On 10/27/21 16:05, Simon Glass wrote:
Hi Heinrich,
On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
<heinrich.schucha...@canonical.com> wrote:
Downloading binaries and executing without checking the authenticity is
at least unwise.
When binman downloads GCC it should also download and verify the GPG
signatures.
Additionally binman could hold a list of the SHA256 hashes of all
binaries in question for a further check.
Buildman? Yes that sounds like a nice feature. Did you hit a problem,
or just come up with this idea? You could try the new issue tracker!
tools/buildman/toolchain.py
I have seen this script downloading binaries and executing them on my
machine without verification. This makes me feel insecure.
test/run invokes buildman.
The same is true for tools/docker/Dockerfile. As Docker does not use its
own kernel you should avoid running untrusted binaries in a container.
Best regards
Heinrich
