[coreboot] It appears the build process still uses unverified http wget sources

Taiidan at gmx.com Taiidan at gmx.com
Mon Nov 14 00:29:05 CET 2016

True, but quality security is about planning for the theoretical and not 
just closing the barn door after the animals have left already.

I am sure there are quite a lot of things that the public doesn't know 
about, kept secret by the shady people and organizations of the world

On 11/13/2016 06:26 PM, Nico Huber wrote:
> On 14.11.2016 00:06, Taiidan at gmx.com wrote:
>> Shouldn't we be using sha256 or sha512? I am not a crypto expert but
>> AFIAK couldn't sha1 collisions could be easily generated with the type
>> of resources available to someone who would want to attack coreboot?
> AFAIK, there is no known attack on SHA-1 yet that could break security
> in this scenario (the attacker wouldn't only have to find any collision
> but a collision for a given hash which takes a power of 2 in time).
> Anyway, there is a patch on review, that makes use of SHA-384 and should
> make the checksum generation trustworthy:
> https://review.coreboot.org/#/c/15170/
>> On 11/06/2016 07:15 PM, Iru Cai wrote:
>>> buildgcc can verify the SHA1 sum of the tarballs, and the checksum is
>>> cloned from the git repository via HTTPS or SSH, so I think we don't need
>>> to worry.
> Alas, the current checksum is only verified for already downloaded
> files.
> Nico

More information about the coreboot mailing list