It looks like the util/crossgcc/buildgcc script disables HTTPS cert checks and doesn't have a way to verify the signatures or hashes of the files that it receives.
    download_showing_percentage() {
        url=$1
        printf " ..${red} 0%%"
        wget --no-check-certificate $url 2>&1 | while read line; do
            printf "${red}"
            echo $line | grep -o "[0-9]+%" | awk '{printf("\b\b\b\b%4s", $1)}'
            printf "${NC}"
        done
    }
I'm worried that this introduces a minor, but potential security issue for the build process.
Trammell Hudson wrote:
> I'm worried that this introduces a minor, but potential security issue for the build process.
Yes, it certainly does.
No one has spent time on solving the problem so far. Distributing and using some trust anchors is difficult without adding many dependencies to the build process.
Some people work with coreboot on Windows, making things even more complicated.
I would like to see individual downloaded files verified, as opposed to only a server certificate check.
//Peter
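
Added example (not part of the thread and not coreboot's own code): one way to do the per-file verification discussed above is to check each download against a SHA-256 digest pinned in a manifest kept in the source tree, so trust comes from the checkout rather than from the download server. The manifest format and the function names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example. Assumed manifest format, one entry per line:
#   <sha256-hex>  <filename>
# The manifest is expected to be version-controlled with the build script.

# Print the SHA-256 of a file as hex, using whichever common tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# pinned_digest MANIFEST NAME
# Exact match on the file-name field; prints nothing if NAME is not listed.
pinned_digest() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# verify_download MANIFEST FILE
# Returns 0 only if FILE is listed and its digest matches.
# Returns 2 if FILE has no pinned digest (fail closed).
# Returns 1 on mismatch and deletes FILE so a later build step
# cannot unpack it by accident.
verify_download() {
    manifest=$1
    file=$2
    want=$(pinned_digest "$manifest" "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "no pinned digest for $file" >&2
        return 2
    fi
    got=$(sha256_of "$file")
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $file" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}
```

A download helper would call verify_download right after wget returns and abort the build on any non-zero status.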