3 Aug
2016
3 Aug
'16
3:49 p.m.
Trammell Hudson wrote:
I'm worried that this introduces a minor, but potential security issue for the build process.
Yes, it certainly does.
Noone has spent time on solving the problem so far. Distributing and using some trust anchors is difficult without adding many dependencies to the build process.
Some people work with coreboot on Windows, making things even more complicated.
I would like to see individual downloaded files to be verified, as opposed to only a server certificate check.
//Peter