From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v3] ca-certificates: new package
Date: Sun, 12 Jan 2014 12:27:43 +0100 [thread overview]
Message-ID: <20140112112743.GA3374@free.fr> (raw)
In-Reply-To: <87zjn14mtn.fsf@dell.be.48ers.dk>
Peter, All,
On 2014-01-12 09:38 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> > It's a pity we can't get that from a trusted channel (ie. https instead
> > of plain http). Sigh... :-(
>
> > I know we do not do that for the other packages, but I'd like that we
> > check the authenticity of that specific one. There's no point in adding
> > a security-related package that we can validate in the first place.
>
> > I'd suggest we do that with a _POST_DOWNLOAD_HOOKS, something like:
>
> > CA_CERTIFICATES_CHECKSUM = SHA1-hash
> > define CA_CERTIFICATES_VERIFY_CHECKSUM
> > hash=$$( sha1sum $(DL_DIR)/$(CA_CERTIFICATES_SOURCE) |cut -d ' ' -f 1 )
> > if [ ! $${hash} = $(CA_CERTIFICATES_CHECKSUM) ]; then
> > printf "ERROR: $(CA_CERTIFICATES_SOURCE) has wrong SHA1\n"
> > printf "ERROR: Maybe the download was MITMed\n"
> > exit 1
> > fi
> > endef
> > CA_CERTIFICATES_POST_DOWNLOAD_HOOKS += CA_CERTIFICATES_VERIFY_CHECKSUM
>
> > I don't know what others think of it. Peter, Thomas, others?
>
> If we want to do something like this, then I would much prefer to move
> it into the package infrastructure and do it for all packages (but not
> require it, similar to how we're progressively adding licensing info to
> packages).
Eh! I knew you'd say that! :-)
I guess there's no point in adding such a check for git, svn and all
other VCSes. Only 'static' content wouls be elligible to being checked.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2014-01-12 11:27 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-10 15:39 [Buildroot] [PATCH v3] ca-certificates: new package Martin Bark
2014-01-11 23:48 ` Yann E. MORIN
2014-01-12 8:38 ` Peter Korsgaard
2014-01-12 11:27 ` Yann E. MORIN [this message]
2014-01-12 18:23 ` Peter Korsgaard
2014-01-12 18:34 ` Yann E. MORIN
2014-01-12 19:19 ` Peter Korsgaard
2014-01-12 20:09 ` Yann E. MORIN
2014-01-12 20:32 ` Peter Korsgaard
2014-01-12 21:01 ` Yann E. MORIN
2014-01-12 21:08 ` Peter Korsgaard
2014-01-12 21:21 ` Bernd Kuhls
2014-01-12 21:38 ` Yann E. MORIN
2014-01-14 7:13 ` Arnout Vandecappelle
2014-01-12 20:09 ` Peter Korsgaard
2014-01-12 20:39 ` Martin Bark
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140112112743.GA3374@free.fr \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.