[coreboot] It appears the build process still uses unverified http wget sources

Taiidan at gmx.com Taiidan at gmx.com
Mon Nov 14 00:06:24 CET 2016


Shouldn't we be using sha256 or sha512? I am not a crypto expert but 
AFAIK couldn't sha1 collisions be easily generated with the type 
of resources available to someone who would want to attack coreboot?


On 11/06/2016 07:15 PM, Iru Cai wrote:
> buildgcc can verify the SHA1 sum of the tarballs, and the checksum is
> cloned from the git repository via HTTPS or SSH, so I think we don't need
> to worry.
>
> On Mon, Nov 7, 2016 at 5:44 AM, Taiidan at gmx.com <Taiidan at gmx.com> wrote:
>
>> It is 2016, not 2001, and MITMs are a regular thing so this is a serious
>> issue.
>
>
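
The check discussed in this thread (a digest pinned in the repository, a tarball fetched over plain HTTP), written with SHA-256 and failing closed, as an added example that is not coreboot's buildgcc code. The `<name>.sha256` file layout and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not coreboot's buildgcc). Assumed layout: <sumdir>/<name>.sha256
# holds the pinned hex digest as its first field and comes from the git checkout.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_tarball <tarball> <sumdir>
# 0 = digest matches, 1 = mismatch (file removed), 2 = nothing trustworthy to compare.
verify_tarball() {
    tarball=$1
    sumfile=$2/$(basename "$tarball").sha256
    [ -f "$tarball" ] || return 2
    [ -s "$sumfile" ] || return 2          # fail closed: no pinned digest, no trust
    expected=$(head -n 1 "$sumfile" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    # Accept only a full 64-digit hex value, so a 40-digit SHA-1 sum or a
    # truncated line cannot silently weaken the check.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$tarball") || return 2
    if [ "$actual" != "$expected" ]; then
        rm -f -- "$tarball"                # never leave an unverified file to unpack
        return 1
    fi
    return 0
}

# Constructed demo: a 3-byte stand-in "tarball" and its pinned digest.
demo=$(mktemp -d)
printf 'abc' > "$demo/example.tar"
echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example.tar" \
    > "$demo/example.tar.sha256"
verify_tarball "$demo/example.tar" "$demo" && echo "verified"
rm -rf "$demo"
```

The integrity guarantee rests on how the digest file reached the machine (here assumed to be the HTTPS or SSH git clone mentioned above), not on the transport used for the tarball itself.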