This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)


On Wed, 14 Sep 2016, Moritz Klammler wrote:

> be cleaner to only include those checksums that are actually needed.  On
> the other hand, it means an increased maintenance burden each time the
> version of the dependency is changed.  In order to mitigate this and

I really don't see it as an increased burden.  The maintainer shouldn't be 
using the checksum files on the server at all.  What they should do is:

* Download the tar file from ftp.gnu.org (at least for GMP / MPFR / MPC), 
*verify the GPG signature* and test with it.  (I'm not sure if the GNU 
keyring is currently published.)  The GPG signatures on ftp.gnu.org are 
from the maintainer who uploaded the package, whereas the checksum files 
on gcc.gnu.org are automatically generated from cron.  (I don't know if a 
secure way to download ISL from its origin has been added since 
<https://gcc.gnu.org/ml/gcc/2016-07/msg00003.html> raised the issue.)

* Update the script and the to-be-checked-in checksums, using the file 
they just downloaded and verified the signature of.

* Add the new file to the server before the script changes get checked in.

-- 
Joseph S. Myers
joseph@codesourcery.com
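The maintainer workflow described above, as an added shell example (not code from the thread or from the script it discusses): verify the detached GPG signature against an explicit keyring, and only then record the checksum that gets checked in; a consumer-side check against that recorded line is included. It assumes the tarball's `.sig` sits beside it, a keyring file path is supplied, and checksums are recorded as `sha512sum` lines (all assumptions).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: "$tarball.sig" is the
# detached signature, "$keyring" is a file containing the release keys, and
# the checked-in record is one "<sha512>  <file>" line per prerequisite.
set -eu

# Verify the signature against the given keyring only, so a stray key in the
# user's default keyring cannot satisfy the check.
verify_signature() {
    tarball=$1; keyring=$2
    gpg --no-default-keyring --keyring "$keyring" \
        --verify "$tarball.sig" "$tarball"
}

# The checksum line in the form that is checked in (hash, two spaces, name).
checksum_line() {
    sha512sum "$1"
}

# Maintainer step: the checksum is recorded only after the signature verifies,
# so the checked-in line inherits the trust of the upstream signature rather
# than of an automatically generated checksum file on the download server.
record_verified() {
    tarball=$1; keyring=$2; out=$3
    verify_signature "$tarball" "$keyring"
    checksum_line "$tarball" >> "$out"
}

# Consumer step: a freshly downloaded file is compared against the recorded
# line; a mismatch returns non-zero so the caller can refuse to build.
check_against_recorded() {
    file=$1; recorded=$2
    [ "$(checksum_line "$file")" = "$recorded" ]
}
```

Run `record_verified gmp-X.tar.bz2 gnu-keyring.gpg checksums.txt` once per verified download, and `check_against_recorded` with the matching line from `checksums.txt` when the script later fetches the file.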

