[yocto] Yocto Project Manual

Paul Eggleton paul.eggleton at linux.intel.com
Thu Jul 31 06:45:32 PDT 2014


On reflection, it could be that the manual verification step is after you get 
the error to make things flow a bit more easily; the critical thing is it 
should be before you paste the values into the recipe and continue on with the 
build.

Cheers,
Paul

On Thursday 31 July 2014 13:36:28 Rifenbark, Scott M wrote:
> Ahh... okay.  I will adjust.
> 
> Thanks,
> Scott
> 
> >-----Original Message-----
> >From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
> >Sent: Thursday, July 31, 2014 2:32 AM
> >To: Rifenbark, Scott M
> >Cc: Tiemo Krüger; yocto at yoctoproject.org
> >Subject: Re: [yocto] Yocto Project Manual
> >
> >This isn't quite what I was thinking of. Yes you should probably use the
> >upstream signatures if they provide them, but it's going to be rare that
> >both md5sum and sha256sum will be provided in my experience. That's why I
> >was suggesting:
> >
> >1) Recommend if *any* signatures are provided upstream (e.g. md5, sha1,
> >sha256, GPG, etc.) then you should verify these, by hand if necessary
> >(since we only deal with sha256sum and md5sum). This probably should be a
> >note box so that the importance is highlighted.
> >
> >2) Once that step has been performed if applicable, use the build-fail
> >mechanism to get what you need added to the recipe.
> >
> >Cheers,
> >Paul
> >
> >On Thursday 31 July 2014 06:39:38 Rifenbark, Scott M wrote:
> >> Hi,
> >> 
> >> I have modified this paragraph a bit to deal with the best way to get
> >> these checksums.  See
> >> http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.
> >> If there are further concerns just let me know and I can address them.
> >> 
> >> Scott
> >> 
> >> >-----Original Message-----
> >> >From: yocto-bounces at yoctoproject.org [mailto:yocto-
> >> >bounces at yoctoproject.org] On Behalf Of Rifenbark, Scott M
> >> >Sent: Tuesday, July 29, 2014 4:25 AM
> >> >To: Paul Eggleton; Tiemo Krüger
> >> >Cc: yocto at yoctoproject.org
> >> >Subject: Re: [yocto] Yocto Project Manual
> >> >
> >> >Paul,
> >> >
> >> >This sounds reasonable.  I will modify based on that practice.
> >> >
> >> >Thanks,
> >> >Scott
> >> >
> >> >>-----Original Message-----
> >> >>From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
> >> >>Sent: Tuesday, July 29, 2014 3:57 AM
> >> >>To: Rifenbark, Scott M; Tiemo Krüger
> >> >>Cc: yocto at yoctoproject.org
> >> >>Subject: Re: [yocto] Yocto Project Manual
> >> >>
> >> >>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
> >> >>> Thanks for noting this and contacting me.  I am reposting to the
> >> >>> yocto at yoctoproject.org group for additional input.  I will get
> >> >>> modifications into the manual.
> >> >>> 
> >> >>> Best,
> >> >>> Scott
> >> >>> 
> >> >>> >-----Original Message-----
> >> >>> >From: Tiemo Krüger [mailto:tk at mycable.de]
> >> >>> >Sent: Tuesday, July 29, 2014 2:50 AM
> >> >>> >To: Rifenbark, Scott M
> >> >>> >Subject: Yocto Project Manual
> >> >>> >
> >> >>> >Hello Scott,
> >> >>> >
> >> >>> >I just read a little bit in this doc:
> >> >>> >
> >> >>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
> >> >>> >
> >> >>> >and since your eMail is mentioned on top I contact you regarding
> >> >>> >the below paragraph in chapter 5.3.5
> >> >>> >
> >> >>> >"To find these checksums, you can comment the statements out and
> >> >>> >then attempt to build the software. The build will produce an
> >> >>> >error for each missing checksum and as part of the error message
> >> >>> >provide the correct checksum string. Once you have the correct
> >> >>> >checksums, simply copy them into your recipe for a subsequent
> >> >>> >build."
> >> >>> >
> >> >>> >We here really think this is the wrong way to create the
> >> >>> >checksums for a recipe since downloading them and then creating
> >> >>> >the checksum doesn't protect you against man-in-the-middle attacks.
> >> >>
> >> >>From that point onwards it does, but not on the initial build when
> >> >>creating the recipe, you are correct. If the upstream website does
> >> >>provide checksums or GPG signatures (and quite a lot don't) then you
> >> >>should use those to verify the source that was fetched.
> >> >>
> >> >>> >The text should be modified
> >> >>> >that the checksums must at least be checked against the checksums
> >> >>> >provided by the original website even if this is still not
> >> >>> >completely safe. And simple command line tools like md5sum and
> >> >>> >sha256sum shall be mentioned.
> >> >>
> >> >>I think the simplest thing is to just add a note which says that you
> >> >>should verify what was fetched against whatever signatures are
> >> >>provided by the upstream (if any). You can still use the build-fail
> >> >>method we currently describe as well so that you get the exact lines
> >> >>you need to put in the recipe rather than having to type those out each
> >> >>time.
> >> >>
> >> >>Cheers,
> >> >>Paul
> >> >>
> >> >>--
> >> >>
> >> >>Paul Eggleton
> >> >>Intel Open Source Technology Centre
> >> >
> >> >--
> >> >_______________________________________________
> >> >yocto mailing list
> >> >yocto at yoctoproject.org
> >> >https://lists.yoctoproject.org/listinfo/yocto
> >
> >--
> >
> >Paul Eggleton
> >Intel Open Source Technology Centre

-- 

Paul Eggleton
Intel Open Source Technology Centre
