I suppose you are correct, but would you have rather I didn't mention it?

I would love to; however, I do not have the scripting skills required to
ensure proper verification, and unfortunately there are multiple
dependencies that don't publish gpg signatures.

It isn't an easy task if we want close to 100% assurance.

https://blog.invisiblethings.org/2016/05/30/build-security.html

Simply changing the build process to https is an improvement over what
we have now, but I would rather not do a half-baked solution that
depends on the goodwill of every CA.

GMP_ARCHIVE="https://mirrors.kernel.org/gnu/gmp/gmp-${GMP_VERSION}.tar.xz";
MPFR_ARCHIVE="https://mirrors.kernel.org/gnu/mpfr/mpfr-${MPFR_VERSION}.tar.xz";
MPC_ARCHIVE="https://mirrors.kernel.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz";
LIBELF_ARCHIVE="https://fossies.org/linux/misc/libelf-${LIBELF_VERSION}.tar.gz";
GCC_ARCHIVE="https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.bz2";
BINUTILS_ARCHIVE="https://mirrors.kernel.org/gnu/binutils/binutils-${BINUTILS_VERSION}.tar.bz2";
GDB_ARCHIVE="https://mirrors.kernel.org/gnu/gdb/gdb-${GDB_VERSION}.tar.xz";
IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz";
PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz";
EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2";
MAKE_ARCHIVE="https://mirrors.kernel.org/gnu/make/make-${MAKE_VERSION}.tar.bz2";

On 11/06/2016 05:02 PM, Nico Huber wrote:
> On 06.11.2016 22:44, taii...@gmx.com wrote:
>> It is 2016 not 2001 and MITMs are a regular thing so this is a serious
>> issue.
> Yes, YOU haven't fixed that yet.


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot
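The message above argues that switching the archive URLs to https only moves trust to the CA system, and that the dependencies which publish no gpg signatures make "proper verification" hard. The following is an added example, not part of this thread and not coreboot's own buildgcc script: a small POSIX sh helper that verifies a downloaded tarball against a SHA-256 checksum pinned in the build script (which works even for the dependencies without signatures) and, when upstream does publish a detached signature, additionally checks it with gpg against a pinned keyring. The function names (sha256_of, verify_archive, fetch_and_verify) and the GMP_SHA256 variable in the usage comment are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example, not coreboot's buildgcc: verify a downloaded tarball
# against a checksum pinned in the build script, and against a detached
# GnuPG signature when upstream publishes one. With the hash pinned, the
# CA system is only a transport detail rather than the trust root.

# Print the SHA-256 digest of $1, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_archive FILE EXPECTED_SHA256 [SIGNATURE KEYRING]
# Returns 0 only if the digest matches and, when a signature file is
# given, gpg accepts it against the named keyring. Any failure returns 1.
verify_archive() {
    file=$1; expected=$2; sig=${3:-}; keyring=${4:-}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    if [ -n "$sig" ]; then
        # Only the pinned keyring is consulted, so a key fetched from the
        # network or sitting in the user's own keyring cannot satisfy it.
        gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$file" \
            >/dev/null 2>&1 || { echo "bad signature for $file" >&2; return 1; }
    fi
    return 0
}

# fetch_and_verify URL EXPECTED_SHA256 [SIG_URL KEYRING]
# Download with curl and refuse to proceed unless verification passes;
# a failed download is removed so a later run cannot silently reuse it.
fetch_and_verify() {
    url=$1; expected=$2; sigurl=${3:-}; keyring=${4:-}
    file=$(basename "$url")
    curl -fsSL -o "$file" "$url" || return 1
    sig=""
    if [ -n "$sigurl" ]; then
        sig=$(basename "$sigurl")
        curl -fsSL -o "$sig" "$sigurl" || return 1
    fi
    verify_archive "$file" "$expected" "$sig" "$keyring" || { rm -f "$file" "$sig"; return 1; }
}

# Usage in a buildgcc-style script (GMP_SHA256 is a hypothetical variable
# holding the hash you pinned when you first audited that release):
#   GMP_SHA256="<pinned sha256 of gmp-${GMP_VERSION}.tar.xz>"
#   fetch_and_verify "$GMP_ARCHIVE" "$GMP_SHA256" || exit 1
# For a project that ships gmp-X.tar.xz.sig, pass the .sig URL and a
# keyring file containing only that project's release key.
```

The checksum check is the part that closes the gap the thread describes: a hash recorded in the script at the time the release was reviewed is independent of both the mirror and the CA that issued its certificate, and it applies to every dependency, signed or not. The gpg step is layered on top for the projects that do sign, and it deliberately ignores the default keyring so that the set of accepted signers is fixed by the script, not by the machine it runs on.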
