[coreboot] It appears the build process still uses unverified http wget sources
Taiidan at gmx.com
Taiidan at gmx.com
Sun Nov 6 23:31:26 CET 2016
I suppose you are correct, but would you have rather I didn't mention it?
I would love to, however I do not have the scripting skills required to
ensure proper verification and unfortunately there are multiple
dependencies that don't publish gpg signatures.
It isn't an easy task if we want close to 100% assurance.
https://blog.invisiblethings.org/2016/05/30/build-security.html
Simply changing the build process to https is an improvement over what
we have now but I do would rather not do a half baked solution that
depends on on the goodwill of every CA.
GMP_ARCHIVE="https://mirrors.kernel.org/gnu/gmp/gmp-${GMP_VERSION}.tar.xz"
MPFR_ARCHIVE="https://mirrors.kernel.org/gnu/mpfr/mpfr-${MPFR_VERSION}.tar.xz"
MPC_ARCHIVE="https://mirrors.kernel.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz"
LIBELF_ARCHIVE="https://fossies.org/linux/misc/libelf-${LIBELF_VERSION}.tar.gz"
GCC_ARCHIVE="https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.bz2"
BINUTILS_ARCHIVE="https://mirrors.kernel.org/gnu/binutils/binutils-${BINUTILS_VERSION}.tar.bz2"
GDB_ARCHIVE="https://mirrors.kernel.org/gnu/gdb/gdb-${GDB_VERSION}.tar.xz"
IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz"
PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz"
EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2"
MAKE_ARCHIVE="https://mirrors.kernel.org/gnu/make/make-${MAKE_VERSION}.tar.bz2"
On 11/06/2016 05:02 PM, Nico Huber wrote:
> On 06.11.2016 22:44, Taiidan at gmx.com wrote:
>> It is 2016 not 2001 and MITM's are a regular thing so this is a serious
>> issue.
> Yes, YOU haven't fixed that yet.
More information about the coreboot
mailing list