From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
Keir Fraser <keir.fraser@eu.citrix.com>
Subject: Re: Xen signing and wget [and 3 more messages]
Date: Tue, 06 Jul 2010 17:56:23 +0200 [thread overview]
Message-ID: <4C335227.20909@invisiblethingslab.com> (raw)
In-Reply-To: <19507.20664.587547.9953@mariner.uk.xensource.com>
[-- Attachment #1.1: Type: text/plain, Size: 1314 bytes --]
On 07/06/10 17:50, Ian Jackson wrote:
> Joanna Rutkowska writes ("[Xen-devel] Xen signing and wget"):
>> While the Xen sources have recently become digitally signed by xen.org
>> (which is just great), there is still a problem that its various
>> Makefiles download (and subsequently build) various 3rd party software
>> via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something,
>> the downloaded 3rd part software is never verified in any way.
>
> You are right, and you're right that this could be improved.
>
> I think the correct solution is to have the xen.hg tree contain the
> expected sha hashes of the downloaded items. These files change very
> rarely, we don't really want to be signing them out of context with
> our codesigning keys, we want to make sure you get the corresponding
> version, and downloading and checking a signature as well as the
> tarball would complicate the build (it would start to require gnupg).
>
> So if you would like to prepare a patch to that effect I'd be very
> pleased :-).
>
Sorry, but I'm swamped enough with Qubes-specific things, and just
cannot justify resources for this task at the moment (I don't really
understand the whole Xen build process well, and would have to spend
extra time investigating it).
joanna.
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 226 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
prev parent reply other threads:[~2010-07-06 15:56 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-06 15:12 Xen signing and wget Joanna Rutkowska
2010-07-06 15:21 ` Keir Fraser
2010-07-06 15:23 ` Joanna Rutkowska
2010-07-06 15:24 ` Keir Fraser
2010-07-06 15:27 ` Joanna Rutkowska
2010-07-06 15:34 ` Keir Fraser
2010-07-06 15:42 ` Joanna Rutkowska
2010-07-06 15:50 ` Xen signing and wget [and 3 more messages] Ian Jackson
2010-07-06 15:56 ` Joanna Rutkowska [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C335227.20909@invisiblethingslab.com \
--to=joanna@invisiblethingslab.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=keir.fraser@eu.citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).