Hi, I have modified this paragraph a bit to deal with the best way to get these checksums. See http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code. If there are further concerns just let me know and I can address them.
Scott

>-----Original Message-----
>From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On Behalf Of Rifenbark, Scott M
>Sent: Tuesday, July 29, 2014 4:25 AM
>To: Paul Eggleton; Tiemo Krüger
>Cc: yocto@yoctoproject.org
>Subject: Re: [yocto] Yocto Project Manual
>
>Paul,
>
>This sounds reasonable. I will modify based on that practice.
>
>Thanks,
>Scott
>
>>-----Original Message-----
>>From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
>>Sent: Tuesday, July 29, 2014 3:57 AM
>>To: Rifenbark, Scott M; Tiemo Krüger
>>Cc: yocto@yoctoproject.org
>>Subject: Re: [yocto] Yocto Project Manual
>>
>>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>>> Thanks for noting this and contacting me. I am reposting to the
>>> yocto@yoctoproject.org group for additional input. I will get
>>> modifications into the manual.
>>>
>>> Best,
>>> Scott
>>>
>>> >-----Original Message-----
>>> >From: Tiemo Krüger [mailto:t...@mycable.de]
>>> >Sent: Tuesday, July 29, 2014 2:50 AM
>>> >To: Rifenbark, Scott M
>>> >Subject: Yocto Project Manual
>>> >
>>> >Hello Scott,
>>> >
>>> >I just read a little bit in this doc:
>>> >
>>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>>> >
>>> >and since your e-mail is mentioned on top I contact you regarding the
>>> >below paragraph in chapter 5.3.5
>>> >
>>> >"To find these checksums, you can comment the statements out and
>>> >then attempt to build the software. The build will produce an error
>>> >for each missing checksum and as part of the error message provide
>>> >the correct checksum string. Once you have the correct checksums,
>>> >simply copy them into your recipe for a subsequent build."
>>> >
>>> >We here really think this is the wrong way to create the checksums
>>> >for a recipe since downloading them and then creating the checksum
>>> >doesn't protect you against man in the middle attacks.
>>
>>From that point onwards it does, but not on the initial build when
>>creating the recipe, you are correct. If the upstream website does
>>provide checksums or GPG signatures (and quite a lot don't) then you
>>should use those to verify the source that was fetched.
>>
>>> >The text should be modified
>>> >that the checksums must at least be checked against the checksums
>>> >provided by the original website even if this is still not
>>> >completely safe. And simple command line tools like md5sum and
>>> >sha256sum shall be mentioned.
>>
>>I think the simplest thing is to just add a note which says that you
>>should verify what was fetched against whatever signatures are provided
>>by the upstream (if any). You can still use the build-fail method we
>>currently describe as well so that you get the exact lines you need to
>>put in the recipe rather than having to type those out each time.
>>
>>Cheers,
>>Paul
>>
>>--
>>
>>Paul Eggleton
>>Intel Open Source Technology Centre
>--
>_______________________________________________
>yocto mailing list
>yocto@yoctoproject.org
>https://lists.yoctoproject.org/listinfo/yocto
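The workflow the thread settles on (take the SRC_URI[md5sum]/SRC_URI[sha256sum] lines from the failing build, but cross-check the fetched tarball against the checksum the upstream project publishes before trusting them) as an added example. This is editor-supplied code, not from the Yocto manual or from anyone on this thread; the tarball bytes, the upstream SHA256SUMS file, the recipe fragment and the hostname example.invalid are all constructed for the demonstration.

```python
"""Added example, not code from the Yocto manual or from anyone on this thread.

The checksum BitBake prints on the first (failing) build is the checksum of
whatever was downloaded, so it only guarantees that later builds get the same
bytes; it says nothing about whether the first download was genuine. Before
pasting those lines into the recipe, compare them with the value the upstream
project publishes. Everything below (tarball bytes, upstream SHA256SUMS text,
recipe text, hostname) is constructed sample data.
"""
import hashlib
import re

_HEX = r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}"


def parse_upstream_sums(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <file>' or '<hex> *<file>'),
    the format most projects publish next to their release tarballs."""
    sums = {}
    for line in text.splitlines():
        m = re.match(rf"^\s*({_HEX})\s+\*?(\S+)\s*$", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def parse_recipe_sums(recipe_text):
    """Extract SRC_URI[md5sum] / SRC_URI[sha256sum] (optionally name-prefixed,
    e.g. SRC_URI[foo.sha256sum]) from recipe text. Returns {algorithm: hex}."""
    pat = r'SRC_URI\[(?:[\w.-]+\.)?(md5sum|sha256sum)\]\s*=\s*"([0-9a-fA-F]+)"'
    return {m.group(1): m.group(2).lower() for m in re.finditer(pat, recipe_text)}


def file_digest(data, algo):
    return hashlib.new(algo, data).hexdigest()


def recipe_lines_for(data):
    """The two lines the failing build would print for this tarball; the same
    values you get by running md5sum and sha256sum on it by hand."""
    return (
        f'SRC_URI[md5sum] = "{file_digest(data, "md5")}"',
        f'SRC_URI[sha256sum] = "{file_digest(data, "sha256")}"',
    )


def verify(filename, downloaded, upstream_sums_text, recipe_text):
    """Return (ok, reason). ok is True only when the downloaded bytes, the
    recipe's SRC_URI[sha256sum] and the upstream-published SHA-256 all agree."""
    published = parse_upstream_sums(upstream_sums_text).get(filename)
    if published is None:
        return False, ("upstream publishes no checksum for %s; verify by another route "
                       "(e.g. a GPG signature) before trusting the build-fail output" % filename)
    if file_digest(downloaded, "sha256") != published:
        return False, "downloaded tarball does not match the upstream checksum (tampered or wrong file)"
    if parse_recipe_sums(recipe_text).get("sha256sum") != published:
        return False, "recipe sha256sum does not match upstream: regenerate it from a verified tarball"
    return True, "download, recipe and upstream agree"


# --- constructed sample data (hypothetical release, not a real project) ---
TARBALL_NAME = "example-1.0.tar.gz"
GENUINE = b"constructed stand-in for the genuine example-1.0.tar.gz bytes\n"
TAMPERED = GENUINE + b"# bytes injected by a man in the middle\n"

# Simulates the SHA256SUMS file the upstream project publishes over a trusted channel.
UPSTREAM_SHA256SUMS = "%s  %s\n" % (file_digest(GENUINE, "sha256"), TARBALL_NAME)

# Recipe fragment as it looks after pasting the build-fail output for the genuine tarball.
RECIPE = 'SRC_URI = "http://example.invalid/%s"\n%s\n%s\n' % (
    (TARBALL_NAME,) + recipe_lines_for(GENUINE))


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, verify(TARBALL_NAME, blob, UPSTREAM_SHA256SUMS, RECIPE))
```

The check deliberately refuses when upstream publishes nothing for the file rather than silently accepting the build-fail output; in that case a detached GPG signature (if the project provides one) is the remaining option, and the only thing the recorded checksums protect is consistency from the first build onwards, as Paul says above.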