packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pull: Verify checksums from static deltas unless gpg signed summary 

Otherwise untrusted repos can lie about the commit ids.
This commit is contained in:
Alexander Larsson 2015-10-19 09:23:52 +02:00
parent ec56fea821
commit 598afd5030
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/libostree/ostree-repo-pull.c
View File

@ -977,7 +977,8 @@ static_deltapart_fetch_on_complete (GObject *object,
_ostree_static_delta_part_execute_async (pull_data->repo, _ostree_static_delta_part_execute_async (pull_data->repo,
fetch_data->objects, fetch_data->objects,
delta_data, delta_data,
TRUE, /* Trust checksums if summary was gpg signed */
pull_data->gpg_verify_summary && pull_data->summary_data_sig,
pull_data->cancellable, pull_data->cancellable,
on_static_delta_written, on_static_delta_written,
fetch_data); fetch_data);
@ -1629,7 +1630,8 @@ process_one_static_delta (OtPullData *pull_data,
_ostree_static_delta_part_execute_async (pull_data->repo, _ostree_static_delta_part_execute_async (pull_data->repo,
fetch_data->objects, fetch_data->objects,
delta_data, delta_data,
TRUE, /* Trust checksums if summary was gpg signed */
pull_data->gpg_verify_summary && pull_data->summary_data_sig,
pull_data->cancellable, pull_data->cancellable,
on_static_delta_written, on_static_delta_written,
fetch_data); fetch_data);