[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Xen-devel] Xen signing and wget
While the Xen sources have recently become digitally signed by xen.org (which is just great), there is still a problem that its various Makefiles download (and subsequently build) various 3rd party software via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something, the downloaded 3rd part software is never verified in any way. From the security point of view, it is equal to say that Xen downloads random code from the web, and unconditionally executes it. So, this not only allows for building potentially compromised Xen packages, but also is a threat to the developers machine, where the (untrusted) Makefiles of the unverified 3rd party software are run. Consequently, I have the following suggestions: 1) Push on the vendors of the 3rd party components you use in the build to sign their software, verify the signatures after download in your Makefile, 2) Until the 3rd party vendors implement signing of their software, add hardcoded list of hashes for the specific versions of the software version you use in the build (e.g. md5sum and then use md5sum --check in the Makefile for verification that what you downloaded is good). joanna.
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
Lists.xenproject.org is hosted with RackSpace, monitoring our