mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Bruno Thomsen <bth@kamstrup.com>
To: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Subject: Re: [ptxdist] Replace MD5 with SHA256 hashes all at once
Date: Mon, 3 Aug 2015 08:06:35 +0000	[thread overview]
Message-ID: <915054555B5659448ACF8A70E114824D01BD2D2FA7@Exchange2010.kamstrup.dk> (raw)
In-Reply-To: <20150721101633.GB14386@pengutronix.de>

Hi Michael,

> Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to download them all.
> And the first step must be to support checking md5 or sha256, whichever is available. We still need md5 so we don't break BSPs with local packages during the transition.
>
> > Sounds like a good idea, but then I would prefer that 2-3 ppl run the 
> > script, just to make sure different proxies are used.
>
> While this is a nice idea, this only works for the existing packages. I can't do the same for new packages or new versions of existing packages.

I don't expect we do this for new packages, only on exiting due to the sheer number of packages.

> So far the checksum has only been a protection against broken archives or stupid upstream. It is not a security feature. If we change that, then we need a way to verify, that the initial checksums are correct. I don't know how I can do that for new packages.

Ideally all upstream packages should include a SHA256 hash when they are releasing new versions.
Unfortunate we can't change the whole world in day :)
So continue with the current way of manual download and hash, but also include audit information about download URL (in case of mirrors) and date of download.

Suggested actions:
1) include SHA256 hash in rules
2) include audit info in commit message (hash source + date)
3) push upstream packages to include SHA256
4) prefer HTTPS/FTPS as source URL in rules


/Bruno

-- 
ptxdist mailing list
ptxdist@pengutronix.de

      reply	other threads:[~2015-08-03  6:07 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-07-19 12:44 Clemens Gruber
2015-07-21  5:26 ` Bruno Thomsen
2015-07-21 10:16   ` Michael Olbrich
2015-08-03  8:06     ` Bruno Thomsen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=915054555B5659448ACF8A70E114824D01BD2D2FA7@Exchange2010.kamstrup.dk \
    --to=bth@kamstrup.com \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox