From mboxrd@z Thu Jan 1 00:00:00 1970
From: Joanna Rutkowska
Subject: Re: Different xen-3.4.3.tar.gz in Fedora RPM
Date: Fri, 18 Jun 2010 15:07:40 +0200
Message-ID: <4C1B6F9C.3080300@invisiblethingslab.com>
To: Keir Fraser
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On 06/18/2010 02:57 PM, Keir Fraser wrote:
> On 18/06/2010 13:10, "Joanna Rutkowska" wrote:
>
>> So, I downloaded xen-3.4.3.tar.gz from the Fedora mirror (using their
>> original Makefile for RPM building), and diffed the two versions --
>> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
>> anybody do such a thing? After all, we would expect only one version of
>> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
>> tarballs for packaging, no?
>>
>> Or am I missing something?
>
> Well, I think this and your other point have one simple answer. If I wanted
> the maximum possible confidence in the bits I was building, I would obtain
> them from the original source, as it were. In this case that means, for
> example:
> # hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg
> If you want your own tarball for some reason:
> # hg archive -t tgz xen-3.4.3.tar.gz
>
> It doesn't seem very hard to me. I maintain the repo and sign the releases
> myself.

But you *do* publish sigs for Xen 4:

http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig

So, why can't you do the same for the 3.4.3 tarball?

Sure, I could use hg in my RPM Makefile, but this would require me to
install hg first, and also the download process I think takes longer
than if it was simply a tar, and also requires creating a tmp directory
that later must be removed.

> Downloading tarballs from Fedora, or even from our own xen.org
> website, introduces more people between you and me. And it seems you
> very likely care about that.
>

From the security point of view it doesn't matter, as long as both are
signed by one of the keys signed by xen.org.

j.
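The check Joanna describes above (diffing the Fedora tarball against the xen.org one) is worth mechanising, because it is the step that tells you whether a "same-named" tarball from a second source still needs a signature or a patch to explain it. The following is an added example, not code from this thread or from the Xen project. It compares two tarballs that claim to be the same release at the level of member contents rather than archive bytes: a repack (hg archive -t tgz, or simply gzip run at a different time) changes the archive's own hash even when every file inside is identical, so a bare checksum mismatch proves nothing by itself. The sample archives are constructed in memory and their paths and contents are made up for illustration.

```python
"""Compare two tarballs that claim to be the same release (say, two
xen-3.4.3.tar.gz files from different mirrors) by member contents.

Added example for illustration; not code from the xen-devel thread or
from the Xen project. Sample archives below are constructed in memory.
"""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def tarball_members(data: bytes) -> dict:
    """Map each regular file in a (possibly compressed) tar to the SHA-256
    of its contents. Directories, symlinks and metadata are ignored so that
    a repack with different mtimes or ownership still compares equal."""
    members = {}
    # mode "r:*" lets tarfile detect gzip/bzip2/xz transparently.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for info in tar:
            if info.isfile():
                members[info.name] = sha256_hex(tar.extractfile(info).read())
    return members


def compare_tarballs(a: bytes, b: bytes) -> dict:
    """Report archive-level and content-level differences between two
    tarballs. 'archive_identical' is the naive byte comparison; the other
    keys say what actually differs inside."""
    ma, mb = tarball_members(a), tarball_members(b)
    only_a = sorted(set(ma) - set(mb))
    only_b = sorted(set(mb) - set(ma))
    changed = sorted(p for p in set(ma) & set(mb) if ma[p] != mb[p])
    return {
        "archive_identical": sha256_hex(a) == sha256_hex(b),
        "only_in_a": only_a,
        "only_in_b": only_b,
        "changed": changed,
        "contents_identical": not (only_a or only_b or changed),
    }


def build_tarball(files: dict, mtime: int) -> bytes:
    """Constructed sample helper: build a gzip'd tar in memory from a
    {path: bytes} mapping, stamping every entry with the given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data (made-up paths and contents, not real Xen files).
_UPSTREAM_FILES = {
    "xen-3.4.3/README": b"Xen 3.4.3\n",
    "xen-3.4.3/xen/Makefile": b"all:\n\tmake -C arch\n",
}
# Same files, repacked later: tar headers differ, contents do not.
UPSTREAM = build_tarball(_UPSTREAM_FILES, mtime=1)
REPACK = build_tarball(_UPSTREAM_FILES, mtime=2)
# A mirror copy with a "cosmetic" whitespace edit in one file.
MIRROR = build_tarball(
    {**_UPSTREAM_FILES, "xen-3.4.3/xen/Makefile": b"all:\n\tmake -C arch \n"},
    mtime=1,
)


if __name__ == "__main__":
    print("upstream vs repack:", compare_tarballs(UPSTREAM, REPACK))
    print("upstream vs mirror:", compare_tarballs(UPSTREAM, MIRROR))
```

On real input, read both downloaded files with open(path, "rb").read() and pass them in. A false "archive_identical" with a true "contents_identical" is the harmless repack case; anything in "changed", "only_in_a" or "only_in_b" is exactly the set of files that the second source should be accounting for with a signed tarball or an explicit patch.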