Re: checksums situation

[Alessandro GARDICH <gremlin@gremlin.it>]

Bernhard Guillon wrote:
> Tom Rini wrote:
>> This is one of my points.  People think we have security from our
>> current checksum list, but we do not.
>>
>>   
> Then we have to make clear that the checksums are for integrity only and 
> not for security.
> It is impossible for us to do security. E.g. most sourceforge projects 
> do not sign their packages. We would need to review the source of every 
> package to see if it does stuff it should not do. We would also need to 
> track security updates for packages - which we should do anyway.
> 
> Best regards
> Bernhard Guillon
> 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel


Sincerely I don't feel the need of "security" in OE but that is.

In my opinion the checking of the sources is a feature we can have but 
for sure not in a global checksum.ini file, it's unmanageable.
Every recipe, in which is defined a source can have a checksum, as 
someone else proposed is a better solution.

Talking about security in a strict way, check the sources have in my 
opinion no sense, an "evil" recipe could fetch a well signed source of 
ssh (as example) and apply a patch to add a back door.
Checking can be useful but not for security reason, at most just to be 
sure the source is what expect to be.

How checksum behave is source is a latest revision of a VCS ?

Other point, I completely dislike the current behaviour : if a source 
haven't a checksum  fail do build. No please ... the default could be a 
warning not a fail!

I'm sure 90% or OE users got a failure, ask for help and now have 
OE_STRICT_CHECKSUMS = "" in their local.conf ... have it sense ???

In my opinion the default behaviour have to be a warning, for who is 
sensible to a (false) security they can enforce the behaviour (suck as 
-Werror for gcc) but no more.
A warning at the end of bitbake build could also be useful, something 
like "your final image contain non checked sources", but not a FAIL!


Last but more important : why the hell this feature is in the default 
dev branch ??? why wasn't created a "checksum" branch to test it !!!
One thing make OE UNUSABLE for day to day work is the BAD behaviour :
- think a feature
- start (but not finish) to implement it
- push
- make dev branch fail to build
- start to correct/finish the feature
damn, we got git to be easy to branch to test new features!!!


--
  /-------------------------------------------------------------\
|           Alessandro Gardich : gremlin#gremlin!it             |
  >-------------------------------------------------------------<
|  I never saw a wild thing sorry for itself.                   |
|  A small bird will drop frozen dead from a bough              |
|  without ever having felt sorry for itself.                   |
  \-------------------------------------------------------------/