Paul,

This sounds reasonable. I will modify based on that practice.

Thanks,
Scott

>-----Original Message-----
>From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
>Sent: Tuesday, July 29, 2014 3:57 AM
>To: Rifenbark, Scott M; Tiemo Krüger
>Cc: yocto@yoctoproject.org
>Subject: Re: [yocto] Yocto Project Manual
>
>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>> Thanks for noting this and contacting me. I am reposting to the
>> yocto@yoctoproject.org group for additional input. I will get
>> modifications into the manual.
>>
>> Best,
>> Scott
>>
>> >-----Original Message-----
>> >From: Tiemo Krüger [mailto:t...@mycable.de]
>> >Sent: Tuesday, July 29, 2014 2:50 AM
>> >To: Rifenbark, Scott M
>> >Subject: Yocto Project Manual
>> >
>> >Hello Scott,
>> >
>> >I just read a little bit in this doc:
>> >
>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>> >
>> >and since your e-mail is mentioned on top I am contacting you regarding
>> >the paragraph below in chapter 5.3.5:
>> >
>> >"To find these checksums, you can comment the statements out and then
>> >attempt to build the software. The build will produce an error for
>> >each missing checksum and as part of the error message provide the
>> >correct checksum string. Once you have the correct checksums, simply
>> >copy them into your recipe for a subsequent build."
>> >
>> >We here really think this is the wrong way to create the checksums
>> >for a recipe, since downloading them and then creating the checksum
>> >doesn't protect you against man-in-the-middle attacks.
>
>From that point onwards it does, but not on the initial build when creating the
>recipe, you are correct. If the upstream website does provide checksums or GPG
>signatures (and quite a lot don't) then you should use those to verify the source
>that was fetched.
>
>> >The text should be modified so that the checksums must at least be
>> >checked against the checksums provided by the original website, even
>> >if this is still not completely safe. Simple command line tools like
>> >md5sum and sha256sum should be mentioned as well.
>
>I think the simplest thing is to just add a note which says that you should verify
>what was fetched against whatever signatures are provided by the upstream (if
>any). You can still use the build-fail method we currently describe as well so that
>you get the exact lines you need to put in the recipe rather than having to type
>those out each time.
>
>Cheers,
>Paul
>
>--
>
>Paul Eggleton
>Intel Open Source Technology Centre

--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
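As an added example (not code from the Yocto manual or from anyone in this thread): a POSIX shell script that does what Tiemo and Paul are describing, namely checking the fetched archive against the checksum list the upstream project publishes before any checksum is copied into a recipe, and only then printing the SRC_URI lines the recipe needs. It assumes the upstream list is in the "<hex>  <filename>" format that sha256sum writes and that coreutils md5sum/sha256sum are installed. The archive name foo-1.0.tar.gz, the SHA256SUMS file and the "hello" fixture bytes are constructed here purely for an offline demonstration.

```shell
#!/bin/sh
# Added example, not code from the Yocto manual or this thread.
# Verify a fetched source archive against the SHA-256 list the upstream
# project publishes, and only then print the SRC_URI checksum lines that
# belong in the recipe. Assumptions: the upstream list uses the
# "<hex>  <filename>" format written by sha256sum (an optional leading
# '*' on the filename is tolerated), and coreutils md5sum/sha256sum exist.

# Look up the SHA-256 that list $1 gives for the basename of archive $2.
# Prints nothing if the archive is not listed.
upstream_sha256_for() {
    name=$(basename "$2")
    awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$1"
}

# Verify archive $1 against upstream list $2. On success print the recipe
# lines; on a missing entry or a mismatch print a diagnostic and return 1,
# so that a checksum is never copied into a recipe from an unverified file.
verify_and_emit_checksums() {
    archive=$1
    expected=$(upstream_sha256_for "$2" "$archive")
    if [ -z "$expected" ]; then
        echo "ERROR: no upstream SHA-256 listed for $(basename "$archive")" >&2
        return 1
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: SHA-256 mismatch for $archive" >&2
        echo "  upstream: $expected" >&2
        echo "  fetched:  $actual" >&2
        return 1
    fi
    md5=$(md5sum "$archive" | awk '{ print $1 }')
    printf 'SRC_URI[md5sum] = "%s"\n' "$md5"
    printf 'SRC_URI[sha256sum] = "%s"\n' "$actual"
}

# Constructed fixture for an offline demonstration: a stand-in "archive"
# whose content is the bytes "hello\n", and an upstream-style list carrying
# the known SHA-256 of those bytes. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/foo-1.0.tar.gz"
    echo "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  foo-1.0.tar.gz" \
        > "$dir/SHA256SUMS"
    echo "$dir"
}

# Demo: the intact archive verifies and yields recipe lines; a tampered
# copy (what a man-in-the-middle would hand you) is rejected.
demo=$(make_fixture)
verify_and_emit_checksums "$demo/foo-1.0.tar.gz" "$demo/SHA256SUMS"
printf 'tampered\n' > "$demo/foo-1.0.tar.gz"
verify_and_emit_checksums "$demo/foo-1.0.tar.gz" "$demo/SHA256SUMS" || echo "rejected, as intended"
rm -rf "$demo"
```

The point of the script is the ordering: the recipe lines are only produced after the upstream comparison succeeds, so the build-fail method Paul mentions can still be used for convenience without the unverified download ever being the source of truth. Where the upstream publishes a detached GPG signature rather than a checksum list, `gpg --verify foo.tar.gz.asc foo.tar.gz` against a signing key obtained out of band is the stronger check and can replace the SHA-256 comparison above; the md5sum line is emitted only because the manual section under discussion asks for both md5sum and sha256sum entries in the recipe.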