From: Joanna Rutkowska
Subject: Re: Xen signing and wget
Date: Tue, 06 Jul 2010 17:23:56 +0200
To: Keir Fraser
Cc: xen-devel@lists.xensource.com

On 07/06/10 17:21, Keir Fraser wrote:
> On 06/07/2010 16:12, "Joanna Rutkowska" wrote:
>
>> While the Xen sources have recently become digitally signed by xen.org
>> (which is just great), there is still a problem that its various
>> Makefiles download (and subsequently build) various 3rd party software
>> via wget (e.g. ioemu, grub, tboot, etc). Unless I'm missing something,
>> the downloaded 3rd party software is never verified in any way.
>
> We download tarballs from http://xenbits.xensource.com/xen-extfiles rather
> than random 3rd party sites. And qemu from our very own git repository also
> on xenbits.
>
But you use a plaintext connection, which, in security, means random code.
I think we have already gone through this last time when discussing the
signing process for Xen ;)

joanna.
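An added example, not from this thread or from Xen's build system, of the check the message asks for: the expected SHA-256 of each third-party tarball is pinned in the (signed) source tree, and a download fetched over plain HTTP is only unpacked or built if it matches. The function names, the `.part` temporary-file naming, and the pinned-hash convention are my assumptions.

```shell
#!/bin/sh
# Verify a fetched tarball against a SHA-256 pinned in the source tree before
# anything unpacks or builds it. Tampering with the plaintext HTTP transfer
# then fails the check instead of silently becoming build input.

# sha256_of FILE -> prints the hex digest (GNU coreutils or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch (hex case ignored).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED DEST
# Downloads to a temporary file, verifies it, and only then moves it into
# place; a failed or mismatching download is deleted so a later `make`
# cannot pick up the partial or substituted file.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp="$dest.part.$$"
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "SHA-256 mismatch for $url; refusing to use it" >&2
        return 1
    fi
}
```

In a Makefile the recipe for an extfiles target would call `fetch_verified` with the hash pinned beside the URL, so the tarball itself is never a build dependency until it has passed the check.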