[yocto] Yocto Project Manual

Rifenbark, Scott M scott.m.rifenbark at intel.com
Thu Jul 31 06:48:00 PDT 2014


ok

>-----Original Message-----
>From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
>Sent: Thursday, July 31, 2014 6:46 AM
>To: Rifenbark, Scott M
>Cc: Tiemo Krüger; yocto at yoctoproject.org
>Subject: Re: [yocto] Yocto Project Manual
>
>On reflection, it could be that the manual verification step is after you get the
>error to make things flow a bit more easily; the critical thing is it should be
>before you paste the values into the recipe and continue on with the build.
>
>Cheers,
>Paul
>
>On Thursday 31 July 2014 13:36:28 Rifenbark, Scott M wrote:
>> Ahh... okay.  I will adjust.
>>
>> Thanks,
>> Scott
>>
>> >-----Original Message-----
>> >From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
>> >Sent: Thursday, July 31, 2014 2:32 AM
>> >To: Rifenbark, Scott M
>> >Cc: Tiemo Krüger; yocto at yoctoproject.org
>> >Subject: Re: [yocto] Yocto Project Manual
>> >
>> >This isn't quite what I was thinking of. Yes you should probably use
>> >the upstream signatures if they provide them, but it's going to be
>> >rare that both md5sum and sha256sum will be provided in my
>> >experience. That's why I was
>> >suggesting:
>> >
>> >1) Recommend if *any* signatures are provided upstream (e.g. md5,
>> >sha1, sha256, GPG, etc.) then you should verify these, by hand if
>> >necessary (since we only deal with sha256sum and md5sum). This
>> >probably should be a note box so that the importance is highlighted.
>> >
>> >2) Once that step has been performed if applicable, use the
>> >build-fail mechanism to get what you need added to the recipe.
>> >
>> >Cheers,
>> >Paul
>> >
>> >On Thursday 31 July 2014 06:39:38 Rifenbark, Scott M wrote:
>> >> Hi,
>> >>
>> >> I have modified this paragraph a bit to deal with the best way to
>> >> get these checksums.  See
>> >> http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.
>> >> If there are further concerns just let me know and I can address them.
>> >>
>> >> Scott
>> >>
>> >> >-----Original Message-----
>> >> >From: yocto-bounces at yoctoproject.org [mailto:yocto-
>> >> >bounces at yoctoproject.org] On Behalf Of Rifenbark, Scott M
>> >> >Sent: Tuesday, July 29, 2014 4:25 AM
>> >> >To: Paul Eggleton; Tiemo Krüger
>> >> >Cc: yocto at yoctoproject.org
>> >> >Subject: Re: [yocto] Yocto Project Manual
>> >> >
>> >> >Paul,
>> >> >
>> >> >This sounds reasonable.  I will modify based on that practice.
>> >> >
>> >> >Thanks,
>> >> >Scott
>> >> >
>> >> >>-----Original Message-----
>> >> >>From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
>> >> >>Sent: Tuesday, July 29, 2014 3:57 AM
>> >> >>To: Rifenbark, Scott M; Tiemo Krüger
>> >> >>Cc: yocto at yoctoproject.org
>> >> >>Subject: Re: [yocto] Yocto Project Manual
>> >> >>
>> >> >>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>> >> >>> Thanks for noting this and contacting me.  I am reposting to
>> >> >>> the yocto at yoctoproject.org group for additional input.  I will
>> >> >>> get modifications into the manual.
>> >> >>>
>> >> >>> Best,
>> >> >>> Scott
>> >> >>>
>> >> >>> >-----Original Message-----
>> >> >>> >From: Tiemo Krüger [mailto:tk at mycable.de]
>> >> >>> >Sent: Tuesday, July 29, 2014 2:50 AM
>> >> >>> >To: Rifenbark, Scott M
>> >> >>> >Subject: Yocto Project Manual
>> >> >>> >
>> >> >>> >Hello Scott,
>> >> >>> >
>> >> >>> >I just read a little bit in this doc:
>> >> >>> >
>> >> >>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>> >> >>> >
>> >> >>> >and since your eMail is mentioned on top I contact you
>> >> >>> >regarding the below paragraph in chapter 5.3.5
>> >> >>> >
>> >> >>> >"To find these checksums, you can comment the statements out
>> >> >>> >and then attempt to build the software. The build will produce
>> >> >>> >an error for each missing checksum and as part of the error
>> >> >>> >message provide the correct checksum string. Once you have the
>> >> >>> >correct checksums, simply copy them into your recipe for a
>> >> >>> >subsequent build."
>> >> >>> >
>> >> >>> >We here really think this is the wrong way to create the
>> >> >>> >checksums for a recipe since downloading them and then
>> >> >>> >creating the checksum doesn't protect you against man in the middle
>> >> >>> >attacks.
>> >> >>
>> >> >>From that point onwards it does, but not on the initial build
>> >> >>when creating the recipe, you are correct. If the upstream
>> >> >>website does provide checksums or GPG signatures (and quite a lot
>> >> >>don't) then you should use those to verify the source that was fetched.
>> >> >>
>> >> >>> >The text should be modified
>> >> >>> >that the checksums must at least be checked against the
>> >> >>> >checksums provided by the original website even if this is
>> >> >>> >still not completely safe. And simple command line tools like
>> >> >>> >md5sum and sha256sum shall be mentioned.
>> >> >>
>> >> >>I think the simplest thing is to just add a note which says that
>> >> >>you should verify what was fetched against whatever signatures
>> >> >>are provided by the upstream (if any). You can still use the
>> >> >>build-fail method we currently describe as well so that you get
>> >> >>the exact lines you need to put in the recipe rather than having
>> >> >>to type those out each time.
>> >> >>
>> >> >>Cheers,
>> >> >>Paul
>> >> >>
>> >> >>--
>> >> >>
>> >> >>Paul Eggleton
>> >> >>Intel Open Source Technology Centre
>> >> >
>> >> >--
>> >> >_______________________________________________
>> >> >yocto mailing list
>> >> >yocto at yoctoproject.org
>> >> >https://lists.yoctoproject.org/listinfo/yocto
>> >
>> >--
>> >
>> >Paul Eggleton
>> >Intel Open Source Technology Centre
>
>--
>
>Paul Eggleton
>Intel Open Source Technology Centre
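The two-step practice settled on in this thread (verify the fetched source against whatever checksum upstream publishes first, and only then take the exact SRC_URI checksum lines for the recipe) as an added shell example; this is not code from the thread or from the Yocto documentation. It assumes upstream publishes a sha256sum-format file (hash, two spaces, filename) beside the tarball, and it uses constructed sample files in place of a real download.

```shell
#!/bin/sh
# Added example: check a fetched tarball against the checksum list upstream
# publishes BEFORE accepting the values that go into the recipe. Assumes a
# "sha256sum"-style file (hash, two spaces, filename) was downloaded with it.

# Return 0 if the tarball's SHA-256 matches the entry upstream published for
# it, 1 if the entry is missing or the hash differs (possible tampering).
verify_upstream_sha256() {
    fname=$(basename "$1")
    expected=$(awk -v f="$fname" '$2 == f { print $1 }' "$2")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Print the SRC_URI checksum lines in recipe syntax, but only for a tarball
# that passed the upstream check; return 1 without printing otherwise.
recipe_checksum_lines() {
    verify_upstream_sha256 "$1" "$2" || return 1
    printf 'SRC_URI[md5sum] = "%s"\n' "$(md5sum "$1" | awk '{ print $1 }')"
    printf 'SRC_URI[sha256sum] = "%s"\n' "$(sha256sum "$1" | awk '{ print $1 }')"
}

# Constructed sample data (stand-ins, not real upstream files): a "tarball"
# whose content is just the line "hello", the checksum upstream would publish
# for it, and a tampered copy with the same name in another directory.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'hello\n' > "$SAMPLE_DIR/sample-1.0.tar.gz"
printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  sample-1.0.tar.gz\n' \
    > "$SAMPLE_DIR/sample-1.0.tar.gz.sha256"
mkdir "$SAMPLE_DIR/mitm"
printf 'hello!\n' > "$SAMPLE_DIR/mitm/sample-1.0.tar.gz"

GOOD="$SAMPLE_DIR/sample-1.0.tar.gz"
BAD="$SAMPLE_DIR/mitm/sample-1.0.tar.gz"
SUMS="$SAMPLE_DIR/sample-1.0.tar.gz.sha256"

# Good tarball: prints the two lines to paste into the recipe.
recipe_checksum_lines "$GOOD" "$SUMS"
# Tampered tarball: the upstream check fails, so no recipe lines are emitted.
recipe_checksum_lines "$BAD" "$SUMS" || echo "refusing tarball that fails upstream check"
```

With a real fetch, the same check should be run against a GPG signature instead when that is what upstream provides, since the build-fail output alone only records whatever was downloaded.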
