/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xen: get rid of the downloadable *unsigned* components #48

Closed
marmarek opened this Issue Mar 8, 2015 · 6 comments

Comments

Assignees

@rootkovska rootkovska

Labels
Projects
None yet
Milestone
  Release 1 Beta 2
2 participants
@marmarek @rootkovska
@marmarek
Member

marmarek commented Mar 8, 2015

Reported by joanna on 30 Jun 2010 10:11 UTC
Xen Makefile downloads and builds some unsigned code, that we don't even use in Qubes (qemu, etc). Those files are downloaded over plaintext connection, so subject to easy subversion by an attacker in the middle. Such an attack might result in a compromised package or developers machine.

It's silly to have a signed xen package, that uses unsigned packages...

Migrated-From: https://wiki.qubes-os.org/ticket/48

@marmarek marmarek assigned rootkovska Mar 8, 2015

@marmarek marmarek added this to the Release 1 Beta 1 milestone Mar 8, 2015

@marmarek marmarek added bug C: core P: major labels Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by joanna on 4 Jul 2010 15:19 UTC
Member

marmarek commented Mar 8, 2015

Modified by joanna on 4 Jul 2010 15:19 UTC

@marmarek marmarek added C: xen and removed C: core labels Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by joanna on 1 Mar 2011 09:34 UTC
Member

marmarek commented Mar 8, 2015

Modified by joanna on 1 Mar 2011 09:34 UTC

@marmarek marmarek modified the milestones: Release 1 Beta 2, Release 1 Beta 1 Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 11 Apr 2011 12:04 UTC
Covered by #217 now.
Member

marmarek commented Mar 8, 2015

Comment by joanna on 11 Apr 2011 12:04 UTC
Covered by #217 now.

@marmarek marmarek added the R: duplicate label Mar 8, 2015

@marmarek marmarek closed this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by joanna on 2 May 2011 11:46 UTC
Member

marmarek commented Mar 8, 2015

Modified by joanna on 2 May 2011 11:46 UTC

@marmarek marmarek removed the R: duplicate label Mar 8, 2015

@marmarek marmarek reopened this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 2 May 2011 11:46 UTC
We should really get rid of all the wgets in the Xen Makefile, not just hoping that if we provide pre-downloaded and verified tgzs then those wgets wouldn't download anything.
Member

marmarek commented Mar 8, 2015

Comment by joanna on 2 May 2011 11:46 UTC
We should really get rid of all the wgets in the Xen Makefile, not just hoping that if we provide pre-downloaded and verified tgzs then those wgets wouldn't download anything.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 12 May 2011 16:23 UTC
Added patch to remove wget invokes (only left in some tests, which isn't run during building).
Also added some more files to download (but looks as unused in our configuration).

http://git.qubes-os.org/gitweb/?p=marmarek/xen.git;a=commit;h=dcd6c0a4f2c6226a9b706e62469d420579c86975
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 12 May 2011 16:23 UTC
Added patch to remove wget invokes (only left in some tests, which isn't run during building).
Also added some more files to download (but looks as unused in our configuration).

http://git.qubes-os.org/gitweb/?p=marmarek/xen.git;a=commit;h=dcd6c0a4f2c6226a9b706e62469d420579c86975

@marmarek marmarek closed this Mar 8, 2015

@marmarek marmarek referenced this issue Mar 8, 2015

Closed

Xen update #217

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment