Ticket #48 (closed defect: fixed)

Opened 19 months ago

Last modified 9 months ago

xen: get rid of the downloadable *unsigned* components

Reported by: joanna
Owned by: joanna
Priority: major
Milestone: Release 1 Beta 2
Component: xen
Keywords:
Cc:

Description

The Xen Makefile downloads and builds some unsigned code that we don't even use in Qubes (qemu, etc.). Those files are downloaded over a plaintext connection, so they are subject to easy subversion by an attacker in the middle. Such an attack might result in a compromised package or developer's machine.

It's silly to have a signed xen package, that uses unsigned packages...

Change History

comment:1 Changed 19 months ago by joanna

  • Component changed from core to xen

comment:2 Changed 11 months ago by joanna

  • Milestone changed from Release 1 Beta 1 to Release 1 Beta 2

comment:3 Changed 10 months ago by joanna

  • Status changed from new to closed
  • Resolution set to duplicate

Covered by #217 now.

comment:4 Changed 9 months ago by joanna

  • Status changed from closed to reopened
  • Resolution duplicate deleted

comment:5 Changed 9 months ago by joanna

We should really get rid of all the wgets in the Xen Makefile, not just *hoping* that if we provide pre-downloaded and verified tgzs then those wgets wouldn't download anything.

comment:6 Changed 9 months ago by marmarek

  • Status changed from reopened to closed
  • Resolution set to fixed

Added a patch to remove wget invocations (only left in some tests, which aren't run during building).
Also added some more files to download (but they look unused in our configuration).

 http://git.qubes-os.org/gitweb/?p=marmarek/xen.git;a=commit;h=dcd6c0a4f2c6226a9b706e62469d420579c86975
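Comment 5 asks for the wgets to be removed outright so that the build can only use pre-downloaded, verified tarballs, and comment 6 reports the patch that does so. The script below is an added example of what that verification step can look like; it is not code from the Qubes or Xen repositories. It checks every pre-downloaded tarball listed in a manifest against a pinned SHA-256 digest, never touches the network, and fails closed when a file is missing or altered. The workspace, the `component.tgz` file name and the manifest layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Qubes' or Xen's own build code): verify pre-downloaded
# tarballs against pinned SHA-256 digests before building. Nothing here
# downloads anything; a missing or altered file is a hard failure.
# Requires sha256sum (GNU coreutils) and mktemp.

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when FILE exists and its SHA-256 digest equals EXPECTED_SHA256,
# 1 otherwise. Diagnostics go to stderr.
verify_tarball() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file (will not be fetched at build time)" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# check_manifest MANIFEST
# MANIFEST holds one "<sha256>  <path>" line per tarball (sha256sum format;
# paths without spaces). Every entry is checked so the log shows all bad
# files at once; returns 0 only if all of them verified.
check_manifest() {
    manifest=$1
    failures=0
    while read -r sum path; do
        [ -z "$sum" ] && continue
        verify_tarball "$path" "$sum" || failures=$((failures + 1))
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# make_workspace
# Creates a throwaway directory containing a constructed stand-in tarball
# and a manifest pinning its digest (this stands for the verified tgzs
# shipped alongside the Makefile). Prints the directory path.
make_workspace() {
    dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$dir/component.tgz"
    printf '%s  %s\n' "$(sha256sum "$dir/component.tgz" | cut -d' ' -f1)" \
        "$dir/component.tgz" > "$dir/MANIFEST"
    echo "$dir"
}

# Demonstration: a pristine tree verifies, a modified tarball is rejected,
# and a missing tarball is rejected rather than downloaded.
main() {
    ws=$(make_workspace)
    check_manifest "$ws/MANIFEST" && echo "pristine tree: ok, proceed with build"
    printf 'x' >> "$ws/component.tgz"
    check_manifest "$ws/MANIFEST" || echo "modified tarball: build refused"
    rm -f "$ws/component.tgz"
    check_manifest "$ws/MANIFEST" || echo "missing tarball: build refused"
    rm -rf "$ws"
}
main
```

The digest pinned in the tree is what turns a substituted or truncated download into a build failure instead of a silently compiled-in component; verifying a detached signature over the tarball would be the stronger check, but a pinned digest already removes the plaintext-download trust problem the ticket describes, provided the manifest itself lives in the signed source tree.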
