BlueZ old releases have new checksums

BlueZ old releases have new checksums

[Denys Dmytriyenko]

All,

The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally 
re-appeared after missing for long time since kernel.org compromise. 
Unfortunately, all previous tarballs have new checksums, breaking builds for 
anyone w/o previous copy cached. Old copies were also extensively mirrored, 
so you never know which one you fetch next time...

I pinged the upstream, but I doubt it will be changed or fixed in any way. 
So the proper solution for us would be to upgrade recipes to the latest 
released versions - bluez-4.97, obexd-0.43 and bluez-hcidump-2.2.

Are there any other suggestions?

[1] http://www.kernel.org/pub/linux/bluetooth/

-- 
Denys

Re: BlueZ old releases have new checksums

[Chris Larson]

On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
> re-appeared after missing for long time since kernel.org compromise.
> Unfortunately, all previous tarballs have new checksums, breaking builds for
> anyone w/o previous copy cached. Old copies were also extensively mirrored,
> so you never know which one you fetch next time...

Heh, checksums changing after a security compromise, that's worrisome
:) should diff their contents to see what's going on, or whether its
just a gzip timestamp change or something.
-- 
Christopher Larson

Re: [OE-core] BlueZ old releases have new checksums

[Chris Larson]

On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
> re-appeared after missing for long time since kernel.org compromise.
> Unfortunately, all previous tarballs have new checksums, breaking builds for
> anyone w/o previous copy cached. Old copies were also extensively mirrored,
> so you never know which one you fetch next time...

Heh, checksums changing after a security compromise, that's worrisome
:) should diff their contents to see what's going on, or whether its
just a gzip timestamp change or something.
-- 
Christopher Larson

Re: [OE-core] BlueZ old releases have new checksums

[Adriano Pallavicino]

Temporaly i've manually changed md5 and sha256sum. If needed i can prepare a patch

Adriano Pallavicino

Il giorno 04/gen/2012, alle ore 21:14, Chris Larson <clarson@kergoth.com> ha scritto:

> On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
>> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> re-appeared after missing for long time since kernel.org compromise.
>> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> so you never know which one you fetch next time...
> 
> Heh, checksums changing after a security compromise, that's worrisome
> :) should diff their contents to see what's going on, or whether its
> just a gzip timestamp change or something.
> -- 
> Christopher Larson
> 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel

Re: BlueZ old releases have new checksums

[Khem Raj]

On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
> On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
>> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> re-appeared after missing for long time since kernel.org compromise.
>> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> so you never know which one you fetch next time...
>
> Heh, checksums changing after a security compromise, that's worrisome
> :) should diff their contents to see what's going on, or whether its
> just a gzip timestamp change or something.

exactly. Make sure the tars are sane

> --
> Christopher Larson
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core

Re: [OE-core] BlueZ old releases have new checksums

[Khem Raj]

On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
> On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
>> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> re-appeared after missing for long time since kernel.org compromise.
>> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> so you never know which one you fetch next time...
>
> Heh, checksums changing after a security compromise, that's worrisome
> :) should diff their contents to see what's going on, or whether its
> just a gzip timestamp change or something.

exactly. Make sure the tars are sane

> --
> Christopher Larson
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core

Re: [oe] BlueZ old releases have new checksums

[Denys Dmytriyenko]

On Wed, Jan 04, 2012 at 12:53:25PM -0800, Khem Raj wrote:
> On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
> >> re-appeared after missing for long time since kernel.org compromise.
> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
> >> so you never know which one you fetch next time...
> >
> > Heh, checksums changing after a security compromise, that's worrisome
> > :) should diff their contents to see what's going on, or whether its
> > just a gzip timestamp change or something.
> 
> exactly. Make sure the tars are sane

Well, according to BlueZ maintainer[1], he gave the correct tarballs to 
kernel.org people, but for some reason they untarred and re-packed them. 
There's only 4 bytes difference, presumably timestamp...

[1] http://thread.gmane.org/gmane.linux.bluez.kernel/20040/focus=20041

-- 
Denys

Re: [OE-core] BlueZ old releases have new checksums

[Denys Dmytriyenko]

On Wed, Jan 04, 2012 at 12:53:25PM -0800, Khem Raj wrote:
> On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
> >> re-appeared after missing for long time since kernel.org compromise.
> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
> >> so you never know which one you fetch next time...
> >
> > Heh, checksums changing after a security compromise, that's worrisome
> > :) should diff their contents to see what's going on, or whether its
> > just a gzip timestamp change or something.
> 
> exactly. Make sure the tars are sane

Well, according to BlueZ maintainer[1], he gave the correct tarballs to 
kernel.org people, but for some reason they untarred and re-packed them. 
There's only 4 bytes difference, presumably timestamp...

[1] http://thread.gmane.org/gmane.linux.bluez.kernel/20040/focus=20041

-- 
Denys

Re: [OE-core] BlueZ old releases have new checksums

[Denys Dmytriyenko]

On Wed, Jan 04, 2012 at 09:41:43PM +0100, Adriano Pallavicino wrote:
> Temporaly i've manually changed md5 and sha256sum. If needed i can prepare a 
> patch

That wouldn't work reliably, as some people have an old copy saved locally, 
while others can still download the same old copy from one of the mirrors...

-- 
Denys


> Il giorno 04/gen/2012, alle ore 21:14, Chris Larson <clarson@kergoth.com> ha scritto:
> 
> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
> >> re-appeared after missing for long time since kernel.org compromise.
> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
> >> so you never know which one you fetch next time...
> > 
> > Heh, checksums changing after a security compromise, that's worrisome
> > :) should diff their contents to see what's going on, or whether its
> > just a gzip timestamp change or something.
> > -- 
> > Christopher Larson
> > 
> > _______________________________________________
> > Openembedded-devel mailing list
> > Openembedded-devel@lists.openembedded.org
> > http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
> 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel

Re: [oe] BlueZ old releases have new checksums

[Chris Larson]

On Wed, Jan 4, 2012 at 3:02 PM, Denys Dmytriyenko <denis@denix.org> wrote:
> On Wed, Jan 04, 2012 at 12:53:25PM -0800, Khem Raj wrote:
>> On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
>> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
>> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> >> re-appeared after missing for long time since kernel.org compromise.
>> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> >> so you never know which one you fetch next time...
>> >
>> > Heh, checksums changing after a security compromise, that's worrisome
>> > :) should diff their contents to see what's going on, or whether its
>> > just a gzip timestamp change or something.
>>
>> exactly. Make sure the tars are sane
>
> Well, according to BlueZ maintainer[1], he gave the correct tarballs to
> kernel.org people, but for some reason they untarred and re-packed them.
> There's only 4 bytes difference, presumably timestamp...

/me thinks maintainers should tar -cvO | gzip -n if they're going to use gzip ;)

But then, we see it from a rather different perspective than upstreams tend to..
-- 
Christopher Larson

Re: [OE-core] BlueZ old releases have new checksums

[Chris Larson]

On Wed, Jan 4, 2012 at 3:02 PM, Denys Dmytriyenko <denis@denix.org> wrote:
> On Wed, Jan 04, 2012 at 12:53:25PM -0800, Khem Raj wrote:
>> On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
>> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
>> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> >> re-appeared after missing for long time since kernel.org compromise.
>> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> >> so you never know which one you fetch next time...
>> >
>> > Heh, checksums changing after a security compromise, that's worrisome
>> > :) should diff their contents to see what's going on, or whether its
>> > just a gzip timestamp change or something.
>>
>> exactly. Make sure the tars are sane
>
> Well, according to BlueZ maintainer[1], he gave the correct tarballs to
> kernel.org people, but for some reason they untarred and re-packed them.
> There's only 4 bytes difference, presumably timestamp...

/me thinks maintainers should tar -cvO | gzip -n if they're going to use gzip ;)

But then, we see it from a rather different perspective than upstreams tend to..
-- 
Christopher Larson