When building appliances should check download against a checksum or GPG key #681

JedMeister · 2016-08-04T11:51:20Z

As suggested by @ashkulz on his recent PR against the limesurvey appliance appliances should check validity of download at build time.

JedMeister · 2017-08-09T03:46:35Z

Let's start introducing this into v15.0?! Thoughts?

JedMeister · 2020-10-13T23:12:01Z

Still haven't implemented this so bumping to v17.0.

Part of the issue is that we're often downloading files dynamically (so as to download the latest version) so we'd also need to discover the checksum and/or key to check against. Signed downloads would be easier in general (would only need to be updated when keys rotated) but it still doesn't seem that common...

JedMeister added feature security labels Aug 4, 2016

JedMeister added this to the 14.2 milestone Aug 4, 2016

JedMeister added the core label Jun 21, 2017

JedMeister modified the milestones: 15.0, 14.2 Jun 21, 2017

JedMeister added the discussion label Aug 9, 2017

JedMeister mentioned this issue Dec 17, 2017

Discussion: Conventions in /overlay/usr/local/src/ folder estevaocm/bitkey#21

Closed

JedMeister modified the milestones: 15.0, 15.1 Apr 18, 2018

JedMeister modified the milestones: 15.1, 16.0 Jan 12, 2020

JedMeister modified the milestones: 16.0, 17.0 Oct 13, 2020

JedMeister modified the milestones: 17.0, 18.0 Jul 21, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

When building appliances should check download against a checksum or GPG key #681

When building appliances should check download against a checksum or GPG key #681

JedMeister commented Aug 4, 2016

JedMeister commented Aug 9, 2017

JedMeister commented Oct 13, 2020

When building appliances should check download against a checksum or GPG key #681

When building appliances should check download against a checksum or GPG key #681

Comments

JedMeister commented Aug 4, 2016

JedMeister commented Aug 9, 2017

JedMeister commented Oct 13, 2020