Hi Heinrich,

On Wed, 27 Oct 2021 at 08:23, Heinrich Schuchardt
<heinrich.schucha...@canonical.com> wrote:
>
> On 10/27/21 16:05, Simon Glass wrote:
> > Hi Heinrich,
> >
> > On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
> > <heinrich.schucha...@canonical.com> wrote:
> >>
> >> Downloading binaries and executing without checking the authenticity is
> >> at least unwise.
> >>
> >> When binman downloads GCC it should also download and verify the GPG
> >> signatures.
> >>
> >> Additionally binman could hold a list of the SHA256 hashes of all
> >> binaries in question for a further check.
> >
> > Buildman? Yes that sounds like a nice feature. Did you hit a problem,
> > or just come up with this idea? You could try the new issue tracker!
>
> tools/buildman/toolchain.py
>
> I have seen this script downloading binaries and executing them on my
> machine without verification. This makes me feel insecure.

This should only happen with --fetch-arch but if you see it happening
without that, there is some kind of bug.

>
> test/run invokes buildman.
>
> The same is true for tools/docker/Dockerfile. As Docker does not use its
> own kernel you should avoid running untrusted binaries in a container.

OK I will leave this as an exercise for the reader.

Regards,
Simon
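
Added example, not part of the thread and not buildman's code: a sketch of the SHA256 pin list proposed above, checked before a downloaded toolchain archive is unpacked or run. All names here (`verify_download`, `install_if_verified`, the manifest layout, the sample file name) are hypothetical, the payload is constructed, and the GPG signature check mentioned in the thread would be a separate step.

```python
import hashlib
import hmac
import os
import tempfile


class VerificationError(Exception):
    """Raised when a downloaded file must not be unpacked or executed."""


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large tarballs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, name, manifest):
    """Fail closed: an unlisted name is rejected just like a wrong digest."""
    expected = manifest.get(name)
    if expected is None:
        raise VerificationError(f"{name}: no pinned SHA-256, refusing to use it")
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError(f"{name}: SHA-256 mismatch (got {actual})")
    return actual


def install_if_verified(tmp_path, name, dest_dir, manifest):
    """Move the download into dest_dir only after it verifies; else delete it."""
    try:
        verify_download(tmp_path, name, manifest)
    except VerificationError:
        os.unlink(tmp_path)  # never leave an unverified binary on disk
        raise
    final_path = os.path.join(dest_dir, name)
    os.replace(tmp_path, final_path)
    return final_path


def demo():
    """Constructed data: the payload and its pin are stand-ins, not a real toolchain."""
    payload = b"constructed stand-in for a toolchain tarball\n"
    manifest = {"sample-toolchain.tar.xz": hashlib.sha256(payload).hexdigest()}
    with tempfile.TemporaryDirectory() as work:
        good = os.path.join(work, "download.part")
        with open(good, "wb") as fh:
            fh.write(payload)
        return os.path.basename(install_if_verified(good, "sample-toolchain.tar.xz", work, manifest))
```

In a real tree the manifest would be a file committed alongside the download script, so that changing a pin shows up in review.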