The Makefiles do not automatically perform the check that I expected them to perform when running a build. They check if the source tarballs are all present, but they don't check whether they match the checksum. This is only being done when "./make.sh downloadsrc" is being run.
In case of the automated builds, we explicitely run "./make.sh downloadsrc", so I don't think that this might have introduced any malicious source into the published builds.
Reported-by: Stephen Cuka stephen@firemypi.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- make.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/make.sh b/make.sh index ee098d9a3..4f2a66b09 100755 --- a/make.sh +++ b/make.sh @@ -939,7 +939,7 @@ lfsmake1() { exiterror "Downloading ${pkg}" fi
- if ! make_pkg --timer="update_runtime" "${pkg}" TOOLCHAIN=1 ROOT="${BUILD_DIR}" "$@"; then + if ! make_pkg --timer="update_runtime" "${pkg}" TOOLCHAIN=1 ROOT="${BUILD_DIR}" b2 "$@"; then print_status FAIL
exiterror "Building ${pkg}" @@ -962,7 +962,7 @@ lfsmake2() { fi
# Run install on the package - if ! make_pkg --chroot --timer="update_runtime" "${pkg}" install "$@"; then + if ! make_pkg --chroot --timer="update_runtime" "${pkg}" b2 install "$@"; then print_status FAIL
exiterror "Building ${pkg}"