/bugtracker

Suspicious data sources during build #774

Closed
EnSec4Git opened this Issue Oct 19, 2017 · 1 comment

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
No milestone
2 participants
@EnSec4Git @thestinger
@EnSec4Git

EnSec4Git commented Oct 19, 2017
edited
Edited 1 time
  • @EnSec4Git EnSec4Git edited Oct 19, 2017

Hi,
While performing the "Extracting vendor files for Nexus and Pixel devices" step during build, in particular in the vendor/android-prepare-vendor/execute-all.sh -d $DEVICE -b $GSBUILD_ID -o vendor/android-prepare-vendor, the script downloads the oatdump tool from pretty weird URLs, including (for me at least):

Both of these appear to be outside of Copperhead's control.
Can you clarify are there any legal reasons for not hosting the required files in GitHub or somewhere else?
@thestinger

This comment has been minimized.

Show comment Hide comment
@thestinger

thestinger Oct 19, 2017

Contributor

android-prepare-vendor isn't Copperhead software:

https://github.com/anestisb/android-prepare-vendor

The sha256sum of the oatdump download is verified so I don't see this as an issue.
Contributor

thestinger commented Oct 19, 2017

android-prepare-vendor isn't Copperhead software:

https://github.com/anestisb/android-prepare-vendor

The sha256sum of the oatdump download is verified so I don't see this as an issue.

@thestinger thestinger closed this Oct 19, 2017

@thestinger thestinger added the Type: question label Oct 19, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment