Re: [Qemu-devel] [PATCH for-4.1 v3 00/12] bundle edk2 platform firmware with QEMU

[Paolo Bonzini]

On 27/03/19 17:24, Laszlo Ersek wrote:
> On 03/27/19 17:15, Paolo Bonzini wrote:
>> On 27/03/19 17:05, Daniel P. Berrangé wrote:
>>> On Wed, Mar 27, 2019 at 04:58:23PM +0100, Paolo Bonzini wrote:
>>>> On 27/03/19 16:30, Daniel P. Berrangé wrote:
>>>>> Perhaps the VM test scripts should do a "HEAD" request for the image
>>>>> every time to discover if it has been changed on the server, before
>>>>> honouring the local cache.
>>>>
>>>> Another possibility is to first download the shasum from
>>>> download.patchew.org, and compare _that_ against the one that is stored
>>>> locally, instead of hardcoding it in QEMU's repository.
>>>
>>> Personally I prefer the idea of having the shasum stored in the repo.
>>>
>>> That means that if we update git master to point to a newer image,
>>> previous stable branches will stick with their original image, rather
>>> than using a new image that may be incompatible with the stable branch
>>>
>>> Storing hash in git also means that if someone compromised the patchew
>>> server, they can't cause developer to run compromised images, without
>>> first also compromising git to change the hash.
>>
>> The two are not mutually exclusive.  We can warn if the hash doesn't
>> match against the one in QEMU, add a --force option, or whatever.
>>
>> Also, I have now created symlinks by hash at
>> http://download.patchew.org/by-sha256sum in case someone finds them useful.
> 
> Isn't this risky? If someone replaces an image file (keeping its name),
> the old symlink will continue "working", but the hash stated by the
> symlink's name will not match the pointed-to image file.

Well, the idea is that if you use them you also double-check what you
downloaded. :)

Paolo