WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-devel

Re: [Xen-devel] Xen signing and wget [and 3 more messages]

To: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Xen signing and wget [and 3 more messages]
From: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 06 Jul 2010 17:56:23 +0200
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir.fraser@xxxxxxxxxxxxx>
Delivery-date: Tue, 06 Jul 2010 08:56:57 -0700
On 07/06/10 17:50, Ian Jackson wrote:
> Joanna Rutkowska writes ("[Xen-devel] Xen signing and wget"):
>> While the Xen sources have recently become digitally signed by xen.org
>> (which is just great), there is still a problem that its various
>> Makefiles download (and subsequently build) various 3rd party software
>> via wget (e.g. ioemu, grub, tboot, etc). Unless I'm missing something,
>> the downloaded 3rd party software is never verified in any way.
> 
> You are right, and you're right that this could be improved.
> 
> I think the correct solution is to have the xen.hg tree contain the
> expected sha hashes of the downloaded items.  These files change very
> rarely, we don't really want to be signing them out of context with
> our codesigning keys, we want to make sure you get the corresponding
> version, and downloading and checking a signature as well as the
> tarball would complicate the build (it would start to require gnupg).
> 
> So if you would like to prepare a patch to that effect I'd be very
> pleased :-).
> 

Sorry, but I'm swamped enough with Qubes-specific things, and just
cannot justify resources for this task at the moment (I don't really
understand the whole Xen build process well, and would have to spend
extra time investigating it).

joanna.
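
The approach Ian Jackson describes in the quoted text (expected hashes kept in the tree and checked after download, with no gnupg needed at build time) can be sketched as follows. This is an added example, not code from the thread or from the Xen build system; the manifest name `SHA256SUMS`, its format, the function names, and the choice of SHA-256 (the message says only "sha hashes") are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded build input against a SHA-256 pinned in the tree.
# Assumed manifest format: "<sha256-hex>  <file name>", as sha256sum prints it.

sha256_of() {    # print the hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_pinned MANIFEST FILE
# returns 0 = matches pin, 1 = mismatch, 2 = no pin for this name, 3 = unreadable
verify_pinned() {
    [ -r "$1" ] && [ -r "$2" ] || return 3
    want=$(awk -v n="$(basename "$2")" '$2 == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 2    # fail closed: an unpinned file is never accepted
    got=$(sha256_of "$2")
    [ -n "$got" ] || return 3
    [ "$got" = "$want" ]
}

# fetch_verified URL DEST MANIFEST: what a Makefile rule would call instead of bare wget.
# The download lands under a temporary name and is moved to DEST only after it verifies.
fetch_verified() {
    tmpdir=$(mktemp -d) || return 3
    tmp=$tmpdir/$(basename "$2")
    if wget -q -O "$tmp" "$1" && verify_pinned "$3" "$tmp"; then
        mv "$tmp" "$2"; rc=0
    else
        echo "refusing $2: download failed, or digest unpinned or mismatched" >&2; rc=1
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Constructed offline demonstration: pin a sample file, then modify it.
demo() {
    d=$(mktemp -d) || return 3
    printf 'hello\n' > "$d/example-1.0.tar.gz"    # stand-in for a real tarball
    echo "$(sha256_of "$d/example-1.0.tar.gz")  example-1.0.tar.gz" > "$d/SHA256SUMS"
    verify_pinned "$d/SHA256SUMS" "$d/example-1.0.tar.gz" && before=0 || before=$?
    printf 'extra\n' >> "$d/example-1.0.tar.gz"   # simulated modification in transit
    verify_pinned "$d/SHA256SUMS" "$d/example-1.0.tar.gz" && after=0 || after=$?
    rm -rf "$d"
    echo "untampered=$before tampered=$after"
}
demo
```

Because the manifest is committed alongside the Makefiles, the signature on the source tree covers the pins too, which is why the check needs no separate signature on each tarball.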
