[oe] Recent wordpress attacks and md5sum
Holger Freyther
zecke at selfish.org
Sun Mar 4 17:27:44 UTC 2007
On 04.03.2007 at 18:02, Koen Kooi wrote:
> I have a bunch of sources, but how do I know that these have the
> correct md5sum? Should we
> all run md5sum on our DL_DIR and compare results?
1. go to the HOMEPAGE of the software and compare their md5sum with
yours
2. write down a list of known and good md5sums and send them here
>
>
>> PS: I wonder if bitbake should refuse to fetch code without md5sum/
>> shasum
>
> Another extension for insane.bbclass? How do we handle mirrors for
> svn/cvs checkouts?
This is the tricky part with varying solutions. The best one is to
use git, mtn or a similar solution with some sort of builtin
security. From my understanding it is not easy to checkout a cracked
revision. And one could verify it.
For recipes with fixed revision/date we can add md5sum and then
compare the md5sum with the tarball we have created. There are some
issues with svn though. The .svn directories like to change and if
you have a different version of svn installed the md5sum will not
match. The same might apply to cvs. To get around that we could
add a flag to the SRC_URI (e.g. export=1) to use svn export which
will not contain a .svn directory. This can be a good compromise with
people developing inside the workdir.
Distributions should not build packages from an svn/cvs host unless
ssl/ssh is used and the certificate/key is checked. Additionally
using the export flag and md5sum should be checked.
E.g. we could toggle the export flag on distributions builds to not
conflict with people developing inside the workdir?
comments?
Agent z.
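One way to make the fixed-revision comparison discussed above reproducible, shown here as an added example that is not part of this thread and not BitBake's own code: hash the checked-out tree with the SCM metadata (.svn, CVS) skipped, then compare the digest against the value recorded in the recipe. The helper names and the constructed sample trees are assumptions.

```python
import hashlib
import os
import tempfile

# Directories whose contents vary between svn/cvs client versions and
# must not influence the digest (assumed set, extend as needed).
SKIP_DIRS = {".svn", "CVS"}

def tree_md5(root, skip_dirs=SKIP_DIRS):
    """md5 over relative paths and file contents under root, in sorted order."""
    h = hashlib.md5()
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into SCM metadata.
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h.update(rel.encode() + b"\0")  # path is part of the digest
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            h.update(b"\0")  # separator so file boundaries are unambiguous
    return h.hexdigest()

def verify_tree(root, expected_md5):
    """True when the tree digest equals the checksum recorded in the recipe."""
    return tree_md5(root) == expected_md5

def _make_tree(svn_entries, main_c="int main(void) { return 0; }\n"):
    """Constructed sample checkout: one source file plus a .svn directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "src", ".svn"))
    with open(os.path.join(root, "src", "main.c"), "w") as f:
        f.write(main_c)
    with open(os.path.join(root, "src", ".svn", "entries"), "w") as f:
        f.write(svn_entries)
    return root

def demo():
    """Digests for: two checkouts differing only in .svn, and a tampered one."""
    same_a = _make_tree("svn client 1.4 layout\n")
    same_b = _make_tree("svn client 1.5 layout, different bytes\n")
    tampered = _make_tree("svn client 1.4 layout\n",
                          main_c="int main(void) { return 1; }\n")
    return tree_md5(same_a), tree_md5(same_b), tree_md5(tampered)

if __name__ == "__main__":
    a, b, t = demo()
    print("same .svn-independent digest:", a == b, "tampered differs:", a != t)
```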