[oe] checksums situation
GNUtoo
GNUtoo at no-log.org
Tue Feb 24 22:10:05 UTC 2009
> Michael 'Mickey' Lauer wrote:
>> Am Montag, den 23.02.2009, 23:46 -0700 schrieb Tom Rini:
>>> I'm going to make a different suggestion. Lets just drop it.
>>
>> I'm in favour of this. I don't think they give us the safety we want and
>> they introduce more inconvenience.
>
> Drop checksum checking? I am not in favour of this. The check does
> provide valuable reassurance that the source's are not changing in
> "funny" ways. This is valuable data for many people.
>
> We have ways of disabling the checks for people who are less concerned
> with image integrity.
>
> I agree the current implementation is not perfect, but it is a good
> compromise.
I totally agree with keeping the checksums for 2 reasons:
*to be shure that the package stays the same over time: upstream could
have the bad idea of changing the tarball to put a fix into it without
changing the tarball's name
*security: that is also very important as threats are growing:
**nasty threats are growing(at least that's what I heard in the press)
such as computer infections(malware etc..)
**intrusion into citizen's computer by the state is legal in some countries:
http://yro.slashdot.org/article.pl?sid=09/01/04/2042242
**sometimes distributions repository get compromised
http://www.vnunet.com/vnunet/news/2224622/red-hat-admits-getting-hacked
And theses people could be interested in tampering some repositories...
I don't know every possible uses of openembedded but some people could:
*run ssh client on it
*have sensitive things on it(such as phones,pdas)
*run services(such as networking on hardware) where the availability is
important
*run industrial/military applications on it
etc...
Denis.
More information about the Openembedded-devel
mailing list