[yocto] Yocto Project Manual

Rifenbark, Scott M scott.m.rifenbark at intel.com
Thu Jul 31 06:36:28 PDT 2014


Ahh... okay.  I will adjust.

Thanks,
Scott

>-----Original Message-----
>From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
>Sent: Thursday, July 31, 2014 2:32 AM
>To: Rifenbark, Scott M
>Cc: Tiemo Krüger; yocto at yoctoproject.org
>Subject: Re: [yocto] Yocto Project Manual
>
>This isn't quite what I was thinking of. Yes you should probably use the upstream
>signatures if they provide them, but it's going to be rare that both md5sum and
>sha256sum will be provided in my experience. That's why I was
>suggesting:
>
>1) Recommend if *any* signatures are provided upstream (e.g. md5, sha1,
>sha256, GPG, etc.) then you should verify these, by hand if necessary (since we
>only deal with sha256sum and md5sum). This probably should be a note box so
>that the importance is highlighted.
>
>2) Once that step has been performed if applicable, use the build-fail
>mechanism to get what you need added to the recipe.
>
>Cheers,
>Paul
>
>On Thursday 31 July 2014 06:39:38 Rifenbark, Scott M wrote:
>> Hi,
>>
>> I have modified this paragraph a bit to deal with the best way to get
>> these checksums.  See
>> http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.
>> If there are further concerns just let me know and I can address them.
>>
>> Scott
>>
>> >-----Original Message-----
>> >From: yocto-bounces at yoctoproject.org [mailto:yocto-
>> >bounces at yoctoproject.org] On Behalf Of Rifenbark, Scott M
>> >Sent: Tuesday, July 29, 2014 4:25 AM
>> >To: Paul Eggleton; Tiemo Krüger
>> >Cc: yocto at yoctoproject.org
>> >Subject: Re: [yocto] Yocto Project Manual
>> >
>> >Paul,
>> >
>> >This sounds reasonable.  I will modify based on that practice.
>> >
>> >Thanks,
>> >Scott
>> >
>> >>-----Original Message-----
>> >>From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
>> >>Sent: Tuesday, July 29, 2014 3:57 AM
>> >>To: Rifenbark, Scott M; Tiemo Krüger
>> >>Cc: yocto at yoctoproject.org
>> >>Subject: Re: [yocto] Yocto Project Manual
>> >>
>> >>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>> >>> Thanks for noting this and contacting me.  I am reposting to the
>> >>> yocto at yoctoproject.org group for additional input.  I will get
>> >>> modifications into the manual.
>> >>>
>> >>> Best,
>> >>> Scott
>> >>>
>> >>> >-----Original Message-----
>> >>> >From: Tiemo Krüger [mailto:tk at mycable.de]
>> >>> >Sent: Tuesday, July 29, 2014 2:50 AM
>> >>> >To: Rifenbark, Scott M
>> >>> >Subject: Yocto Project Manual
>> >>> >
>> >>> >Hello Scott,
>> >>> >
>> >>> >I just read a little bit in this doc:
>> >>> >
>> >>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>> >>> >
>> >>> >and since your eMail is mentioned on top I contact you regarding
>> >>> >the below paragraph in chapter 5.3.5
>> >>> >
>> >>> >"To find these checksums, you can comment the statements out and
>> >>> >then attempt to build the software. The build will produce an
>> >>> >error for each missing checksum and as part of the error message
>> >>> >provide the correct checksum string. Once you have the correct
>> >>> >checksums, simply copy them into your recipe for a subsequent build."
>> >>> >
>> >>> >We here really think this is the wrong way to create the
>> >>> >checksums for a recipe since downloading them and then creating
>> >>> >the checksum doesn't protect you against man in the middle attacks.
>> >>
>> >>From that point onwards it does, but not on the initial build when
>> >>creating the recipe, you are correct. If the upstream website does
>> >>provide checksums or GPG signatures (and quite a lot don't) then you
>> >>should use those to verify the source that was fetched.
>> >>
>> >>> >The text should be modified so
>> >>> >that the checksums must at least be checked against the checksums
>> >>> >provided by the original website even if this is still not
>> >>> >completely safe. And simple command line tools like md5sum and
>> >>> >sha256sum shall be mentioned.
>> >>
>> >>I think the simplest thing is to just add a note which says that you
>> >>should verify what was fetched against whatever signatures are
>> >>provided by the upstream (if any). You can still use the build-fail
>> >>method we currently describe as well so that you get the exact lines
>> >>you need to put in the recipe rather than having to type those out each time.
>> >>
>> >>Cheers,
>> >>Paul
>> >>
>> >>--
>> >>
>> >>Paul Eggleton
>> >>Intel Open Source Technology Centre
>> >
>> >--
>> >_______________________________________________
>> >yocto mailing list
>> >yocto at yoctoproject.org
>> >https://lists.yoctoproject.org/listinfo/yocto
>
>--
>
>Paul Eggleton
>Intel Open Source Technology Centre
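
The procedure the thread settles on (verify the fetched archive against whatever the upstream publishes first, then take the checksum lines for the recipe) in shell, as an added example that is not part of this thread or of the Yocto manual. It assumes GNU coreutils md5sum/sha256sum on PATH; the archive name foo-1.0.tar.gz, its contents and the SHA256SUMS file are constructed for the demo, and the SHA-256 value in it is the known digest of the string "hello" followed by a newline.

```shell
#!/bin/sh
# Added example, not from the thread or the Yocto manual: verify a fetched
# source archive against the checksum list the upstream publishes, and only
# then emit the SRC_URI checksum lines for the recipe. Assumes GNU coreutils
# md5sum/sha256sum on PATH; the sample archive and sums file are constructed.
set -eu

# digest TOOL FILE: print the hex digest of FILE as computed by TOOL
# (md5sum or sha256sum).
digest() {
    tool=$1; file=$2
    "$tool" "$file" | cut -d' ' -f1
}

# verify_against_sumsfile FILE SUMSFILE TOOL
# SUMSFILE uses the "<hex>  <name>" layout that md5sum/sha256sum produce and
# that upstreams commonly publish as MD5SUMS or SHA256SUMS (a leading '*' on
# the name marks binary mode and is ignored). Returns 0 when the entry for
# FILE's basename matches, 1 on mismatch, 2 when the list has no entry for it.
verify_against_sumsfile() {
    file=$1; sums=$2; tool=$3
    name=$(basename "$file")
    expected=$(awk -v n="$name" '
        { f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    [ "$(digest "$tool" "$file")" = "$expected" ]
}

# recipe_checksum_lines FILE: the two lines to paste into the recipe. Run this
# only after verification succeeded; a digest of an unverified download merely
# pins whatever was fetched, which is the problem raised in the thread.
recipe_checksum_lines() {
    file=$1
    printf 'SRC_URI[md5sum] = "%s"\n' "$(digest md5sum "$file")"
    printf 'SRC_URI[sha256sum] = "%s"\n' "$(digest sha256sum "$file")"
}

# Demo on constructed data: a stand-in archive whose content is "hello\n",
# an upstream-style SHA256SUMS carrying the known digest of that content,
# and a tampered copy that must be rejected.
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/foo-1.0.tar.gz"
    printf '%s  foo-1.0.tar.gz\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        > "$dir/SHA256SUMS"
    if verify_against_sumsfile "$dir/foo-1.0.tar.gz" "$dir/SHA256SUMS" sha256sum; then
        echo "foo-1.0.tar.gz: matches upstream SHA256SUMS"
        recipe_checksum_lines "$dir/foo-1.0.tar.gz"
    else
        echo "foo-1.0.tar.gz: CHECKSUM MISMATCH, do not add to the recipe" >&2
    fi
    printf 'hello!\n' > "$dir/foo-1.0.tar.gz"    # simulate a tampered download
    if verify_against_sumsfile "$dir/foo-1.0.tar.gz" "$dir/SHA256SUMS" sha256sum; then
        echo "tampered copy unexpectedly passed" >&2
    else
        echo "tampered copy: CHECKSUM MISMATCH, rejected" >&2
    fi
    rm -rf "$dir"
}

demo
```

Where the upstream publishes a detached GPG signature rather than a sums file, the stronger check is `gpg --verify foo-1.0.tar.gz.sig foo-1.0.tar.gz` against a signing key obtained out of band; once either check has passed, the build-fail mechanism only saves retyping the lines that `recipe_checksum_lines` prints.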