 Home |
Products |
Support |
Community |
News |
xen-devel
Re: [Xen-devel] Xen signing and wget
| To: | Keir Fraser <keir.fraser@xxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [Xen-devel] Xen signing and wget |
| From: | Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx> |
| Date: | Tue, 06 Jul 2010 17:23:56 +0200 |
| Cc: | "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx> |
| Delivery-date: | Tue, 06 Jul 2010 08:24:13 -0700 |
| Dkim-signature: | v=1; a=rsa-sha1; c=relaxed/relaxed; d=messagingengine.com; h=message-id:date:from:mime-version:to:cc:subject:references:in-reply-to:content-type; s=smtpout; bh=M0Co4YH4O6WSSylj/Idlaqf0njQ=; b=gu4gpmlXpjPbxC4ple7FcyOjrGNKyarmAsc+R1C7Ra1YzRu/RMq+eiMMC+ZFJ4FlDFjrvWRO2cIbkhmhGRuKFBy0w2xGmJpzn0vPD41bPY2RsB/2rqeDAt5w4GcUuonkKbxCiUdAOf94N3x7O0YTGSAtYcr9VpEVtWt8JVuykUc= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <C85908A0.19807%keir.fraser@xxxxxxxxxxxxx> |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| References: | <C85908A0.19807%keir.fraser@xxxxxxxxxxxxx> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
| User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10) Gecko/20100621 Fedora/3.0.5-1.fc13 Lightning/1.0b2pre Thunderbird/3.0.5 |
On 07/06/10 17:21, Keir Fraser wrote: > On 06/07/2010 16:12, "Joanna Rutkowska" <joanna@xxxxxxxxxxxxxxxxxxxxxx> > wrote: > >> While the Xen sources have recently become digitally signed by xen.org >> (which is just great), there is still a problem that its various >> Makefiles download (and subsequently build) various 3rd party software >> via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something, >> the downloaded 3rd part software is never verified in any way. > > We download tarballs from http://xenbits.xensource.com/xen-extfiles rather > than random 3rd party sites. And qemu from our very own git repository also > on xenbits. > But you use plaintext connection, which, in security, means random code. I think we have already went through this last time when discussing the signing process for Xen ;) joanna.
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [Xen-devel] Xen signing and wget, Keir Fraser |
|---|---|
| Next by Date: | Re: [Xen-devel] Xen signing and wget, Keir Fraser |
| Previous by Thread: | Re: [Xen-devel] Xen signing and wget, Keir Fraser |
| Next by Thread: | Re: [Xen-devel] Xen signing and wget, Keir Fraser |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
