[yocto] Yocto Project Manual

Rifenbark, Scott M scott.m.rifenbark at intel.com
Wed Jul 30 23:39:38 PDT 2014


Hi, 

I have modified this paragraph a bit to deal with the best way to get these checksums.  See http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.  If there are further concerns just let me know and I can address them.

Scott

>-----Original Message-----
>From: yocto-bounces at yoctoproject.org [mailto:yocto-
>bounces at yoctoproject.org] On Behalf Of Rifenbark, Scott M
>Sent: Tuesday, July 29, 2014 4:25 AM
>To: Paul Eggleton; Tiemo Krüger
>Cc: yocto at yoctoproject.org
>Subject: Re: [yocto] Yocto Project Manual
>
>Paul,
>
>This sounds reasonable.  I will modify based on that practice.
>
>Thanks,
>Scott
>
>>-----Original Message-----
>>From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
>>Sent: Tuesday, July 29, 2014 3:57 AM
>>To: Rifenbark, Scott M; Tiemo Krüger
>>Cc: yocto at yoctoproject.org
>>Subject: Re: [yocto] Yocto Project Manual
>>
>>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>>> Thanks for noting this and contacting me.  I am reposting to the
>>> yocto at yoctoproject.org group for additional input.  I will get
>>> modifications into the manual.
>>>
>>> Best,
>>> Scott
>>>
>>>
>>> >-----Original Message-----
>>> >From: Tiemo Krüger [mailto:tk at mycable.de]
>>> >Sent: Tuesday, July 29, 2014 2:50 AM
>>> >To: Rifenbark, Scott M
>>> >Subject: Yocto Project Manual
>>> >
>>> >Hello Scott,
>>> >
>>> >I just read a little bit in this doc:
>>> >
>>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>>> >
>>> >and since your eMail is mentioned on top I contact you regarding the
>>> >below paragraph in chapter 5.3.5
>>> >
>>> >"To find these checksums, you can comment the statements out and
>>> >then attempt to build the software. The build will produce an error
>>> >for each missing checksum and as part of the error message provide
>>> >the correct checksum string. Once you have the correct checksums,
>>> >simply copy them into your recipe for a subsequent build."
>>> >
>>> >We here really think this is the wrong way to create the checksums
>>> >for a recipe since downloading them and then creating the checksum
>>> >doesn't protect you against man in the middle attacks.
>>
>>From that point onwards it does, but not on the initial build when
>>creating the recipe, you are correct. If the upstream website does
>>provide checksums or GPG signatures (and quite a lot don't) then you
>>should use those to verify the source that was fetched.
>>
>>> >The text should be modified to say that the checksums must at least be
>>> >checked against the checksums provided by the original website, even if
>>> >this is still not completely safe. And simple command line tools like
>>> >md5sum and sha256sum shall be mentioned.
>>
>>I think the simplest thing is to just add a note which says that you
>>should verify what was fetched against whatever signatures are provided
>>by the upstream (if any). You can still use the build-fail method we
>>currently describe as well so that you get the exact lines you need to
>>put in the recipe rather than having to type those out each time.
>>
>>Cheers,
>>Paul
>>
>>--
>>
>>Paul Eggleton
>>Intel Open Source Technology Centre
>--
>_______________________________________________
>yocto mailing list
>yocto at yoctoproject.org
>https://lists.yoctoproject.org/listinfo/yocto
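The practice agreed on in the thread above (check the fetched tarball against the digest the upstream publishes before copying checksums into the recipe), as an added stand-alone shell example. It is not code from the Yocto manual or from anyone in this thread; the file name foo-1.0.tar.gz, its contents, and the "upstream" SHA256SUMS file are constructed locally so the script runs offline, and the SRC_URI[md5sum] / SRC_URI[sha256sum] lines it emits are in the form a recipe expects.

```shell
#!/bin/sh
# Added example: verify a fetched source archive against the checksum the
# upstream site publishes, then print the recipe checksum lines. Assumes
# coreutils (sha256sum, md5sum) and, for the GPG helper, gpg in PATH.

file_sha256() { sha256sum "$1" | cut -d' ' -f1; }
file_md5()    { md5sum "$1" | cut -d' ' -f1; }

# verify_upstream_sha256 FETCHED_FILE UPSTREAM_SUMS
#   UPSTREAM_SUMS is a file in "<hex digest>  <filename>" format, i.e. what
#   an upstream SHA256SUMS file (and sha256sum -c) uses.
#   Returns 0 on match, 1 on mismatch, 2 if upstream lists no digest for the file.
verify_upstream_sha256() {
    fetched="$1"
    upstream_sums="$2"
    name=$(basename "$fetched")
    expected=""
    while read -r sum listed; do
        # tolerate the "*name" binary-mode marker some projects publish
        [ "${listed#\*}" = "$name" ] && expected="$sum"
    done < "$upstream_sums"
    if [ -z "$expected" ]; then
        echo "no upstream sha256 published for $name" >&2
        return 2
    fi
    actual=$(file_sha256 "$fetched")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 MISMATCH for $name: fetched $actual, upstream $expected" >&2
        return 1
    fi
    return 0
}

# verify_upstream_gpg FETCHED_FILE DETACHED_SIG
#   Only meaningful when the upstream publishes a detached signature and you
#   have obtained and checked the signing key out of band; returns gpg's status.
verify_upstream_gpg() { gpg --verify "$2" "$1"; }

# recipe_checksum_lines FETCHED_FILE
#   Prints the two checksum lines to paste into the recipe.
recipe_checksum_lines() {
    printf 'SRC_URI[md5sum] = "%s"\nSRC_URI[sha256sum] = "%s"\n' \
        "$(file_md5 "$1")" "$(file_sha256 "$1")"
}

# --- Usage with constructed data (no network) ---
workdir=$(mktemp -d)
# Constructed stand-in for the fetched archive: its content is just "hello\n".
printf 'hello\n' > "$workdir/foo-1.0.tar.gz"
# Constructed "upstream" SHA256SUMS: the digest of "hello\n", as if published by the project.
printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  foo-1.0.tar.gz\n' \
    > "$workdir/SHA256SUMS"

if verify_upstream_sha256 "$workdir/foo-1.0.tar.gz" "$workdir/SHA256SUMS"; then
    recipe_checksum_lines "$workdir/foo-1.0.tar.gz"
else
    echo "refusing to write checksums into the recipe" >&2
fi
rm -rf "$workdir"
```

Running the build with the checksum lines commented out, as the manual describes, still gives you the exact lines to paste; the point of the check above is to run it on the same file first, so a tarball replaced in transit is caught before its digest is pinned into the recipe.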
