
Security concern: Unknown package source added after installation

Open startle09 opened this issue 2 months ago • 5 comments

Hello maintainers, first of all thank you for RR, a very convenient tool! While using it I ran into a few problems that I would like to ask about and confirm.

Problem

After installing DSM with RR, I found that the system had automatically added a source named “imnks” under Package Sources. I did not add it, and I believe it is not bundled by Synology either.

Questions

  1. I could not find any logic related to adding “imnks” in the repository code. Is this a source intentionally added in the official image, or has the image been tampered with?
  2. If it was deliberately added by the project, where exactly in the code is this package source injected/written? How can it be disabled or changed at build time?

Suggestions

A suggestion about using GitHub Actions to build automatically and upload Releases:

Could you provide an official GitHub Actions workflow that automates the build from source to rr.img, so that users can verify that the downloaded image matches the source code, reducing the risk of the image being “spiked” and improving auditability and reproducibility?

Also, I looked through the README, guide.md, docs, the official website and the repository layout, but could not find a complete build guide. Could the project provide a minimal usable local build guide?

Finally, thank you for your work!


Hello maintainers, thank you for the great work on RR. I encountered a few issues and would like to confirm and ask for guidance.

Issue

After installing DSM with RR, I found an automatically added package source named “imnks” under Package Center > Sources. I did not add it, and I believe it’s not an official Synology source either.

Questions

I couldn’t find any logic related to adding “imnks” in this repository’s code. Is this package source intentionally added by the official image, or has the image been tampered with? If it is intentionally added by the project, where exactly in the code is this package source injected/written? How can we disable or modify this source at build time?

Suggestions

Regarding GitHub Actions and Release builds:

Could you provide an official GitHub Actions workflow to automate building rr.img from source and publishing Releases? This would allow users to verify that the downloaded image matches the source code, reduce the risk of “extra payloads,” and improve auditability and reproducibility. Additionally, I’ve checked README, guide.md, docs, the website, and the repository structure, but couldn’t find a complete build guide. Could you provide a minimal, end-to-end local build guide?

Thank you for your efforts!

startle09 avatar Oct 13 '25 03:10 startle09

Please fill in the following information.

Install ENV: (You can find it in the boot interface.)

  • DMI:
  • CPU:
  • NIC: (pid & vid)

RR version: (You can find it in the update menu.)

  • RR:
  • addons:
  • modules:
  • lkms:

DSM:

  • model:
  • version:

Issue:

logs:

(## Because the log contains some sensitive information such as SN/MAC, please delete them when providing the complete file. Of course, you can also send it to my email. ##)
...

(Plz review the content of #173, #175, #226 first)
...

(If you just say XXX doesn't work without providing any details, I can only say thank you for your feedback.)
...

github-actions[bot] avatar Oct 13 '25 03:10 github-actions[bot]

imnks is the 矿神 source... RR adds it automatically on first boot; it can be removed.

bdrwu avatar Oct 13 '25 07:10 bdrwu

It is added by default by the misc component in addons. At the moment these two package sources are among the more reliable public ones; if there is a security problem, you can report it to the package source author.

```sh
# packages
# Seed DSM's package feed list only if it does not exist yet (first boot).
if [ ! -f /usr/syno/etc/packages/feeds ]; then
  mkdir -p /usr/syno/etc/packages
  echo '[{"feed":"https://spk7.imnks.com","name":"imnks"},{"feed":"https://packages.synocommunity.com","name":"synocommunity"}]' >/usr/syno/etc/packages/feeds
fi
```

jim3ma avatar Oct 13 '25 09:10 jim3ma
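For anyone who wants to audit what the misc addon left behind, the following is an added example (not RR's or DSM's own code) that parses the `/usr/syno/etc/packages/feeds` JSON array quoted above, reports feeds that are not on an operator-chosen allowlist, and produces a filtered list with a named feed removed. The allowlist and the `audit_file` helper are assumptions for illustration; the sample feed list is the one quoted in the comment above.

```python
import json
import os
from typing import Dict, List, Set

# Path the misc addon writes on first boot (from the snippet quoted in this issue).
FEEDS_PATH = "/usr/syno/etc/packages/feeds"

# Constructed sample input: the exact list the addon writes, as quoted above.
SAMPLE_FEEDS = (
    '[{"feed":"https://spk7.imnks.com","name":"imnks"},'
    '{"feed":"https://packages.synocommunity.com","name":"synocommunity"}]'
)

# Hypothetical allowlist: the feeds this operator has decided to trust.
# Anything else found in the file is reported as unexpected.
DEFAULT_ALLOWLIST: Set[str] = {"https://packages.synocommunity.com"}


def parse_feeds(text: str) -> List[Dict[str, str]]:
    """Parse the feeds file: a JSON array of {"feed": url, "name": label} objects."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("feeds file must be a JSON array")
    for entry in data:
        if not isinstance(entry, dict) or "feed" not in entry or "name" not in entry:
            raise ValueError(f"malformed feed entry: {entry!r}")
    return data


def _norm(url: str) -> str:
    # Compare URLs case-insensitively and ignore a trailing slash.
    return url.strip().rstrip("/").lower()


def unexpected_feeds(text: str, allowlist: Set[str] = DEFAULT_ALLOWLIST) -> List[Dict[str, str]]:
    """Return every entry whose URL is not in the allowlist."""
    allowed = {_norm(u) for u in allowlist}
    return [e for e in parse_feeds(text) if _norm(e["feed"]) not in allowed]


def remove_feed(text: str, name: str) -> str:
    """Return the feeds JSON with every entry named `name` dropped, serialised in the
    same compact form the addon writes (no whitespace between tokens)."""
    kept = [e for e in parse_feeds(text) if e["name"] != name]
    return json.dumps(kept, separators=(",", ":"))


def audit_file(path: str = FEEDS_PATH, allowlist: Set[str] = DEFAULT_ALLOWLIST) -> List[Dict[str, str]]:
    """Audit the live feeds file if present; an absent file has nothing to report."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as f:
        return unexpected_feeds(f.read(), allowlist)


if __name__ == "__main__":
    for e in unexpected_feeds(SAMPLE_FEEDS):
        print(f"unexpected feed: {e['name']} -> {e['feed']}")
    # What the file would contain after dropping the imnks entry.
    print(remove_feed(SAMPLE_FEEDS, "imnks"))
```

`remove_feed` only returns the new content; writing it back to the real path on a DSM box is left to the operator, since the file is owned by root and DSM's Package Center re-reads it on its own schedule.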

Currently the build goes through a GitHub Action: https://github.com/RROrg/rr-build/blob/main/.github/workflows/rr.yml, but some of the repositories are private, so you may not be able to build it entirely yourself.

jim3ma avatar Oct 13 '25 09:10 jim3ma

https://rrorg.cn/archives/Use%20guide

wjz304 avatar Oct 25 '25 03:10 wjz304