On 06.11.2016 23:30, taii...@gmx.com wrote:
> I suppose you are correct, but would you have rather I didn't mention it?

No, but you could have chosen kindlier words.

>
> I would love to, however I do not have the scripting skills required to
> ensure proper verification and unfortunately there are multiple
> dependencies that don't publish gpg signatures.
>
> It isn't an easy task if we want close to 100% assurance.

If you want that, best option would be to pay an expert.

>
> https://blog.invisiblethings.org/2016/05/30/build-security.html
>
> Simply changing the build process to https is an improvement over what
> we have now but I would rather not do a half-baked solution that
> depends on the goodwill of every CA.

I agree. I haven't seen any hierarchical PKI I'd trust so far.

Nico

>
> GMP_ARCHIVE="https://mirrors.kernel.org/gnu/gmp/gmp-${GMP_VERSION}.tar.xz"
> MPFR_ARCHIVE="https://mirrors.kernel.org/gnu/mpfr/mpfr-${MPFR_VERSION}.tar.xz"
> MPC_ARCHIVE="https://mirrors.kernel.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz"
> LIBELF_ARCHIVE="https://fossies.org/linux/misc/libelf-${LIBELF_VERSION}.tar.gz"
> GCC_ARCHIVE="https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.bz2"
> BINUTILS_ARCHIVE="https://mirrors.kernel.org/gnu/binutils/binutils-${BINUTILS_VERSION}.tar.bz2"
> GDB_ARCHIVE="https://mirrors.kernel.org/gnu/gdb/gdb-${GDB_VERSION}.tar.xz"
> IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz"
> PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz"
> EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2"
> MAKE_ARCHIVE="https://mirrors.kernel.org/gnu/make/make-${MAKE_VERSION}.tar.bz2"
>
>
> On 11/06/2016 05:02 PM, Nico Huber wrote:
>
>> On 06.11.2016 22:44, taii...@gmx.com wrote:
>>> It is 2016 not 2001 and MITM's are a regular thing so this is a serious
>>> issue.
>> Yes, YOU haven't fixed that yet.

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot
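
An added example, not part of the original thread or of coreboot's build script: one way to verify the archives without depending on any CA is to pin a SHA-256 digest per file and fail closed on a mismatch or a missing pin. The manifest file, its `sha256sum`-style format and the function names are assumptions, and the demo uses a constructed stand-in file instead of a real download.

```shell
#!/bin/sh
# Added example: fail-closed check of a fetched archive against a pinned
# SHA-256 digest. Manifest name and format are assumptions of this sketch.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archive FILE MANIFEST
# MANIFEST lines look like sha256sum output: "<hex digest>  <file name>".
# Returns 0 on match, 1 on digest mismatch, 2 on missing input,
# 3 when the file has no pin or more than one pin.
verify_archive() {
    file=$1
    manifest=$2
    name=$(basename "$file")
    [ -f "$file" ] && [ -f "$manifest" ] || {
        echo "missing input for $name" >&2; return 2; }
    # Emit the pinned digest only if exactly one line names this file.
    pin=$(awk -v n="$name" '$2 == n { c++; p = $1 } END { if (c == 1) print p }' "$manifest")
    # An unpinned file is a failure, never a silent skip.
    [ -n "$pin" ] || { echo "no unique pin for $name" >&2; return 3; }
    actual=$(sha256_of "$file")
    [ "$actual" = "$pin" ] || {
        echo "digest mismatch for $name: got $actual" >&2; return 1; }
}

# Constructed demo: a stand-in file plays the role of a downloaded tarball.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for a source tarball\n' > "$demo_dir/gmp-demo.tar.xz"
    printf '%s  %s\n' "$(sha256_of "$demo_dir/gmp-demo.tar.xz")" gmp-demo.tar.xz \
        > "$demo_dir/pins.sha256"
    verify_archive "$demo_dir/gmp-demo.tar.xz" "$demo_dir/pins.sha256" \
        && echo "pinned copy: accepted"
    printf 'x' >> "$demo_dir/gmp-demo.tar.xz"   # simulate modification in transit
    verify_archive "$demo_dir/gmp-demo.tar.xz" "$demo_dir/pins.sha256" 2>/dev/null \
        || echo "modified copy: rejected"
    rm -rf "$demo_dir"
}
demo
```

The pins only help if the manifest itself reaches the builder over a channel the fetch cannot influence, for example by being committed alongside the build script.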