
Hi Heinrich,
On Wed, 27 Oct 2021 at 08:23, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
On 10/27/21 16:05, Simon Glass wrote:
Hi Heinrich,
On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
Downloading binaries and executing without checking the authenticity is at least unwise.
When binman downloads GCC it should also download and verify the GPG signatures.
Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.
Buildman? Yes that sounds like a nice feature. Did you hit a problem, or just come up with this idea? You could try the new issue tracker!
tools/buildman/toolchain.py
I have seen this script downloading binaries and executing them on my machine without verification. This makes me feel insecure.
This should only happen with --fetch-arch but if you see it happening without that, there is some kind of bug.
test/run invokes buildman.
The same is true for tools/docker/Dockerfile. As Docker does not use its own kernel you should avoid running untrusted binaries in a container.
OK I will leave this as an exercise for the reader.
Regards, Simon
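
An added example, not part of the original thread and not buildman's own code: one way to do the SHA256 check proposed above, refusing to keep a downloaded toolchain archive unless it matches a pinned hash. The file name, the archive bytes and the names `verify_download` and `PinError` are constructed for illustration; a GPG signature check would be a separate step.

```python
import hashlib
import hmac
import os
import tempfile


class PinError(Exception):
    """Raised when a download has no pinned hash or does not match it."""


def sha256_file(path, chunk=1 << 20):
    # Stream the file so large toolchain archives are not read into memory.
    digest = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path, pinned):
    """Return path if it matches its pinned SHA-256, else delete it and raise.

    pinned maps archive file name -> lowercase hex SHA-256. A file with no
    entry is rejected (fail closed) rather than accepted unverified.
    """
    name = os.path.basename(path)
    expected = pinned.get(name)
    actual = sha256_file(path)
    if expected is None or not hmac.compare_digest(actual, expected.lower()):
        os.unlink(path)  # never leave an unverified archive to be unpacked
        reason = 'no pinned hash' if expected is None else 'hash mismatch'
        raise PinError('%s: %s (got %s)' % (name, reason, actual))
    return path


def demo():
    good = b'constructed toolchain archive bytes'   # constructed sample data
    name = 'example-toolchain.tar.xz'               # hypothetical file name
    pinned = {name: hashlib.sha256(good).hexdigest()}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, data in (('good', good), ('tampered', good + b'!')):
            path = os.path.join(tmp, name)
            with open(path, 'wb') as f:
                f.write(data)
            try:
                verify_download(path, pinned)
                results[label] = 'ok'
            except PinError:
                results[label] = 'rejected'
            results[label + '_kept'] = os.path.exists(path)
    return results
```

The pinned list is only as trustworthy as the place it is stored, so it belongs in the reviewed source tree rather than being fetched alongside the archive.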