[Buildroot] [PATCHv2 1/1] package/rustc: add musl as an available Rust libc

Arnout Vandecappelle arnout at mind.be
Thu May 20 06:55:06 UTC 2021
On 19/05/2021 17:01, Yann E. MORIN wrote:
>> Do you test the gpg keys and sha256sums "by hand" or is there a
>> utility used when version update commits occur?
> There is no tooling in the Buildroot tree, no. Verifying signatures is
> done manually. In this case, I think Thomas, after downloading all the
> archives and their .asc, basically did:
>     for i in *.asc; do gpg --verify ${i}; done
> 
> But this case is exceptional; usually, there is only one file for which
> to check the hash and signature, not 16! :-)
> 
> Also, I do not usually verify many signatures, since I have almost zero
> connection in the WoT, so verifying a sig does not bring much benefit.

 I do some kind of TOFU because I store the signing key so next time I update
the same package, the signature should match.

 Of course, I rarely update any package, certainly not twice, so the benefit is
limited in my personal case :-)

 Regards,
 Arnout


> But if my download got compromised (maliciously or accidentally), the
> hash I added will be wrong for someone else, especially the autobuilders,
> and we can act on the issue.
> 
> Of course, this does not work if the remote server was compromised, but
> in that case, checking the signatures without a good trust-chain in the
> WoT is useless too...
> 
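The thread describes the hash half of the release-verification routine: a maintainer records the hashes of the archives they downloaded, and anyone else (the autobuilders in particular) who fetches the same files will see a mismatch if that original download was corrupted or tampered with. The following is an added example, not tooling from the Buildroot tree or from either poster; it assumes a Buildroot-style `.hash` file (`<algo>  <hexdigest>  <filename>` lines, `#` comments) and checks every archive listed in it, reporting `ok`, `mismatch` or `missing` per file. The signature half stays the `gpg --verify` loop quoted above; the `demo()` function builds its own constructed archives and hash file in a temporary directory so the check runs offline.

```python
"""Verify downloaded archives against a Buildroot-style .hash file (added example)."""
import hashlib
import hmac
import os
import tempfile


def parse_hash_file(text):
    """Parse '<algo>  <hexdigest>  <filename>' lines; blank lines and '#' comments are skipped.

    Returns a list of (algo, hexdigest, filename) tuples. Malformed lines raise
    ValueError instead of being ignored, so a damaged .hash file cannot silently
    drop an entry and make a file look unchecked-but-fine.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<algo> <hash> <file>', got {raw!r}")
        algo, digest, name = parts
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"line {lineno}: unsupported hash algorithm {algo!r}")
        entries.append((algo, digest.lower(), name))
    return entries


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large tarballs do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(hash_text, download_dir):
    """Check every entry of the .hash file against download_dir.

    Returns {filename: "ok" | "mismatch" | "missing"}. A missing file is reported
    rather than skipped, because an archive that never got checked is as much a
    finding as one whose digest differs.
    """
    results = {}
    for algo, expected, name in parse_hash_file(hash_text):
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = file_digest(path, algo)
        # Constant-time comparison; cheap insurance even for non-secret digests.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact archive, one altered after its hash was recorded, one absent."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed archive contents; names are placeholders, not real packages.
        good = b"archive-a contents (constructed)\n"
        original_b = b"archive-b contents as the maintainer downloaded them (constructed)\n"
        with open(os.path.join(d, "archive-a.tar.xz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "archive-b.tar.xz"), "wb") as f:
            f.write(original_b + b"\n# appended after the hash was recorded\n")

        # The .hash file records what the maintainer originally saw.
        hash_text = (
            "# Locally computed (constructed example)\n"
            f"sha256  {hashlib.sha256(good).hexdigest()}  archive-a.tar.xz\n"
            f"sha256  {hashlib.sha256(original_b).hexdigest()}  archive-b.tar.xz\n"
            f"sha256  {hashlib.sha256(b'never fetched').hexdigest()}  archive-c.tar.xz\n"
        )
        return verify_downloads(hash_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

In a real tree the `hash_text` would come from the package's `.hash` file and `download_dir` from the download cache; the point is that a second party's run of the same check flags the altered archive, which is exactly the detection the thread relies on.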