Re: [Qemu-devel] [PATCH for-4.1 v3 00/12] bundle edk2 platform firmware with QEMU

[Paolo Bonzini]

On 27/03/19 21:27, Philippe Mathieu-Daudé wrote:
> 
> 
> Le mer. 27 mars 2019 17:06, Daniel P. Berrangé <address@hidden
> <mailto:address@hidden>> a écrit :
> 
>     On Wed, Mar 27, 2019 at 04:58:23PM +0100, Paolo Bonzini wrote:
>     > On 27/03/19 16:30, Daniel P. Berrangé wrote:
>     > > Perhaps the VM test scripts should do a "HEAD" request for the image
>     > > every time to discover if it has been changed on the server, before
>     > > honouring the local cache.
>     >
>     > Another possibility is to first download the shasum from
>     > download.patchew.org <http://download.patchew.org>, and compare
>     _that_ against the one that is stored
>     > locally, instead of hardcoding it in QEMU's repository.
> 
>     Personally I prefer the idea of having the shasum stored in the repo.
> 
>     That means that if we update git master to point to a newer image,
>     previous stable branches will stick with their original image, rather
>     than using a new image that may be incompatible with the stable branch
> 
>     Storing hash in git also means that if someone compromised the patchew
>     server, they can't cause developer to run compromised images, without
>     first also compromising git to change the hash.
> 
> 
> And we can git bisect too, right?

Only if the image is never overwritten with another one with the same
name (which was also the idea behind storing the files by hash on the
server).

Paolo