|
|
|
|
|
|
|
|
|
|
xen-devel
Re: [Xen-devel] Xen signing and wget [and 3 more messages]
On 07/06/10 17:50, Ian Jackson wrote:
> Joanna Rutkowska writes ("[Xen-devel] Xen signing and wget"):
>> While the Xen sources have recently become digitally signed by xen.org
>> (which is just great), there is still a problem that its various
>> Makefiles download (and subsequently build) various 3rd party software
>> via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something,
>> the downloaded 3rd part software is never verified in any way.
>
> You are right, and you're right that this could be improved.
>
> I think the correct solution is to have the xen.hg tree contain the
> expected sha hashes of the downloaded items. These files change very
> rarely, we don't really want to be signing them out of context with
> our codesigning keys, we want to make sure you get the corresponding
> version, and downloading and checking a signature as well as the
> tarball would complicate the build (it would start to require gnupg).
>
> So if you would like to prepare a patch to that effect I'd be very
> pleased :-).
>
Sorry, but I'm swamped enough with Qubes-specific things, and just
cannot justify resources for this task at the moment (I don't really
understand the whole Xen build process well, and would have to spend
extra time investigating it).
joanna.
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
|
|
|
|