This is an archive of the discontinued LLVM Phabricator instance.

Getting started docs: https, and check signature
ClosedPublic

Authored by jfb on Jun 30 2015, 11:34 AM.

Download Raw Diff

Details

Reviewers

Commits

rGfa31f9f89f32: Getting started docs: https, and check signature
rL241138: Getting started docs: https, and check signature

Summary

Download should be over https, not insecure ftp at least for the signature and key files. The signature should also get verified.

Diff Detail

Repository: rL LLVM

Event Timeline

jfb updated this revision to Diff 28803.Jun 30 2015, 11:34 AM

jfb retitled this revision from to Getting started docs: https, and check signature.

jfb updated this object.

jfb edited the test plan for this revision. (Show Details)

jfb added a reviewer: chandlerc.

jfb added a subscriber: Unknown Object (MLST).

Closed by commit rL241138: Getting started docs: https, and check signature (authored by jfb). · Explain WhyJun 30 2015, 8:32 PM

This revision was automatically updated to reflect the committed changes.

I mean, this looks good.

But why ask me to review only to commit without waiting? =[ If this were code, I'd be rather annoyed as you know better. As it's just documentation, I'm just a bit annoyed because I pulled up the page to write "LGTM" without any purpose.

jyasskin added a subscriber: jyasskin.Jul 1 2015, 10:38 AM

jyasskin added inline comments.

llvm/trunk/docs/GettingStarted.rst
331	There's not much point fetching the signing key over exactly the same transport as the data. If someone's compromised ftp.gnu.org, they can replace the key at the same time as they replace the signature. Either trust just HTTPS or fetch the signing key from somewhere else.

Revision Contents

Path

Size

llvm/

trunk/

docs/

GettingStarted.rst

6 lines

Diff 28840

llvm/trunk/docs/GettingStarted.rst

Show First 20 Lines • Show All 320 Lines • ▼ Show 20 Lines	.. _toolchain testing PPA:
https://launchpad.net/~ubuntu-toolchain-r/+archive/test		https://launchpad.net/~ubuntu-toolchain-r/+archive/test
.. _ask ubuntu stack exchange:		.. _ask ubuntu stack exchange:
http://askubuntu.com/questions/271388/how-to-install-gcc-4-8-in-ubuntu-12-04-from-the-terminal		http://askubuntu.com/questions/271388/how-to-install-gcc-4-8-in-ubuntu-12-04-from-the-terminal

Easy steps for installing GCC 4.8.2:		Easy steps for installing GCC 4.8.2:

.. code-block:: console		.. code-block:: console

% wget ftp://ftp.gnu.org/gnu/gcc/gcc-4.8.2/gcc-4.8.2.tar.bz2		% wget https://ftp.gnu.org/gnu/gcc/gcc-4.8.2/gcc-4.8.2.tar.bz2
		% wget https://ftp.gnu.org/gnu/gcc/gcc-4.8.2/gcc-4.8.2.tar.bz2.sig
		% wget https://ftp.gnu.org/gnu/gnu-keyring.gpg
		jyasskinUnsubmitted Not Done Reply Inline Actions There's not much point fetching the signing key over exactly the same transport as the data. If someone's compromised ftp.gnu.org, they can replace the key at the same time as they replace the signature. Either trust just HTTPS or fetch the signing key from somewhere else. jyasskin: There's not much point fetching the signing key over exactly the same transport as the data. If…
		% signature_invalid=`gpg --verify --no-default-keyring --keyring ./gnu-keyring.gpg gcc-4.8.2.tar.bz2.sig`
		% if [ $signature_invalid ]; then echo "Invalid signature" ; exit 1 ; fi
% tar -xvjf gcc-4.8.2.tar.bz2		% tar -xvjf gcc-4.8.2.tar.bz2
% cd gcc-4.8.2		% cd gcc-4.8.2
% ./contrib/download_prerequisites		% ./contrib/download_prerequisites
% cd ..		% cd ..
% mkdir gcc-4.8.2-build		% mkdir gcc-4.8.2-build
% cd gcc-4.8.2-build		% cd gcc-4.8.2-build
% $PWD/../gcc-4.8.2/configure --prefix=$HOME/toolchains --enable-languages=c,c++		% $PWD/../gcc-4.8.2/configure --prefix=$HOME/toolchains --enable-languages=c,c++
% make -j$(nproc)		% make -j$(nproc)
▲ Show 20 Lines • Show All 939 Lines • Show Last 20 Lines