[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] Xen signing and wget [and 3 more messages]
Joanna Rutkowska writes ("[Xen-devel] Xen signing and wget"):
> While the Xen sources have recently become digitally signed by xen.org
> (which is just great), there is still a problem that its various
> Makefiles download (and subsequently build) various 3rd party software
> via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something,
> the downloaded 3rd part software is never verified in any way.
You are right, and you're right that this could be improved.
I think the correct solution is to have the xen.hg tree contain the
expected sha hashes of the downloaded items. These files change very
rarely, we don't really want to be signing them out of context with
our codesigning keys, we want to make sure you get the corresponding
version, and downloading and checking a signature as well as the
tarball would complicate the build (it would start to require gnupg).
So if you would like to prepare a patch to that effect I'd be very
Xen-devel mailing list