[coreboot] It appears the build process still uses unverified http wget sources
Nico Huber
nico.h at gmx.de
Sun Nov 6 23:47:09 CET 2016
On 06.11.2016 23:30, Taiidan at gmx.com wrote:
> I suppose you are correct, but would you have rather I didn't mention it?
No, but you could have chosen kindlier words.
>
> I would love to, however I do not have the scripting skills required to
> ensure proper verification and unfortunately there are multiple
> dependencies that don't publish gpg signatures.
>
> It isn't an easy task if we want close to 100% assurance.
If you want that, best option would be to pay an expert.
>
> https://blog.invisiblethings.org/2016/05/30/build-security.html
>
> Simply changing the build process to https is an improvement over what
> we have now but I do would rather not do a half baked solution that
> depends on on the goodwill of every CA.
I agree. I haven't seen any hierarchical PKI I'd trust so far.
Nico
>
> GMP_ARCHIVE="https://mirrors.kernel.org/gnu/gmp/gmp-${GMP_VERSION}.tar.xz"
> MPFR_ARCHIVE="https://mirrors.kernel.org/gnu/mpfr/mpfr-${MPFR_VERSION}.tar.xz"
>
> MPC_ARCHIVE="https://mirrors.kernel.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz"
> LIBELF_ARCHIVE="https://fossies.org/linux/misc/libelf-${LIBELF_VERSION}.tar.gz"
>
> GCC_ARCHIVE="https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.bz2"
>
> BINUTILS_ARCHIVE="https://mirrors.kernel.org/gnu/binutils/binutils-${BINUTILS_VERSION}.tar.bz2"
>
> GDB_ARCHIVE="https://mirrors.kernel.org/gnu/gdb/gdb-${GDB_VERSION}.tar.xz"
> IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz"
>
> PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz"
>
> EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2"
>
> MAKE_ARCHIVE="https://mirrors.kernel.org/gnu/make/make-${MAKE_VERSION}.tar.bz2"
>
>
> On 11/06/2016 05:02 PM, Nico Huber wrote:
>
>> On 06.11.2016 22:44, Taiidan at gmx.com wrote:
>>> It is 2016 not 2001 and MITM's are a regular thing so this is a serious
>>> issue.
>> Yes, YOU haven't fixed that yet.
More information about the coreboot
mailing list