On reflection, it could be that the manual verification step is after you get the error to make things flow a bit more easily; the critical thing is it should be before you paste the values into the recipe and continue on with the build.
Cheers,
Paul

On Thursday 31 July 2014 13:36:28 Rifenbark, Scott M wrote:
> Ahh... okay. I will adjust.
>
> Thanks,
> Scott
>
> >-----Original Message-----
> >From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
> >Sent: Thursday, July 31, 2014 2:32 AM
> >To: Rifenbark, Scott M
> >Cc: Tiemo Krüger; yocto@yoctoproject.org
> >Subject: Re: [yocto] Yocto Project Manual
> >
> >This isn't quite what I was thinking of. Yes you should probably use the
> >upstream signatures if they provide them, but it's going to be rare that
> >both md5sum and sha256sum will be provided in my experience. That's why I
> >was suggesting:
> >
> >1) Recommend if *any* signatures are provided upstream (e.g. md5, sha1,
> >sha256, GPG, etc.) then you should verify these, by hand if necessary
> >(since we only deal with sha256sum and md5sum). This probably should be a
> >note box so that the importance is highlighted.
> >
> >2) Once that step has been performed if applicable, use the build-fail
> >mechanism to get what you need added to the recipe.
> >
> >Cheers,
> >Paul
> >
> >On Thursday 31 July 2014 06:39:38 Rifenbark, Scott M wrote:
> >> Hi,
> >>
> >> I have modified this paragraph a bit to deal with the best way to get
> >> these checksums. See
> >> http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.
> >> If there are further concerns just let me know and
> >> I can address them.
> >>
> >> Scott
> >>
> >> >-----Original Message-----
> >> >From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On Behalf Of Rifenbark, Scott M
> >> >Sent: Tuesday, July 29, 2014 4:25 AM
> >> >To: Paul Eggleton; Tiemo Krüger
> >> >Cc: yocto@yoctoproject.org
> >> >Subject: Re: [yocto] Yocto Project Manual
> >> >
> >> >Paul,
> >> >
> >> >This sounds reasonable. I will modify based on that practice.
> >> >
> >> >Thanks,
> >> >Scott
> >> >
> >> >>-----Original Message-----
> >> >>From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
> >> >>Sent: Tuesday, July 29, 2014 3:57 AM
> >> >>To: Rifenbark, Scott M; Tiemo Krüger
> >> >>Cc: yocto@yoctoproject.org
> >> >>Subject: Re: [yocto] Yocto Project Manual
> >> >>
> >> >>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
> >> >>> Thanks for noting this and contacting me. I am reposting to the
> >> >>> yocto@yoctoproject.org group for additional input. I will get
> >> >>> modifications into the manual.
> >> >>>
> >> >>> Best,
> >> >>> Scott
> >> >>>
> >> >>> >-----Original Message-----
> >> >>> >From: Tiemo Krüger [mailto:t...@mycable.de]
> >> >>> >Sent: Tuesday, July 29, 2014 2:50 AM
> >> >>> >To: Rifenbark, Scott M
> >> >>> >Subject: Yocto Project Manual
> >> >>> >
> >> >>> >Hello Scott,
> >> >>> >
> >> >>> >I just read a little bit in this doc:
> >> >>> >
> >> >>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
> >> >>> >
> >> >>> >and since your eMail is mentioned on top I contact you regarding
> >> >>> >the below paragraph in chapter 5.3.5
> >> >>> >
> >> >>> >"To find these checksums, you can comment the statements out and
> >> >>> >then attempt to build the software. The build will produce an
> >> >>> >error for each missing checksum and as part of the error message
> >> >>> >provide the correct checksum string. Once you have the correct
> >> >>> >checksums, simply copy them into your recipe for a subsequent
> >> >>> >build."
> >> >>> >
> >> >>> >We here really think this is the wrong way to create the
> >> >>> >checksums for a recipe since downloading them and then creating
> >> >>> >the checksum doesn't protect you against man in the middle attacks.
> >> >>
> >> >>From that point onwards it does, but not on the initial build when
> >> >>creating the recipe, you are correct. If the upstream website does
> >> >>provide checksums or GPG signatures (and quite a lot don't) then you
> >> >>should use those to verify the source that was fetched.
> >> >>
> >> >>> >The text should be modified
> >> >>> >that the checksums must at least be checked against the checksums
> >> >>> >provided by the original website even if this is still not
> >> >>> >completely safe. And simple command line tools like md5sum and
> >> >>> >sha256sum shall be mentioned.
> >> >>
> >> >>I think the simplest thing is to just add a note which says that you
> >> >>should verify what was fetched against whatever signatures are
> >> >>provided by the upstream (if any). You can still use the build-fail
> >> >>method we currently describe as well so that you get the exact lines
> >> >>you need to put in the recipe rather than having to type those out each
> >> >>time.
> >> >>
> >> >>Cheers,
> >> >>Paul
> >> >>
> >> >>--
> >> >>
> >> >>Paul Eggleton
> >> >>Intel Open Source Technology Centre
> >> >
> >> >--
> >> >_______________________________________________
> >> >yocto mailing list
> >> >yocto@yoctoproject.org
> >> >https://lists.yoctoproject.org/listinfo/yocto
> >
> >--
> >
> >Paul Eggleton
> >Intel Open Source Technology Centre

--
Paul Eggleton
Intel Open Source Technology Centre
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
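As an added example, not code from this thread or from the Yocto manual, the following POSIX shell script carries out the two-step practice the thread settles on: first check the fetched tarball against the digest the upstream site publishes, and only when that check passes emit the `SRC_URI[md5sum]` / `SRC_URI[sha256sum]` lines to paste into the recipe (the same lines the build-fail mechanism would report). The "tarball" and the upstream `SHA256SUMS` file are constructed inline so it runs offline; the script assumes the `digest  filename` layout written by `sha256sum`, which is what many upstreams ship. A GPG-signed release would need a separate `gpg --verify` step that is not shown here.

```shell
#!/bin/sh
# Added example (not from the thread or the Yocto manual): verify a fetched
# tarball against the upstream-published SHA-256 digest before recording any
# checksums in a recipe. Assumes SHA256SUMS uses the "digest  filename"
# layout produced by sha256sum.

# Print the hex SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Print the hex MD5 digest of a file.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_against_upstream TARBALL SUMSFILE
# Looks up the tarball's basename in the upstream SHA256SUMS file and compares
# digests. Returns 0 on a match and 1 on a mismatch or when no entry exists,
# so a file the upstream never listed counts as unverified, not as OK.
verify_against_upstream() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    # Strip the optional "*" binary-mode marker before matching the name.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no SHA-256 entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $name: upstream $expected, fetched $actual" >&2
        return 1
    fi
    return 0
}

# recipe_lines TARBALL
# Print the SRC_URI checksum assignments for an already-verified tarball,
# in the form they appear in a .bb file.
recipe_lines() {
    printf 'SRC_URI[md5sum] = "%s"\n' "$(md5_of "$1")"
    printf 'SRC_URI[sha256sum] = "%s"\n' "$(sha256_of "$1")"
}

# --- demo on constructed data (the "tarball" is just a small text file) ---
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/example-1.0.tar.gz"
# Constructed upstream SHA256SUMS entry; the digest is that of "hello\n".
printf '%s  example-1.0.tar.gz\n' \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    > "$demo_dir/SHA256SUMS"

if verify_against_upstream "$demo_dir/example-1.0.tar.gz" "$demo_dir/SHA256SUMS"; then
    echo "verified against upstream; paste into the recipe:"
    recipe_lines "$demo_dir/example-1.0.tar.gz"
fi

# Simulate a download altered in transit: no recipe lines may be produced.
printf 'hello world\n' > "$demo_dir/example-1.0.tar.gz"
if ! verify_against_upstream "$demo_dir/example-1.0.tar.gz" "$demo_dir/SHA256SUMS"; then
    echo "refusing to record checksums for an unverified download"
fi
rm -rf "$demo_dir"
```

The point of the ordering is the one Paul makes: once verified digests are in the recipe, every later fetch is protected, but the first fetch is only as trustworthy as whatever the upstream lets you check it against, so the recipe lines are generated only after that check succeeds.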