[yocto] Yocto Project Manual

Paul Eggleton paul.eggleton at linux.intel.com
Tue Jul 29 03:56:56 PDT 2014


On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
> Thanks for noting this and contacting me.  I am reposting to the
> yocto at yoctoproject.org group for additional input.  I will get
> modifications into the manual. 
> 
> Best, 
> Scott
> 
> 
> >-----Original Message-----
> >From: Tiemo Krüger [mailto:tk at mycable.de]
> >Sent: Tuesday, July 29, 2014 2:50 AM
> >To: Rifenbark, Scott M
> >Subject: Yocto Project Manual
> >
> >Hello Scott,
> >
> >I just read a little bit in this doc:
> >
> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
> >
> >and since your eMail is mentioned on top I contact you regarding the below
> >paragraph in chapter 5.3.5
> >
> >"To find these checksums, you can comment the statements out and then
> >attempt to build the software. The build will produce an error for each
> >missing checksum and as part of the error message provide the correct
> >checksum string. Once you have the correct checksums, simply copy them
> >into your recipe for a subsequent build."
> >
> >We here really think this is the wrong way to create the checksums for a
> >recipe since downloading them and then creating the checksum doesn't
> >protect you against man in the middle attacks. 

From that point onwards it does, but not on the initial build when creating 
the recipe, you are correct. If the upstream website does provide checksums or 
GPG signatures (and quite a lot don't) then you should use those to verify the 
source that was fetched.

> >The text should be modified
> >that the checksums must at least be checked against the checksums provided
> >by the original website even if this is still not completely safe. And
> >simple command line tools like md5sum and sha256sum shall be mentioned.

I think the simplest thing is to just add a note which says that you should 
verify what was fetched against whatever signatures are provided by the 
upstream (if any). You can still use the build-fail method we currently 
describe as well so that you get the exact lines you need to put in the recipe 
rather than having to type those out each time.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
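The check Tiemo asks for, written out as an added example (it is not code from this thread or from the Yocto Project): a POSIX shell script that verifies a fetched archive against the SHA256SUMS list the upstream project publishes and only then prints the `SRC_URI[md5sum]` / `SRC_URI[sha256sum]` lines for the recipe, so the build-fail method is replaced for the first build rather than merely supplemented. It assumes GNU coreutils (`sha256sum`, `md5sum`) and `awk`; the archive name, its contents and the upstream checksum file are all constructed in a temporary directory, with the "upstream" list simulated by hashing the genuine release and the tampered download simulated by altering the bytes.

```shell
#!/bin/sh
# Added example, not from the thread or from the Yocto Project: verify a fetched
# source archive against the checksum list upstream publishes, and only then
# emit the checksum lines for the recipe. Assumes GNU coreutils (sha256sum,
# md5sum) and awk. All files below are constructed in a temporary directory.
set -eu

# verify_fetched FILE SUMSFILE
# Returns 0 if FILE's SHA-256 matches the entry for its basename in SUMSFILE
# (the "<hash>  <name>" format that sha256sum -c reads), 1 on mismatch,
# 2 if upstream lists no entry for it at all.
verify_fetched() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name: got $actual, upstream says $expected" >&2
        return 1
    fi
    return 0
}

# recipe_checksum_lines FILE
# Prints the two checksum statements to paste into the recipe, computed from
# a file that has already passed verify_fetched.
recipe_checksum_lines() {
    file=$1
    md5=$(md5sum "$file" | awk '{ print $1 }')
    sha=$(sha256sum "$file" | awk '{ print $1 }')
    printf 'SRC_URI[md5sum] = "%s"\nSRC_URI[sha256sum] = "%s"\n' "$md5" "$sha"
}

# --- constructed fixtures ---------------------------------------------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# What the upstream project actually released, and the SHA256SUMS file it
# publishes alongside it (simulated here by hashing the genuine content).
mkdir -p "$WORKDIR/upstream" "$WORKDIR/fetched-ok" "$WORKDIR/fetched-bad"
printf 'genuine example-1.0 release contents\n' > "$WORKDIR/upstream/example-1.0.tar.gz"
UPSTREAM_SUMS="$WORKDIR/SHA256SUMS"
( cd "$WORKDIR/upstream" && sha256sum example-1.0.tar.gz ) > "$UPSTREAM_SUMS"

# Two "downloads" of that archive: an intact copy, and a copy whose bytes were
# altered in transit. Both carry the filename the recipe expects.
GOOD_TARBALL="$WORKDIR/fetched-ok/example-1.0.tar.gz"
BAD_TARBALL="$WORKDIR/fetched-bad/example-1.0.tar.gz"
cp "$WORKDIR/upstream/example-1.0.tar.gz" "$GOOD_TARBALL"
printf 'altered example-1.0 contents\n' > "$BAD_TARBALL"

# --- demonstration ----------------------------------------------------------
for f in "$GOOD_TARBALL" "$BAD_TARBALL"; do
    if verify_fetched "$f" "$UPSTREAM_SUMS"; then
        echo "verified against upstream: $f"
        recipe_checksum_lines "$f"      # safe to paste into the recipe
    else
        echo "refusing to generate recipe checksums for $f" >&2
    fi
done
```

The point of the ordering is that the recipe lines are derived only from a file that already matched what upstream published; the altered copy is rejected before any checksum for it exists. Where upstream publishes a GPG signature rather than a checksum list, the same structure applies with `gpg --verify` on the detached signature in place of the SHA-256 comparison, which this script does not implement.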


