From mboxrd@z Thu Jan 1 00:00:00 1970 From: Joanna Rutkowska Subject: Re: Xen signing and wget [and 3 more messages] Date: Tue, 06 Jul 2010 17:56:23 +0200 Message-ID: <4C335227.20909@invisiblethingslab.com> References: <4C334B5C.4090305@invisiblethingslab.com> <4C3347C8.7020603@invisiblethingslab.com> <19507.20664.587547.9953@mariner.uk.xensource.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0092641598==" Return-path: In-Reply-To: <19507.20664.587547.9953@mariner.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: Ian Jackson Cc: "xen-devel@lists.xensource.com" , Keir Fraser List-Id: xen-devel@lists.xenproject.org This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --===============0092641598== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig4C797F78482148FB5BA8FE39" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig4C797F78482148FB5BA8FE39 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 07/06/10 17:50, Ian Jackson wrote: > Joanna Rutkowska writes ("[Xen-devel] Xen signing and wget"): >> While the Xen sources have recently become digitally signed by xen.org= >> (which is just great), there is still a problem that its various >> Makefiles download (and subsequently build) various 3rd party software= >> via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something= , >> the downloaded 3rd part software is never verified in any way. >=20 > You are right, and you're right that this could be improved. >=20 > I think the correct solution is to have the xen.hg tree contain the > expected sha hashes of the downloaded items. These files change very > rarely, we don't really want to be signing them out of context with > our codesigning keys, we want to make sure you get the corresponding > version, and downloading and checking a signature as well as the > tarball would complicate the build (it would start to require gnupg). >=20 > So if you would like to prepare a patch to that effect I'd be very > pleased :-). >=20 Sorry, but I'm swamped enough with Qubes-specific things, and just cannot justify resources for this task at the moment (I don't really understand the whole Xen build process well, and would have to spend extra time investigating it). joanna. --------------enig4C797F78482148FB5BA8FE39 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkwzUicACgkQORdkotfEW865IACg9Pn5pZFTirI+Na5Cl1H7zmpY 9BcAmwdFVnL7wgANLxNNVG80mo1K8j5b =bKtA -----END PGP SIGNATURE----- --------------enig4C797F78482148FB5BA8FE39-- --===============0092641598== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --===============0092641598==--