On 07/06/10 17:21, Keir Fraser wrote:
> On 06/07/2010 16:12, "Joanna Rutkowska" <joanna@xxxxxxxxxxxxxxxxxxxxxx>
> wrote:
>
>> While the Xen sources have recently become digitally signed by xen.org
>> (which is just great), there is still a problem that its various
>> Makefiles download (and subsequently build) various 3rd party software
>> via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something,
>> the downloaded 3rd party software is never verified in any way.
>
> We download tarballs from http://xenbits.xensource.com/xen-extfiles rather
> than random 3rd party sites. And qemu from our very own git repository also
> on xenbits.
>

But you use a plaintext connection, which, in security, means random code. I
think we have already gone through this last time when discussing the
signing process for Xen ;)

joanna.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
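
One way to close the gap discussed in this thread, as an added example that is not part of the original message and not code from the Xen tree: pin a SHA-256 digest for each externally fetched tarball in a manifest shipped inside the signed source, and refuse to build anything that does not match. The function names and the manifest format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not Xen's build code): verify a fetched tarball against a
# digest pinned in a manifest that ships inside the signed source tree.
# Assumed manifest format, one entry per line: "<sha256-hex>  <filename>"

sha256_of() {
    # Print the SHA-256 hex digest of file $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_pinned() {
    # $1 = downloaded file, $2 = manifest of pinned digests.
    # 0 = match, 1 = mismatch, 2 = missing input, 3 = file not pinned.
    file=$1; manifest=$2
    [ -f "$file" ] && [ -f "$manifest" ] || return 2
    name=$(basename "$file")
    want=$(awk -v n="$name" '$2 == n {print $1; exit}' "$manifest")
    [ -n "$want" ] || { echo "no pinned digest for $name" >&2; return 3; }
    got=$(sha256_of "$file") || return 2
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $name" >&2
        return 1
    fi
    return 0
}

fetch_verified() {
    # $1 = URL, $2 = destination directory, $3 = manifest.
    # Download under a temporary name and move the file into place only
    # after it verifies, so the build never sees unverified bytes.
    url=$1; dest=$2; manifest=$3
    name=$(basename "$url")
    tmp=$(mktemp -d) || return 2
    if wget -q -O "$tmp/$name" "$url" && verify_pinned "$tmp/$name" "$manifest"; then
        mv "$tmp/$name" "$dest/$name"; rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Because the manifest travels with the signed sources, the transport used for the tarballs no longer has to be trusted: a file altered in transit fails the digest check and never reaches the build directory.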