ok

>-----Original Message-----
>From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
>Sent: Thursday, July 31, 2014 6:46 AM
>To: Rifenbark, Scott M
>Cc: Tiemo Krüger; yocto@yoctoproject.org
>Subject: Re: [yocto] Yocto Project Manual
>
>On reflection, it could be that the manual verification step is after you get
>the error to make things flow a bit more easily; the critical thing is it
>should be before you paste the values into the recipe and continue on with
>the build.
>
>Cheers,
>Paul
>
>On Thursday 31 July 2014 13:36:28 Rifenbark, Scott M wrote:
>> Ahh... okay. I will adjust.
>>
>> Thanks,
>> Scott
>>
>> >-----Original Message-----
>> >From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
>> >Sent: Thursday, July 31, 2014 2:32 AM
>> >To: Rifenbark, Scott M
>> >Cc: Tiemo Krüger; yocto@yoctoproject.org
>> >Subject: Re: [yocto] Yocto Project Manual
>> >
>> >This isn't quite what I was thinking of. Yes you should probably use
>> >the upstream signatures if they provide them, but it's going to be
>> >rare that both md5sum and sha256sum will be provided in my
>> >experience. That's why I was suggesting:
>> >
>> >1) Recommend if *any* signatures are provided upstream (e.g. md5,
>> >sha1, sha256, GPG, etc.) then you should verify these, by hand if
>> >necessary (since we only deal with sha256sum and md5sum). This
>> >probably should be a note box so that the importance is highlighted.
>> >
>> >2) Once that step has been performed if applicable, use the
>> >build-fail mechanism to get what you need added to the recipe.
>> >
>> >Cheers,
>> >Paul
>> >
>> >On Thursday 31 July 2014 06:39:38 Rifenbark, Scott M wrote:
>> >> Hi,
>> >>
>> >> I have modified this paragraph a bit to deal with the best way to
>> >> get these checksums. See
>> >> http://www.yoctoproject.org/docs/1.7/dev-manual/dev-manual.html#new-recipe-fetching-code.
>> >> If there are further concerns just let me know and I can address them.
>> >>
>> >> Scott
>> >>
>> >> >-----Original Message-----
>> >> >From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On Behalf Of Rifenbark, Scott M
>> >> >Sent: Tuesday, July 29, 2014 4:25 AM
>> >> >To: Paul Eggleton; Tiemo Krüger
>> >> >Cc: yocto@yoctoproject.org
>> >> >Subject: Re: [yocto] Yocto Project Manual
>> >> >
>> >> >Paul,
>> >> >
>> >> >This sounds reasonable. I will modify based on that practice.
>> >> >
>> >> >Thanks,
>> >> >Scott
>> >> >
>> >> >>-----Original Message-----
>> >> >>From: Paul Eggleton [mailto:paul.eggle...@linux.intel.com]
>> >> >>Sent: Tuesday, July 29, 2014 3:57 AM
>> >> >>To: Rifenbark, Scott M; Tiemo Krüger
>> >> >>Cc: yocto@yoctoproject.org
>> >> >>Subject: Re: [yocto] Yocto Project Manual
>> >> >>
>> >> >>On Tuesday 29 July 2014 10:27:23 Rifenbark, Scott M wrote:
>> >> >>> Thanks for noting this and contacting me. I am reposting to
>> >> >>> the yocto@yoctoproject.org group for additional input. I will
>> >> >>> get modifications into the manual.
>> >> >>>
>> >> >>> Best,
>> >> >>> Scott
>> >> >>>
>> >> >>> >-----Original Message-----
>> >> >>> >From: Tiemo Krüger [mailto:t...@mycable.de]
>> >> >>> >Sent: Tuesday, July 29, 2014 2:50 AM
>> >> >>> >To: Rifenbark, Scott M
>> >> >>> >Subject: Yocto Project Manual
>> >> >>> >
>> >> >>> >Hello Scott,
>> >> >>> >
>> >> >>> >I just read a little bit in this doc:
>> >> >>> >
>> >> >>> >http://www.yoctoproject.org/docs/1.6/dev-manual/dev-manual.html#new-recipe-writing-a-new-recipe
>> >> >>> >
>> >> >>> >and since your eMail is mentioned on top I contact you
>> >> >>> >regarding the below paragraph in chapter 5.3.5
>> >> >>> >
>> >> >>> >"To find these checksums, you can comment the statements out
>> >> >>> >and then attempt to build the software. The build will produce
>> >> >>> >an error for each missing checksum and as part of the error
>> >> >>> >message provide the correct checksum string. Once you have the
>> >> >>> >correct checksums, simply copy them into your recipe for a
>> >> >>> >subsequent build."
>> >> >>> >
>> >> >>> >We here really think this is the wrong way to create the
>> >> >>> >checksums for a recipe since downloading them and then
>> >> >>> >creating the checksum doesn't protect you against man in the
>> >> >>> >middle attacks.
>> >> >>
>> >> >>From that point onwards it does, but not on the initial build
>> >> >>when creating the recipe, you are correct. If the upstream
>> >> >>website does provide checksums or GPG signatures (and quite a lot
>> >> >>don't) then you should use those to verify the source that was fetched.
>> >> >>
>> >> >>> >The text should be modified
>> >> >>> >that the checksums must at least be checked against the
>> >> >>> >checksums provided by the original website even if this is
>> >> >>> >still not completely safe. And simple command line tools like
>> >> >>> >md5sum and sha256sum shall be mentioned.
>> >> >>
>> >> >>I think the simplest thing is to just add a note which says that
>> >> >>you should verify what was fetched against whatever signatures
>> >> >>are provided by the upstream (if any). You can still use the
>> >> >>build-fail method we currently describe as well so that you get
>> >> >>the exact lines you need to put in the recipe rather than having
>> >> >>to type those out each time.
>> >> >>
>> >> >>Cheers,
>> >> >>Paul
>> >> >>
>> >> >>--
>> >> >>
>> >> >>Paul Eggleton
>> >> >>Intel Open Source Technology Centre
>> >
>> >--
>> >
>> >Paul Eggleton
>> >Intel Open Source Technology Centre
>
>--
>
>Paul Eggleton
>Intel Open Source Technology Centre
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
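The thread settles on a two-step practice: verify the fetched archive against whatever the upstream publishes (a checksum list checked by hand with md5sum/sha256sum, or a GPG signature), and only then paste the SRC_URI checksum lines into the recipe. The shell script below is an added example, not code from this thread or from the Yocto Project documentation. It assumes GNU coreutils (sha256sum, md5sum), awk and mktemp; the tarball, the honest SHA256SUMS list and the mismatching list are constructed inline so it runs offline, and the function names are invented for the illustration.

```shell
#!/bin/sh
# Added example, not from the yocto list thread or the Yocto Project docs.
# Assumes GNU coreutils (sha256sum, md5sum), awk and mktemp.
# The tarball and the upstream SHA256SUMS files below are constructed so the
# script runs offline; in practice SHA256SUMS would be downloaded from the
# upstream release page next to the tarball.

# verify_against_upstream FILE SUMS_FILE
#   Looks up FILE's basename in an upstream "<sha256>  <name>" list and
#   compares it with the locally computed digest. Returns 0 on match,
#   1 on mismatch or when the upstream list has no entry for the file.
verify_against_upstream() {
    file="$1"; sums="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no upstream checksum published for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# recipe_checksum_lines FILE
#   Prints the SRC_URI checksum lines in the form a BitBake recipe expects,
#   the same values the build-fail error message would report.
recipe_checksum_lines() {
    file="$1"
    printf 'SRC_URI[md5sum] = "%s"\n'    "$(md5sum "$file"    | awk '{ print $1 }')"
    printf 'SRC_URI[sha256sum] = "%s"\n' "$(sha256sum "$file" | awk '{ print $1 }')"
}

# --- constructed sample data (stands in for a real download) ---
workdir=$(mktemp -d)
tarball="$workdir/example-1.0.tar.gz"
printf 'constructed tarball contents\n' > "$tarball"

# Honest upstream list: digest of the file actually published.
good_sums="$workdir/SHA256SUMS"
(cd "$workdir" && sha256sum example-1.0.tar.gz > SHA256SUMS)

# Upstream list that does not match what was fetched (e.g. the download was
# altered in transit): the verification step must refuse it.
bad_sums="$workdir/SHA256SUMS.mismatch"
printf '%064d  example-1.0.tar.gz\n' 0 > "$bad_sums"

# Only emit recipe lines once the manual verification has passed.
if verify_against_upstream "$tarball" "$good_sums"; then
    echo "upstream checksum matches; lines to paste into the recipe:"
    recipe_checksum_lines "$tarball"
fi
if ! verify_against_upstream "$tarball" "$bad_sums"; then
    echo "mismatch against $bad_sums: do not add these checksums to the recipe" >&2
fi
```

Where upstream publishes a detached GPG signature rather than a checksum list, the equivalent manual step is `gpg --verify` on that signature before running `recipe_checksum_lines`; the script above covers only the checksum-list case. Either way the point of the thread holds: the values the build-fail error reports are only trustworthy after the fetched file has been checked against something the upstream published, because on the very first fetch the build itself has nothing to compare against.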