a timestamp. Stout rejects signatures older than the configured maximum age (default: 7 days):

```toml
[security]
max_signature_age = 604800  # 7 days in seconds
```

This prevents replay attacks with old, potentially compromised indexes.

---

## Package Integrity

### SHA256 Checksums

Every package download is verified:

1. Index contains expected SHA256 hash
2. Package is downloaded
3. SHA256 hash is computed
4. Hashes are compared

If hashes don't match, installation is aborted.

### Verification Flow

```
Download → Compute SHA256 → Compare with Index → Install or Abort
```

---

## Installation Security

### Sandboxed Extraction

Package extraction is sandboxed:

- No arbitrary code execution during install
- Files extracted only to designated directories
- Symlinks validated before creation

### No Post-Install Scripts

Unlike Homebrew, Stout doesn't execute Ruby scripts during installation. Package installation is purely file extraction and symlinking.

---

## Configuration

### Security Settings

```toml
[security]
# Require signatures (recommended: true)
require_signature = true

# Allow unsigned packages (recommended: false)
allow_unsigned = false

# Maximum signature age in seconds
max_signature_age = 604800

# Additional trusted public keys
trusted_keys = []
```

### Recommended Settings

For production environments:

```toml
[security]
require_signature = true
allow_unsigned = false
max_signature_age = 604800
```

!!! danger "Never Disable Signature Verification"
    Setting `require_signature = false` or `allow_unsigned = true` removes critical security protections. Only do this in isolated development environments.

---

## Trust Model

### Default Trust

Stout trusts:

1. The embedded Neul Labs public key
2. Any additional keys in `trusted_keys` configuration
3. HTTPS certificates from standard CA roots

### Custom Trust (Enterprise)

For private indexes, add your organization's public key:

```toml
[security]
trusted_keys = [
    "your-base64-encoded-ed25519-public-key"
]
```

Generate a key pair:

```bash
# Generate private key
openssl genpkey -algorithm ED25519 -out private.pem

# Extract public key
openssl pkey -in private.pem -pubout -out public.pem

# Convert to base64 for config
base64 -w0 public.pem
```

---

## Vulnerability Scanning

### Audit Command

Scan installed packages for known vulnerabilities:

```bash
stout audit
```

### Filter by Severity

```bash
stout audit --severity=high
stout audit --severity=critical
```

### Severity Levels

| Level | Description |
|-------|-------------|
| `low` | Minor issues, low impact |
| `medium` | Moderate issues |
| `high` | Serious vulnerabilities |
| `critical` | Severe, actively exploited |

### CVE Database

Stout maintains a vulnerability database synced from public sources. Update it with:

```bash
stout update
```

---

## Comparison with Homebrew

| Feature | Homebrew | Stout |
|---------|----------|-------|
| Transport | HTTPS | HTTPS |
| Index integrity | Git commit hashes | Ed25519 signatures |
| Package integrity | SHA256 | SHA256 |
| Post-install scripts | Ruby execution | None |
| Signature verification | No | Yes |
| CVE scanning | No | Built-in |

---

## Security Best Practices

### Keep Stout Updated

```bash
# Update stout itself
stout upgrade stout
```

### Regular Audits

```bash
# Weekly vulnerability scan
stout audit
```

### Review Before Install

Check package details before installing:

```bash
stout info suspicious-package
```

### Use Pinning for Stability

Pin critical packages to prevent unexpected updates:

```bash
stout pin openssl
stout pin python@3.11
```

### Monitor Outdated Packages

Old packages may have unpatched vulnerabilities:

```bash
stout outdated
```

---

## Reporting Security Issues

Report security vulnerabilities to:

- Email: security@neul-labs.com
- GitHub: Private security advisory

Please do not open public issues for security vulnerabilities.