More Secure Route to Install LLVM 4.0 #31

Open
ghost opened this issue Jun 5, 2017 · 7 comments

@ghost

ghost commented Jun 5, 2017

I was troubled that LLVM:

  • Has no HTTPS on the release downloads
  • Offers no SSL-protected way to access secure hashes or GPG keys for verification

For Ubuntu 16.04 I found that the Rust PPA provides LLVM / Clang 4.0, so this might make a useful alternative for installing the toolchains in a secure way:

sudo add-apt-repository ppa:ubuntu-toolchain-r/rust
sudo apt-get update
sudo apt-get install llvm-4.0 llvm-4.0-dev clang-4.0

@hughperkins
Owner

Cool. Pull requests welcome :-) . Ideally, would be good to update in a few places :-)

  • build from source instructions
  • the default llvm-4.0 path, in the cmakelists.txt file

for the latter, you can do something like:

if(APPLE)
  set(CLANG_HOME /usr/local/opt/llvm-4.0 ...)
else()
  set(CLANG_HOME /wherever/the/ppa/above/installs/it ... )
endif(APPLE)

I can't remember if the path is specified in the tensorflow build somewhere. Might want to try a grep -r '/usr/local/opt/llvm-4.0' */, or similar.

@hughperkins
Owner

(it'd also be neat to have a check in the cmakelists, that the version of llvm is correct. Maybe based somehow on:

$ /usr/local/opt/llvm-4.0/bin/clang++ --version
clang version 4.0.0 (tags/RELEASE_400/final)
Target: x86_64-apple-darwin16.6.0
Thread model: posix
InstalledDir: /usr/local/opt/llvm-4.0/bin

)
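
One way to write the CMake version check suggested in the comment above, as an added example that is not part of the thread or the coriander repository. `CLANG_HOME` is the variable from the earlier snippet; `REQUIRED_CLANG_VERSION`, `parse_clang_version` and `check_clang_version` are hypothetical names chosen for illustration.

```cmake
# Added example, not the project's own code.
# Assumption: CLANG_HOME is set as in the CMakeLists snippet quoted in this thread.
cmake_minimum_required(VERSION 3.5)

set(REQUIRED_CLANG_VERSION "4.0")  # hypothetical name: major.minor the build expects

# Extract major.minor from the "clang version X.Y.Z ..." line of `clang++ --version`.
# Returns an empty string when that line is absent (e.g. a non-LLVM.org banner).
function(parse_clang_version version_output out_var)
  if("${version_output}" MATCHES "clang version ([0-9]+\\.[0-9]+)")
    set(${out_var} "${CMAKE_MATCH_1}" PARENT_SCOPE)
  else()
    set(${out_var} "" PARENT_SCOPE)
  endif()
endfunction()

# Fail the configure step unless ${clang_home}/bin/clang++ reports the required version.
function(check_clang_version clang_home)
  set(clangxx "${clang_home}/bin/clang++")
  if(NOT EXISTS "${clangxx}")
    message(FATAL_ERROR "clang++ not found at ${clangxx}; set CLANG_HOME")
  endif()
  execute_process(
    COMMAND "${clangxx}" --version
    OUTPUT_VARIABLE version_output
    ERROR_VARIABLE version_error
    RESULT_VARIABLE rc)
  if(NOT rc EQUAL 0)
    message(FATAL_ERROR "${clangxx} --version failed: ${version_error}")
  endif()
  parse_clang_version("${version_output}" found)
  if(NOT "${found}" STREQUAL "${REQUIRED_CLANG_VERSION}")
    message(FATAL_ERROR
      "Need clang ${REQUIRED_CLANG_VERSION}, got '${found}' from ${clangxx}")
  endif()
  message(STATUS "Using clang ${found} from ${clangxx}")
endfunction()

check_clang_version("${CLANG_HOME}")
```

This confirms which compiler the build picks up; it does not authenticate how that compiler was downloaded, which is the concern the issue opens with.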

@hughperkins
Owner

(Hmmm. Seeing as llvm is the underlying compiler of a ton of software, and is becoming ubiquitous, might be worth pointing out the lack of https with the llvm guys perhaps?)

@ghost
Author

ghost commented Jun 5, 2017

Even Ubuntu do this for their system images, years after an actual attack-in-the-wild was observed against Linux Mint's unsecured download page. It's maddening; these aren't speculative attacks, they're easy to mount and they have already happened to large, well-known projects.

@hughperkins
Owner

Open to a PR on this :-) . Basically, I think this would comprise:

  • update build document
  • update the default in the cmakelists
  • ditto for tf-coriander
  • update the dockerfiles, in both coriander, and tf-coriander
  • update the jenkins scripts, in both coriander, and tf-coriander
  • update the install scripts in tf-coriander

I guess it's about 2-4 hours work, plus another 4-12 hours for testing.

@ghost
Author

ghost commented Jun 17, 2017 via email

@hughperkins
Owner

I have a jenkins I can use to test stuff. It doesn't run automatically though, because of the cost of firing up a g2 instance, but I can run it on-demand occasionally. Gives output like https://s3.amazonaws.com/hughperkins-ci/tf-coriander/15-48e2a91.d/index.html
