Re: [Qemu-devel] [PATCH for-4.1 v3 00/12] bundle edk2 platform firmware with QEMU

[Wainer dos Santos Moschetta]

On 03/27/2019 01:15 PM, Paolo Bonzini wrote:
> On 27/03/19 17:05, Daniel P. Berrangé wrote:
> > On Wed, Mar 27, 2019 at 04:58:23PM +0100, Paolo Bonzini wrote:
> > > On 27/03/19 16:30, Daniel P. Berrangé wrote:
> > > > Perhaps the VM test scripts should do a "HEAD" request for the image
> > > > every time to discover if it has been changed on the server, before
> > > > honouring the local cache.
> > > Another possibility is to first download the shasum from
> > > download.patchew.org, and compare _that_ against the one that is stored
> > > locally, instead of hardcoding it in QEMU's repository.
> > Personally I prefer the idea of having the shasum stored in the repo.
> >
> > That means that if we update git master to point to a newer image,
> > previous stable branches will stick with their original image, rather
> > than using a new image that may be incompatible with the stable branch
> >
> > Storing hash in git also means that if someone compromised the patchew
> > server, they can't cause developer to run compromised images, without
> > first also compromising git to change the hash.
> The two are not mutually exclusive.  We can warn if the hash doesn't
> match against the one in QEMU, add a --force option, or whatever.

I'm about to send a patch to make vm-test work with Python3. I can work 
on that image checking mechanism you folks have discussed, unless 
someone is already working on it.

- Wainer

> Also, I have now created symlinks by hash at
> http://download.patchew.org/by-sha256sum in case someone finds them useful.
>
> Paolo