Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upsecurity review qubes-template-whonix Makefile #1319
Comments
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Oct 10, 2015
Member
TL;DR: it's ok
While make get-sources Qubes builder does the following things:
- downloads sources from git repository - this includes git tag verification
- download and verify (detached signatures, checsums) additional sources if component requires it - done by calling
get-sourcesandverify-sourcestargets in that repo (if exists)
The above is done by this script.
If get-sources target is implemented, verify-sources is also called. So if you don't need anything in verify-sources, you need just something like the above.
And indeed in this repo you don't need it, because get-sources target calls the get-sources script from qubes-builder, which takes care of signatures verification.
All that is coded to not require to calling make get-sources multiple times. When you execute initial make get-sources, the qubes-template-whonix component isn't downloaded yet so qubes-builder doesn't know about additional components. To solve this, those components are downloaded in get-sources stage here.
The alternative solution would be to add not just qubes-template-whonix to builder.conf, but the full list of components - not a big problem, but it makes dependency tracking somehow harder (you'd have Whonix template configuration partially in qubes-template-whonix and partially in qubes-builder).
|
TL;DR: it's ok While
The above is done by this script. All that is coded to not require to calling The alternative solution would be to add not just |
adrelanos commentedOct 10, 2015
Please have a look at:
I don't understand Qubes Builder well enough to make head or tail of if the following is sane.
Please have a lock at that file and close this ticket if it looks good overall.