[yocto] Yocto Project Manual

Rifenbark, Scott M scott.m.rifenbark at intel.com
Tue Jul 29 04:25:14 PDT 2014


Paul,

This sounds reasonable.  I will modify based on that practice. 

Thanks, 
Scott

>-----Original Message-----
>From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
>Sent: Tuesday, July 29, 2014 3:57 AM
>To: Rifenbark, Scott M; Tiemo Krüger
>Cc: yocto at yoctoproject.org
>Subject: Re: [yocto] Yocto Project Manual
>
>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>> Thanks for noting this and contacting me.  I am reposting to the
>> yocto at yoctoproject.org group for additional input.  I will get
>> modifications into the manual.
>>
>> Best,
>> Scott
>>
>>
>> >-----Original Message-----
>> >From: Tiemo Krüger [mailto:tk at mycable.de]
>> >Sent: Tuesday, July 29, 2014 2:50 AM
>> >To: Rifenbark, Scott M
>> >Subject: Yocto Project Manual
>> >
>> >Hello Scott,
>> >
>> >I just read a little bit in this doc:
>> >
>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>> >
>> >and since your eMail is mentioned on top I contact you regarding the
>> >below paragraph in chapter 5.3.5
>> >
>> >"To find these checksums, you can comment the statements out and then
>> >attempt to build the software. The build will produce an error for
>> >each missing checksum and as part of the error message provide the
>> >correct checksum string. Once you have the correct checksums, simply
>> >copy them into your recipe for a subsequent build."
>> >
>> >We here really think this is the wrong way to create the checksums
>> >for a recipe since downloading them and then creating the checksum
>> >doesn't protect you against man in the middle attacks.
>
>From that point onwards it does, but not on the initial build when creating the
>recipe, you are correct. If the upstream website does provide checksums or GPG
>signatures (and quite a lot don't) then you should use those to verify the source
>that was fetched.
>
>> >The text should be modified
>> >that the checksums must at least be checked against the checksums
>> >provided by the original website even if this is still not completely
>> >safe. And simple command line tools like md5sum and sha256sum shall be
>> >mentioned.
>
>I think the simplest thing is to just add a note which says that you should verify
>what was fetched against whatever signatures are provided by the upstream (if
>any). You can still use the build-fail method we currently describe as well so that
>you get the exact lines you need to put in the recipe rather than having to type
>those out each time.
>
>Cheers,
>Paul
>
>--
>
>Paul Eggleton
>Intel Open Source Technology Centre
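The workflow the thread converges on (verify the fetched archive against the checksum list or signature the upstream project publishes, and only then take the checksum lines into the recipe) can be scripted. The following POSIX shell is an added example written for this page, not code from the Yocto Project documentation or from anyone in the thread; the file names foo-1.0.tar.gz, SHA256SUMS and SHA256SUMS.asc are assumptions standing in for whatever an upstream release actually provides.

```shell
#!/bin/sh
# Added example: check a fetched source archive against the checksums the
# upstream project publishes, then emit the SRC_URI checksum lines for the
# recipe. File names below are assumed stand-ins, not a real project's.

# SHA-256 of a file, via coreutils sha256sum.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Look up the expected hash for an archive name in an upstream SHA256SUMS-style
# file ("<hash>  <name>" or "<hash> *<name>" per line). Prints nothing if absent.
expected_sha256() {
    # $1 = SHA256SUMS file, $2 = archive file name
    awk -v name="$2" '$2 == name || $2 == ("*" name) {print $1; exit}' "$1"
}

# Returns 0 if the archive matches the upstream list, 1 on mismatch,
# 2 if the upstream list has no entry for it (do not guess in that case).
verify_archive() {
    archive="$1"; sums="$2"
    want=$(expected_sha256 "$sums" "$(basename "$archive")")
    [ -n "$want" ] || return 2
    got=$(sha256_of "$archive")
    [ "$got" = "$want" ]
}

# Optional: verify a detached OpenPGP signature on the checksum list, so the
# list itself is trusted and not just fetched over the same channel.
verify_signature() {
    # $1 = SHA256SUMS file, $2 = detached signature (.asc)
    command -v gpg >/dev/null 2>&1 || {
        echo "gpg not installed; signature on $1 not checked" >&2
        return 0
    }
    gpg --verify "$2" "$1"
}

# Lines to paste into the recipe once verification has passed; computing them
# locally replaces the comment-out-and-build-fail round trip.
recipe_lines() {
    archive="$1"
    printf 'SRC_URI[md5sum] = "%s"\n' "$(md5sum "$archive" | awk '{print $1}')"
    printf 'SRC_URI[sha256sum] = "%s"\n' "$(sha256_of "$archive")"
}

# Demo on a constructed archive and checksum list (stand-ins for a release).
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/foo-1.0.tar.gz"
    ( cd "$dir" && sha256sum foo-1.0.tar.gz > SHA256SUMS )
    if verify_archive "$dir/foo-1.0.tar.gz" "$dir/SHA256SUMS"; then
        recipe_lines "$dir/foo-1.0.tar.gz"
    else
        echo "checksum mismatch or missing upstream entry; not using archive" >&2
    fi
    rm -rf "$dir"
}

demo
```

verify_archive deliberately distinguishes "mismatch" from "upstream publishes nothing for this file": in the second case the build-fail method still yields the recipe lines, but it only pins whatever was downloaded, which is the point Tiemo raises above.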
