Ahh... okay. I will adjust. Thanks, Scott

> -----Original Message-----
> From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
> Sent: Thursday, July 31, 2014 2:32 AM
> To: Rifenbark, Scott M
> Cc: Tiemo Krüger; yocto@yoctoproject.org
> Subject: Re: [yocto] Yocto Project Manual
>
> This isn't quite what I was thinking of. Yes you should probably use the
> upstream signatures if they provide them, but it's going to be rare that
> both md5sum and sha256sum will be provided in my experience. That's why I
> was suggesting:
>
> 1) Recommend if *any* signatures are provided upstream (e.g. md5, sha1,
> sha256, GPG, etc.) then you should verify these, by hand if necessary
> (since we only deal with sha256sum and md5sum). This probably should be a
> note box so that the importance is highlighted.
>
> 2) Once that step has been performed if applicable, use the build-fail
> mechanism to get what you need added to the recipe.
>
> Cheers,
> Paul
>
> On Thursday 31 July 2014 06:39:38 Rifenbark, Scott M wrote:
>> Hi,
>>
>> I have modified this paragraph a bit to deal with the best way to get
>> these checksums. See
>> http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.
>> If there are further concerns just let me know and I can address them.
>>
>> Scott
>>
>>> -----Original Message-----
>>> From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On Behalf Of Rifenbark, Scott M
>>> Sent: Tuesday, July 29, 2014 4:25 AM
>>> To: Paul Eggleton; Tiemo Krüger
>>> Cc: yocto@yoctoproject.org
>>> Subject: Re: [yocto] Yocto Project Manual
>>>
>>> Paul,
>>>
>>> This sounds reasonable. I will modify based on that practice.
>>>
>>> Thanks,
>>> Scott
>>>
>>>> -----Original Message-----
>>>> From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
>>>> Sent: Tuesday, July 29, 2014 3:57 AM
>>>> To: Rifenbark, Scott M; Tiemo Krüger
>>>> Cc: yocto@yoctoproject.org
>>>> Subject: Re: [yocto] Yocto Project Manual
>>>>
>>>> On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>>>>> Thanks for noting this and contacting me. I am reposting to the
>>>>> yocto@yoctoproject.org group for additional input. I will get
>>>>> modifications into the manual.
>>>>>
>>>>> Best,
>>>>> Scott
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tiemo Krüger [mailto:t...@mycable.de]
>>>>>> Sent: Tuesday, July 29, 2014 2:50 AM
>>>>>> To: Rifenbark, Scott M
>>>>>> Subject: Yocto Project Manual
>>>>>>
>>>>>> Hello Scott,
>>>>>>
>>>>>> I just read a little bit in this doc:
>>>>>>
>>>>>> http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>>>>>>
>>>>>> and since your eMail is mentioned on top I contact you regarding
>>>>>> the below paragraph in chapter 5.3.5
>>>>>>
>>>>>> "To find these checksums, you can comment the statements out and
>>>>>> then attempt to build the software. The build will produce an
>>>>>> error for each missing checksum and as part of the error message
>>>>>> provide the correct checksum string. Once you have the correct
>>>>>> checksums, simply copy them into your recipe for a subsequent build."
>>>>>>
>>>>>> We here really think this is the wrong way to create the
>>>>>> checksums for a recipe since downloading them and then creating
>>>>>> the checksum doesn't protect you against man in the middle attacks.
>>>>
>>>> From that point onwards it does, but not on the initial build when
>>>> creating the recipe, you are correct. If the upstream website does
>>>> provide checksums or GPG signatures (and quite a lot don't) then you
>>>> should use those to verify the source that was fetched.
>>>>
>>>>>> The text should be modified
>>>>>> that the checksums must at least be checked against the checksums
>>>>>> provided by the original website even if this is still not
>>>>>> completely safe. And simple command line tools like md5sum and
>>>>>> sha256sum shall be mentioned.
>>>>
>>>> I think the simplest thing is to just add a note which says that you
>>>> should verify what was fetched against whatever signatures are
>>>> provided by the upstream (if any). You can still use the build-fail
>>>> method we currently describe as well so that you get the exact lines
>>>> you need to put in the recipe rather than having to type those out each
>>>> time.
>>>>
>>>> Cheers,
>>>> Paul
>>>>
>>>> --
>>>>
>>>> Paul Eggleton
>>>> Intel Open Source Technology Centre
>>>
>>> --
>>> _______________________________________________
>>> yocto mailing list
>>> yocto@yoctoproject.org
>>> https://lists.yoctoproject.org/listinfo/yocto
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
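The two-step practice Paul and Tiemo settle on above (first check the fetched tarball against whatever digest upstream publishes, and only then take the checksum lines for the recipe), as an added Python example that is not part of this thread and not code from the Yocto Project or its documentation. It assumes upstream publishes a SHA256SUMS or MD5SUMS file in the coreutils `<digest>  <filename>` layout that `sha256sum -c` reads; the sample "tarball" (just the bytes `hello\n`), the SHA256SUMS text and the name `foo-1.0.tar.gz` are all constructed here. GPG signatures, which Paul also mentions, are checked by hand with `gpg --verify` and are not covered by the code.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash large tarballs without reading them into memory at once


def file_digest(path, algo):
    """Hex digest of a file; algo is a hashlib name such as 'md5' or 'sha256'."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_file(text):
    """Parse '<digest>  <filename>' lines (the SHA256SUMS / MD5SUMS layout that
    sha256sum -c and md5sum -c read). Returns {filename: lowercase digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # coreutils writes ' *name' for binary mode; strip the separator and marker
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def verify_fetched(path, expected, algo):
    """Compare the fetched file against the upstream-published digest.
    Returns (ok, actual_digest); comparison is case-insensitive."""
    actual = file_digest(path, algo)
    return actual == expected.lower(), actual


def recipe_checksum_lines(path):
    """The SRC_URI checksum lines BitBake wants, computed only from a file
    that has already been verified against upstream's own digest."""
    return [
        'SRC_URI[md5sum] = "%s"' % file_digest(path, "md5"),
        'SRC_URI[sha256sum] = "%s"' % file_digest(path, "sha256"),
    ]


def check_and_emit(path, upstream_name, sums_text, algo="sha256"):
    """Step 1: verify against upstream's digest (refuse if absent or wrong).
    Step 2: emit the recipe lines. Raises ValueError on any verification failure."""
    sums = parse_sums_file(sums_text)
    if upstream_name not in sums:
        raise ValueError("upstream publishes no %s digest for %s" % (algo, upstream_name))
    ok, actual = verify_fetched(path, sums[upstream_name], algo)
    if not ok:
        raise ValueError(
            "%s mismatch for %s: fetched file has %s, upstream publishes %s"
            % (algo, upstream_name, actual, sums[upstream_name])
        )
    return recipe_checksum_lines(path)


# Constructed sample: a stand-in "tarball" containing only b"hello\n"
def make_sample_tarball():
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    with os.fdopen(fd, "wb") as f:
        f.write(b"hello\n")
    return path


# Constructed stand-in for an upstream SHA256SUMS file (digest of b"hello\n")
UPSTREAM_SHA256SUMS = """\
# SHA256SUMS for the constructed sample release
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  foo-1.0.tar.gz
"""

if __name__ == "__main__":
    sample = make_sample_tarball()
    try:
        for line in check_and_emit(sample, "foo-1.0.tar.gz", UPSTREAM_SHA256SUMS):
            print(line)
        # A tampered digest makes the check refuse to emit recipe lines
        tampered = UPSTREAM_SHA256SUMS.replace("5891b5", "000000")
        try:
            check_and_emit(sample, "foo-1.0.tar.gz", tampered)
        except ValueError as e:
            print("refused:", e)
    finally:
        os.remove(sample)
```

The ordering is the point: `recipe_checksum_lines` is only called after `verify_fetched` has succeeded, so the digests that end up in the recipe are ones that agreed with upstream at the time the recipe was written, which is exactly the initial-build gap Paul describes. After that, BitBake's own checksum enforcement covers subsequent fetches.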