[Solved] Opkg local unsigned package install

seems that opkg let install a local downloaded ipk without checking the signature. Signature check seems provided only when you install/upgrade from remote site. In term of security if i've root access and sftp server running i can install quite everithings. I think that the same situation is for kernel modules.

Is my analisysy correct ? if so how to avoid the security issue ?

Thanks in advance

Is my analisysy correct ?


if so how to avoid the security issue ?

Do not allow root access. Bypassing opkg imposed restrictions would be trivial (e.g. wget -O - http://example.org/package.ipk | tar -Oxzf - ./data.tar.gz | tar -C / -tz)

thanks for your prompt reply