[Buildroot] [PATCHv2 1/1] package/rustc: add musl as an available Rust libc
Arnout Vandecappelle
arnout at mind.be
Thu May 20 06:55:06 UTC 2021
On 19/05/2021 17:01, Yann E. MORIN wrote:
>> Do you test the gpg keys and sha256sums "by hand" or is there a
>> utility used when version update commits occur?
> There is no tooling in the Buildroot tree, no. Verifying signatures is
> done manually. In this case, I think Thomas, after downloading all the
> archives and their .asc, basically did:
> for i in *.asc; do gpg --verify ${i}; done
>
> But this case is exceptional; usually, there is only one file for which
> to check the hash and signature, not 16! :-)
>
> Also, I do not usually verify many signatures, since I have almost zero
> connection in the WoT, so verifying a sig does not bring much benefit.
I do some kind of TOFU because I store the signing key so next time I update
the same package, the signature should match.
Of course, I rarely update any package, certainly not twice, so the benefit is
limited in my personal case :-)
Regards,
Arnout
> But if my download got compromised (maliciously or accidentally), the
> hash I added will be wrong for someone else, especially the autobuilders,
> and we can act on the issue.
>
> Of course, this does not work if the remote server was compromised, but
> in that case, checking the signatures without a good trust-chain in the
> WoT is useless too...
>
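As an added example that is not code from the thread, from Buildroot, or from either poster: a small sh helper that checks a Buildroot-style `.hash` file (`sha256  <hex>  <file>` lines) with `sha256sum -c` and pins the signer's key fingerprint on first use, so a later verification of the same package fails if the signing key changes even though gpg still reports the signature as valid. It assumes GnuPG is installed, detached signatures are named `<file>.asc`, and the function names below are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Buildroot-style .hash lines
# "sha256  <hex>  <file>", detached signatures named <file>.asc, and GnuPG's
# "[GNUPG:] VALIDSIG <fingerprint> ..." status line on --status-fd.
set -u

# check_hash_file DIR HASHFILE: verify every sha256 entry of HASHFILE against
# the files in DIR. Exit status is sha256sum's: 0 only if every entry matches.
check_hash_file() {
    dir=$1; hashfile=$2
    awk '$1 == "sha256" { print $2 "  " $3 }' "$hashfile" \
        | (cd "$dir" && sha256sum -c --quiet --strict -)
}

# pin_fingerprint PINFILE FPR: trust-on-first-use for the signing key.
# The first run records FPR in PINFILE; later runs require the same value,
# so an archive signed by a different key is refused.
pin_fingerprint() {
    pinfile=$1; fpr=$2
    if [ ! -s "$pinfile" ]; then
        printf '%s\n' "$fpr" > "$pinfile"
        echo "pinned signer $fpr (first use)"
        return 0
    fi
    pinned=$(head -n 1 "$pinfile")
    if [ "$pinned" = "$fpr" ]; then
        return 0
    fi
    echo "signer changed: pinned $pinned, got $fpr" >&2
    return 1
}

# verify_sig_tofu FILE PINFILE: check FILE against FILE.asc, then pin the
# fingerprint gpg reports. VALIDSIG is emitted for any cryptographically valid
# signature regardless of WoT trust, which is why the pin is what protects you.
verify_sig_tofu() {
    file=$1; pinfile=$2
    fpr=$(gpg --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || { echo "no valid signature for $file" >&2; return 1; }
    pin_fingerprint "$pinfile" "$fpr"
}
```

Usage for a package update: `check_hash_file dl/pkg package/pkg/pkg.hash && verify_sig_tofu dl/pkg/pkg-1.0.tar.gz package/pkg/signer.pin`; the hash check catches a corrupted or substituted download, the pin catches a changed signer.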