[oe] [meta-webserver] cherokee: fix SRC_URI

Paul Eggleton paul.eggleton at linux.intel.com
Thu Sep 5 12:15:28 UTC 2013


Hi Emil,

On Thursday 05 September 2013 14:04:23 Emil R. Petersen wrote:
> I can see that this is hosted on a University website, but is there a
> policy for using non-official mirrors?
> 
> This seems like it opens up a lot of potential security problems IMO.
> Not only could the third-party mirror be easy to compromise, but how
> would we assure we don't use a malicious mirror? Or that a malicious
> contributor doesn't add a deliberately tainted mirror?

The SRC_URI checksums protect against this being a problem. If the tarball was 
tampered with it could not pass both the md5sum and sha256sum.

> In short, is there some sort of policy on when and how we use
> third-party mirrors? Are security considerations part of the policy?

We use them if we're forced to; however we also have the option of uploading 
files to the openembedded.org mirrors if needed e.g. in the case where upstream 
completely goes away and there are no other stable mirrors.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
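
Added example, not part of the original message and not BitBake's own fetcher code: a Python illustration of the check described above, where a download is accepted only if it matches both the md5sum and sha256sum recorded in the recipe, whichever mirror served it. The recipe fragment, the mirror URL, the sample bytes and the helper names recipe_checksums and verify_download are constructed for illustration.

```python
import hashlib
import re

# Matches recipe lines such as: SRC_URI[sha256sum] = "abc..."
CHECKSUM_RE = re.compile(
    r'^SRC_URI\[(md5sum|sha256sum)\]\s*=\s*"([0-9a-fA-F]+)"\s*$', re.M)


def recipe_checksums(recipe_text):
    """Return the checksums declared in the recipe, keyed by flag name."""
    return {name: value.lower()
            for name, value in CHECKSUM_RE.findall(recipe_text)}


def verify_download(data, expected):
    """Return the names of checksums that are missing or do not match.

    An empty list means the download is accepted. A checksum the recipe
    does not declare counts as a failure instead of being skipped.
    """
    failures = []
    for name, algo in (("md5sum", "md5"), ("sha256sum", "sha256")):
        want = expected.get(name)
        got = hashlib.new(algo, data).hexdigest()
        if want is None or want != got:
            failures.append(name)
    return failures


# Constructed sample data standing in for the upstream tarball bytes.
ORIGINAL = b"constructed stand-in for the upstream tarball\n"
# Constructed copy as a modified mirror might serve it.
TAMPERED = ORIGINAL + b"extra bytes added by a mirror\n"

# Constructed recipe fragment; the checksums were recorded from ORIGINAL
# when the recipe was written, independently of any mirror.
RECIPE = (
    'SRC_URI = "http://mirror.example.org/example-1.0.tar.gz"\n'
    'SRC_URI[md5sum] = "%s"\n'
    'SRC_URI[sha256sum] = "%s"\n'
) % (hashlib.md5(ORIGINAL).hexdigest(), hashlib.sha256(ORIGINAL).hexdigest())

if __name__ == "__main__":
    expected = recipe_checksums(RECIPE)
    for label, blob in (("original", ORIGINAL), ("tampered", TAMPERED)):
        failed = verify_download(blob, expected)
        print(label, "accepted" if not failed else "rejected: %s" % failed)
```

The protection depends on the checksums in the recipe having been taken from a known-good copy and reviewed when the recipe changed; a change that swaps the mirror and the checksums together gets no protection from this check.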


