Joanna Rutkowska
2010-Jun-18 12:10 UTC
[Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:

http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz

which for me reads:

f8d001eb9e08525c451d38deb93908b1

is *different* than expected by Fedora F13 RPM:

http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup

which is:

cbe84c44bc156ad1b4a20dc1c73464b8

So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their original Makefile for RPM building), and diffed the two versions -- changes (cosmetic cleanup mostly) are innocent, but, hey, why would anybody do such a thing? After all, we would expect only one version of xen-XXX.tar.gz, right? Patches should be the proper way for customizing tarballs for packaging, no?

Or am I missing something?

joanna.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Joanna Rutkowska
2010-Jun-18 12:23 UTC
[Xen-devel] Re: Different xen-3.4.3.tar.gz in Fedora RPM
On 06/18/2010 02:10 PM, Joanna Rutkowska wrote:
> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>
> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>
> which for me reads:
>
> f8d001eb9e08525c451d38deb93908b1
>
> is *different* than expected by Fedora F13 RPM:
>
> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>
> which is:
>
> cbe84c44bc156ad1b4a20dc1c73464b8
>
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --

You can also download the fedora version of xen-3.4.3.tar.gz using this direct link:

http://cvs.fedoraproject.org/repo/pkgs/xen/xen-3.4.3.tar.gz/cbe84c44bc156ad1b4a20dc1c73464b8/xen-3.4.3.tar.gz

j.
Pasi Kärkkäinen
2010-Jun-18 12:39 UTC
Re: [Xen-devel] Re: Different xen-3.4.3.tar.gz in Fedora RPM
On Fri, Jun 18, 2010 at 02:23:10PM +0200, Joanna Rutkowska wrote:
> On 06/18/2010 02:10 PM, Joanna Rutkowska wrote:
> > So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
> >
> > http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
> >
> > which for me reads:
> >
> > f8d001eb9e08525c451d38deb93908b1
> >
> > is *different* than expected by Fedora F13 RPM:
> >
> > http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
> >
> > which is:
> >
> > cbe84c44bc156ad1b4a20dc1c73464b8
> >
> > So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> > original Makefile for RPM building), and diffed the two versions --
>
> You can also download the fedora version of xen-3.4.3.tar.gz using this
> direct link:
>
> http://cvs.fedoraproject.org/repo/pkgs/xen/xen-3.4.3.tar.gz/cbe84c44bc156ad1b4a20dc1c73464b8/xen-3.4.3.tar.gz
>

Michael (CC) might know more about it..

-- Pasi
Keir Fraser
2010-Jun-18 12:57 UTC
Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
On 18/06/2010 13:10, "Joanna Rutkowska" <joanna@invisiblethingslab.com> wrote:
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --
> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
> anybody do such a thing? After all, we would expect only one version of
> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
> tarballs for packaging, no?
>
> Or am I missing something?

Well, I think this and your other point have one simple answer. If I wanted the maximum possible confidence in the bits I was building, I would obtain them from the original source, as it were. In this case that means, for example:

# hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg

If you want your own tarball for some reason:

# hg archive -t tgz xen-3.4.3.tar.gz

It doesn't seem very hard to me. I maintain the repo and sign the releases myself. Downloading tarballs from Fedora, or even from our own xen.org website, introduces more people between you and me. And it seems you very likely care about that.

-- Keir

> joanna.
>
Joanna Rutkowska
2010-Jun-18 13:07 UTC
Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
On 06/18/2010 02:57 PM, Keir Fraser wrote:
> On 18/06/2010 13:10, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
> wrote:
>
>> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
>> original Makefile for RPM building), and diffed the two versions --
>> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
>> anybody do such a thing? After all, we would expect only one version of
>> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
>> tarballs for packaging, no?
>>
>> Or am I missing something?
>
> Well, I think this and your other point have one simple answer. If I wanted
> the maximum possible confidence in the bits I was building, I would obtain
> them from the original source, as it were. In this case that means, for
> example:
> # hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg
> If you want your own tarball for some reason:
> # hg archive -t tgz xen-3.4.3.tar.gz
>
> It doesn't seem very hard to me. I maintain the repo and sign the releases
> myself.

But you *do* publish sigs for Xen 4:

http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig

So, why can't you do the same for 3.4.3 tarball?

Sure, I could use hg in my RPM Makefile, but this would require me to install hg first, and also the download process I think takes longer than if it was a simple tar, and also requires creating a tmp directory that later must be removed.

> Downloading tarballs from Fedora, or even from our own xen.org
> website, introduces more people between you and me. And it seems you
> very likely care about that.
>

From the security point of view it doesn't matter, as long as both are signed by one of the keys signed by xen.org.

j.
Keir Fraser
2010-Jun-18 13:19 UTC
Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
On 18/06/2010 14:07, "Joanna Rutkowska" <joanna@invisiblethingslab.com> wrote:
>> It doesn't seem very hard to me. I maintain the repo and sign the releases
>> myself.
>
> But you *do* publish sigs for Xen 4:
>
> http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig
>
> So, why can't you do the same for 3.4.3 tarball?

I imagine Ian can publish one.

-- Keir
M A Young
2010-Jun-18 13:25 UTC
Re: [Xen-devel] Re: Different xen-3.4.3.tar.gz in Fedora RPM
On Fri, 18 Jun 2010, Pasi Kärkkäinen wrote:
> On Fri, Jun 18, 2010 at 02:23:10PM +0200, Joanna Rutkowska wrote:
>> On 06/18/2010 02:10 PM, Joanna Rutkowska wrote:
>>> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>>>
>>> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>>>
>>> which for me reads:
>>>
>>> f8d001eb9e08525c451d38deb93908b1
>>>
>>> is *different* than expected by Fedora F13 RPM:
>>>
>>> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>>>
>>> which is:
>>>
>>> cbe84c44bc156ad1b4a20dc1c73464b8
>>>
>>> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
>>> original Makefile for RPM building), and diffed the two versions --
>>
>> You can also download the fedora version of xen-3.4.3.tar.gz using this
>> direct link:
>>
>> http://cvs.fedoraproject.org/repo/pkgs/xen/xen-3.4.3.tar.gz/cbe84c44bc156ad1b4a20dc1c73464b8/xen-3.4.3.tar.gz
>>
>
> Michael (CC) might know more about it..

Yes, they will be different. I failed to find an official xen-3.4.3.tar.gz when I built the rpm so I glued one together myself from the git and hg repositories (judging by the dates of the unpacked tar file I think the official file was created after mine). I have compared the two now, and although there are slight differences (eg. more hg/git files left in the official ones), they are functionally equivalent.

Michael Young
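A mismatching MD5 of two .tar.gz files says nothing about *what* differs: gzip timestamps, member order, ownership and stray VCS metadata all change the archive hash while the sources stay identical. The check Joanna ran by hand and Michael describes above (member-by-member content comparison, with hg/git leftovers reported separately) can be scripted. This is an added example, not code from the thread or from the Xen project; the two archives it inspects are constructed in memory and only stand in for the real tarballs.

```python
import hashlib
import io
import tarfile


def _is_vcs(path: str) -> bool:
    """True for .hg/, .hgtags, .git/, .gitignore and similar VCS leftovers."""
    return any(p.startswith((".hg", ".git")) for p in path.split("/"))


def digest_members(data: bytes) -> dict:
    """Map each regular file in a .tar.gz (as bytes) to the sha256 of its content.
    The top-level directory is stripped so differently named roots still compare."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf:
            if m.isfile():
                name = m.name.split("/", 1)[-1]
                out[name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out


def compare_tarballs(a: bytes, b: bytes) -> dict:
    """Report members only in a, only in b, changed content, and VCS-only paths."""
    da, db = digest_members(a), digest_members(b)
    vcs = sorted(p for p in set(da) | set(db) if _is_vcs(p))
    da = {k: v for k, v in da.items() if not _is_vcs(k)}
    db = {k: v for k, v in db.items() if not _is_vcs(k)}
    return {
        "only_a": sorted(set(da) - set(db)),
        "only_b": sorted(set(db) - set(da)),
        "changed": sorted(p for p in set(da) & set(db) if da[p] != db[p]),
        "vcs_only": vcs,
    }


def make_tarball(top: str, files: dict) -> bytes:
    """Build a constructed .tar.gz in memory (sample input, not a real Xen release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(content.encode())
            tf.addfile(info, io.BytesIO(content.encode()))
    return buf.getvalue()


# Constructed stand-ins: one archive keeps an hg tag file, the other has a
# whitespace-only cleanup in one source file; everything else is identical.
OFFICIAL = make_tarball("xen-3.4.3", {"Makefile": "all:\n\tmake -C xen\n",
                                      "xen/common/sched.c": "int x = 1;  \n",
                                      ".hgtags": "abc RELEASE-3.4.3\n"})
FEDORA = make_tarball("xen-3.4.3", {"Makefile": "all:\n\tmake -C xen\n",
                                    "xen/common/sched.c": "int x = 1;\n"})
```

Run `compare_tarballs(OFFICIAL, FEDORA)` on two real archives read from disk to get the same four lists; an empty `changed`/`only_*` with a non-empty `vcs_only` is exactly the "functionally equivalent" outcome described above.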
On 18/06/10 13:10, Joanna Rutkowska wrote:
> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>
> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>
> which for me reads:
>
> f8d001eb9e08525c451d38deb93908b1
>
> is *different* than expected by Fedora F13 RPM:
>
> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>
> which is:
>
> cbe84c44bc156ad1b4a20dc1c73464b8
>
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --
> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
> anybody do such a thing? After all, we would expect only one version of
> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
> tarballs for packaging, no?
>
> Or am I missing something?
>
> joanna.
>

I find this quite worrying as well. If one set of source has been tampered with, which one has been tampered with? Did someone modify the Fedora sources rather than patch them? Were the Xensource patches re-generated without incrementing the version number?

I'm rather less worried that the changes are malicious knowing your reputation :-) but even so this is still worrying.

jch
On Fri, 18 Jun 2010, Keir Fraser wrote:
> On 18/06/2010 13:10, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
> wrote:
>
>> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
>> original Makefile for RPM building), and diffed the two versions --
>> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
>> anybody do such a thing? After all, we would expect only one version of
>> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
>> tarballs for packaging, no?
>>
>> Or am I missing something?
>
> Well, I think this and your other point have one simple answer. If I wanted
> the maximum possible confidence in the bits I was building, I would obtain
> them from the original source, as it were. In this case that means, for
> example:
> # hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg
> If you want your own tarball for some reason:
> # hg archive -t tgz xen-3.4.3.tar.gz
>
> It doesn't seem very hard to me. I maintain the repo and sign the releases
> myself. Downloading tarballs from Fedora, or even from our own xen.org
> website, introduces more people between you and me. And it seems you very
> likely care about that.

Though bear in mind that producing xen-3.4.3.tar.gz in this way means you will download the qemu parts from http://xenbits.xensource.com/git-http/qemu-xen-3.4-testing.git at build time, which might not be what you want.

Michael Young
Ian Jackson
2010-Jun-18 15:42 UTC
Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
Keir Fraser writes ("Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM"):
> On 18/06/2010 14:07, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
> wrote:
> > But you *do* publish sigs for Xen 4:
> > http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig
> > So, why can't you do the same for 3.4.3 tarball?

Well spotted. This was a mistake; my release script failed to do "vcs add" to add the signature (which I did generate at the time) to the tree which got uploaded to the distribution site.

I have now uploaded the signature and added a link to it on the archive release webpage for 3.4.4

Ian.
Joanna Rutkowska
2010-Jun-18 16:00 UTC
Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
On 06/18/2010 05:42 PM, Ian Jackson wrote:
> Keir Fraser writes ("Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM"):
>> On 18/06/2010 14:07, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
>> wrote:
>>> But you *do* publish sigs for Xen 4:
>>> http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig
>>> So, why can't you do the same for 3.4.3 tarball?
>
> Well spotted. This was a mistake; my release script failed to do "vcs
> add" to add the signature (which I did generate at the time) to the
> tree which got uploaded to the distribution site.
>
> I have now uploaded the signature and added a link to it on the
> archive release webpage for 3.4.4
>

Many thanks Ian! My Makefile is happy now [1] :)

joanna.

[1] https://qubes-os.org/gitweb/?p=joanna/xen.git;a=commitdiff;h=ab1a74c5c40bb83253830c82815d8e5cc6a5de12