This isn't quite what I was thinking of. Yes, you should probably use the 
upstream signatures if they provide them, but it's going to be rare that both 
md5sum and sha256sum will be provided, in my experience. That's why I was 
suggesting:

1) Recommend if *any* signatures are provided upstream (e.g. md5, sha1, 
sha256, GPG, etc.) then you should verify these, by hand if necessary (since 
we only deal with sha256sum and md5sum). This probably should be a note box so 
that the importance is highlighted.

2) Once that step has been performed if applicable, use the build-fail 
mechanism to get what you need added to the recipe.

Cheers,
Paul

On Thursday 31 July 2014 06:39:38 Rifenbark, Scott M wrote:
> Hi,
> 
> I have modified this paragraph a bit to deal with the best way to get these
> checksums.  See
> http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.
> If there are further concerns just let me know and I can
> address them.
> 
> Scott
> 
> >-----Original Message-----
> >From: yocto-boun...@yoctoproject.org [mailto:yocto-
> >boun...@yoctoproject.org] On Behalf Of Rifenbark, Scott M
> >Sent: Tuesday, July 29, 2014 4:25 AM
> >To: Paul Eggleton; Tiemo Krüger
> >Cc: yocto@yoctoproject.org
> >Subject: Re: [yocto] Yocto Project Manual
> >
> >Paul,
> >
> >This sounds reasonable.  I will modify based on that practice.
> >
> >Thanks,
> >Scott
> >
> >>-----Original Message-----
> >>From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
> >>Sent: Tuesday, July 29, 2014 3:57 AM
> >>To: Rifenbark, Scott M; Tiemo Krüger
> >>Cc: yocto@yoctoproject.org
> >>Subject: Re: [yocto] Yocto Project Manual
> >>
> >>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
> >>> Thanks for noting this and contacting me.  I am reposting to the
> >>> yocto@yoctoproject.org group for additional input.  I will get
> >>> modifications into the manual.
> >>> 
> >>> Best,
> >>> Scott
> >>> 
> >>> >-----Original Message-----
> >>> >From: Tiemo Krüger [mailto:t...@mycable.de]
> >>> >Sent: Tuesday, July 29, 2014 2:50 AM
> >>> >To: Rifenbark, Scott M
> >>> >Subject: Yocto Project Manual
> >>> >
> >>> >Hello Scott,
> >>> >
> >>> >I just read a little bit in this doc:
> >>> >
> >>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
> >>> >
> >>> >and since your eMail is mentioned on top I contact you regarding the
> >>> >below paragraph in chapter 5.3.5
> >>> >
> >>> >"To find these checksums, you can comment the statements out and
> >>> >then attempt to build the software. The build will produce an error
> >>> >for each missing checksum and as part of the error message provide
> >>> >the correct checksum string. Once you have the correct checksums,
> >>> >simply copy them into your recipe for a subsequent build."
> >>> >
> >>> >We here really think this is the wrong way to create the checksums
> >>> >for a recipe since downloading them and then creating the checksum
> >>> >doesn't protect you against man-in-the-middle attacks.
> >>
> >>From that point onwards it does, but not on the initial build when
> >>creating the recipe, you are correct. If the upstream website does
> >>provide checksums or GPG signatures (and quite a lot don't) then you
> >>should use those to verify the source that was fetched.
> >>
> >>> >The text should be modified
> >>> >so that the checksums must at least be checked against the checksums
> >>> >provided by the original website even if this is still not
> >>> >completely safe. And simple command line tools like md5sum and
> >>> >sha256sum shall be mentioned.
> >>
> >>
> >>I think the simplest thing is to just add a note which says that you
> >>should verify what was fetched against whatever signatures are provided
> >>by the upstream (if any). You can still use the build-fail method we
> >>currently describe as well so that you get the exact lines you need to
> >>put in the recipe rather than having to type those out each time.
> >>
> >>Cheers,
> >>Paul
> >>
> >>--
> >>
> >>Paul Eggleton
> >>Intel Open Source Technology Centre
> >
> >--
> >_______________________________________________
> >yocto mailing list
> >yocto@yoctoproject.org
> >https://lists.yoctoproject.org/listinfo/yocto

-- 

Paul Eggleton
Intel Open Source Technology Centre
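The two-step practice Paul describes above (first verify the fetched tarball against whatever the upstream actually publishes, then derive the SRC_URI checksum lines for the recipe) as an added shell example. This is not code from the Yocto manual or from anyone in the thread; the tarball name, the SHA256SUMS file and the signature file name are constructed for the demo, and the GPG step assumes the upstream signing key is already in your keyring after you have checked its fingerprint out of band.

```shell
#!/bin/sh
# Added example (not from the Yocto manual or the mailing-list thread):
# verify a fetched source tarball against whatever the upstream publishes
# (a SHA256SUMS/MD5SUMS-style file and/or a detached GPG signature), and only
# then emit the SRC_URI checksum lines BitBake wants in the recipe.
# File names and the sample tarball below are constructed for the demo.

set -eu

# Compute one digest of a file; ALGO is md5 or sha256.
digest() {  # digest ALGO FILE
    case "$1" in
        md5)    md5sum "$2" | cut -d' ' -f1 ;;
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
        *) echo "unknown algorithm: $1" >&2; return 2 ;;
    esac
}

# Look up the expected digest for FILE's basename in an upstream SUMS file
# (the "<hex>  <name>" or "<hex> *<name>" format written by md5sum/sha256sum)
# and compare it with what we fetched.
# Returns 0 on match, 1 on mismatch, 3 if the file is not listed at all.
verify_against_sums() {  # verify_against_sums ALGO FILE SUMSFILE
    algo=$1; file=$2; sums=$3
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 3
    fi
    actual=$(digest "$algo" "$file")
    if [ "$expected" != "$actual" ]; then
        echo "$name: $algo MISMATCH (upstream $expected, got $actual)" >&2
        return 1
    fi
    echo "$name: $algo matches upstream"
}

# Verify a detached GPG signature if upstream ships one.  The signing key must
# already be in the keyring (fetched out of band and fingerprint-checked), or
# gpg refuses.  A missing signature is reported loudly, never silently accepted.
verify_signature() {  # verify_signature FILE SIGFILE
    if [ ! -f "$2" ]; then
        echo "no signature for $(basename "$1"); checksums are all you have" >&2
        return 4
    fi
    gpg --verify "$2" "$1"
}

# Only after verification: print the lines BitBake expects in the recipe.
# This is the same information the build-failure message gives you, but
# derived from a tarball you have already checked against the upstream.
recipe_checksum_lines() {  # recipe_checksum_lines FILE
    printf 'SRC_URI[md5sum] = "%s"\n' "$(digest md5 "$1")"
    printf 'SRC_URI[sha256sum] = "%s"\n' "$(digest sha256 "$1")"
}

# --- demo with a constructed tarball and a matching upstream-style SHA256SUMS ---
demo() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    printf 'hello from a fake upstream release\n' > "$tmp/foo-1.0.tar.gz"  # constructed
    (cd "$tmp" && sha256sum foo-1.0.tar.gz > SHA256SUMS)                  # "downloaded" sums
    verify_against_sums sha256 "$tmp/foo-1.0.tar.gz" "$tmp/SHA256SUMS"
    verify_signature "$tmp/foo-1.0.tar.gz" "$tmp/foo-1.0.tar.gz.sig" || true
    recipe_checksum_lines "$tmp/foo-1.0.tar.gz"
}

demo
```

In real use you would point verify_against_sums at the SHA256SUMS (or MD5SUMS) file and verify_signature at the .sig/.asc downloaded from the upstream release page, and paste the two printed lines into the recipe; from the next build onwards BitBake's own checksum check covers you, which is exactly the window Tiemo's original concern was about.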