* [meta-webserver] cherokee: fix SRC_URI
@ 2013-09-05 11:54 Javier Viguera
  2013-09-05 12:04 ` Emil R. Petersen
  2013-09-05 12:09 ` Eric Bénard
  0 siblings, 2 replies; 8+ messages in thread
From: Javier Viguera @ 2013-09-05 11:54 UTC (permalink / raw)
  To: openembedded-devel

The package is no longer available in the official cherokee site,
so download it from a mirror.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
---

Notes:
    To be cherry-picked to Dylan as well.

 meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
index 265e24e..4b2d68d 100644
--- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
+++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
@@ -9,7 +9,7 @@ PR = "r9"
 
 DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
-SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
+SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
            file://cherokee.init \
            file://cherokee.service \
 "


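Review bot: the `+SRC_URI` line moves the fetch from the project's own HTTP host to a third-party mirror over plain FTP, so the only thing tying the download to the original release is whatever `SRC_URI[md5sum]`/`SRC_URI[sha256sum]` entries the recipe carries, which are outside this hunk. The diffstat shows a single changed line, so any such entries are untouched; please state in the commit message that the mirror tarball was checked against the existing checksums, so a reader can tell the source did not change with the URL.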

* Re: [meta-webserver] cherokee: fix SRC_URI
  2013-09-05 11:54 [meta-webserver] cherokee: fix SRC_URI Javier Viguera
@ 2013-09-05 12:04 ` Emil R. Petersen
  2013-09-05 12:15   ` Paul Eggleton
  2013-09-05 12:09 ` Eric Bénard
  1 sibling, 1 reply; 8+ messages in thread
From: Emil R. Petersen @ 2013-09-05 12:04 UTC (permalink / raw)
  To: openembedded-devel

I can see that this is hosted on a University website, but is there a 
policy for using non-official mirrors?

This seems like it opens up a lot of potential security problems IMO.
Not only could the third-party mirror be easy to compromise, but how
would we assure we don't use a malicious mirror? Or that a malicious
contributor doesn't add a deliberately tainted mirror?

In short, is there some sort of policy on when and how we use
third-party mirrors? Are security considerations part of the policy?

Kind Regards,
Emil Petersen

On 05/09/13 13:54, Javier Viguera wrote:
> The package is no longer available in the official cherokee site,
> so download it from a mirror.
>
> Signed-off-by: Javier Viguera<javier.viguera@digi.com>
> ---
>
> Notes:
>      To be cherry-picked to Dylan as well.
>
>   meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> index 265e24e..4b2d68d 100644
> --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> @@ -9,7 +9,7 @@ PR = "r9"
>
>   DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
> +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
>              file://cherokee.init \
>              file://cherokee.service \
>   "
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel



* Re: [meta-webserver] cherokee: fix SRC_URI
  2013-09-05 11:54 [meta-webserver] cherokee: fix SRC_URI Javier Viguera
  2013-09-05 12:04 ` Emil R. Petersen
@ 2013-09-05 12:09 ` Eric Bénard
  2013-09-05 12:09   ` Emil R. Petersen
  2013-09-05 12:21   ` Javier Viguera
  1 sibling, 2 replies; 8+ messages in thread
From: Eric Bénard @ 2013-09-05 12:09 UTC (permalink / raw)
  To: javier.viguera; +Cc: openembedded-devel

Hi Javier,

On Thu, 5 Sep 2013 13:54:28 +0200,
Javier Viguera <javier.viguera@digi.com> wrote:

> The package is no longer available in the official cherokee site,
> so download it from a mirror.
> 
> Signed-off-by: Javier Viguera <javier.viguera@digi.com>
> ---
> 
> Notes:
>     To be cherry-picked to Dylan as well.
> 
>  meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> index 265e24e..4b2d68d 100644
> --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> @@ -9,7 +9,7 @@ PR = "r9"
>  
>  DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>  
> -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
> +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
>             file://cherokee.init \
>             file://cherokee.service \
>  "
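Review bot: the dot-prefixed `/.1/` component in the new `+SRC_URI` path looks like a detail of the mirror's internal layout rather than a published download location, so this URL may stop resolving if the host reorganises. If the mirror offers a path without it, use that; otherwise a short comment above `SRC_URI` saying why a mirror is used would help whoever next touches the recipe.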

in fact the correct URL is now :
https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
so I think you can switch to :
+SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz

Eric



* Re: [meta-webserver] cherokee: fix SRC_URI
  2013-09-05 12:09 ` Eric Bénard
@ 2013-09-05 12:09   ` Emil R. Petersen
  2013-09-05 12:21   ` Javier Viguera
  1 sibling, 0 replies; 8+ messages in thread
From: Emil R. Petersen @ 2013-09-05 12:09 UTC (permalink / raw)
  To: openembedded-devel

Which would also invalidate my concern about possibly insecure 
third-party mirrors. Fantastic.

On 05/09/13 14:09, Eric Bénard wrote:
> Hi Javier,
>
> On Thu, 5 Sep 2013 13:54:28 +0200,
> Javier Viguera <javier.viguera@digi.com> wrote:
>
>> The package is no longer available in the official cherokee site,
>> so download it from a mirror.
>>
>> Signed-off-by: Javier Viguera<javier.viguera@digi.com>
>> ---
>>
>> Notes:
>>      To be cherry-picked to Dylan as well.
>>
>>   meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
>> index 265e24e..4b2d68d 100644
>> --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
>> +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
>> @@ -9,7 +9,7 @@ PR = "r9"
>>
>>   DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>>
>> -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
>> +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
>>              file://cherokee.init \
>>              file://cherokee.service \
>>   "
> in fact the correct URL is now :
> https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> so I think you can switch to :
> +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz
>
> Eric



* Re: [meta-webserver] cherokee: fix SRC_URI
  2013-09-05 12:04 ` Emil R. Petersen
@ 2013-09-05 12:15   ` Paul Eggleton
  0 siblings, 0 replies; 8+ messages in thread
From: Paul Eggleton @ 2013-09-05 12:15 UTC (permalink / raw)
  To: Emil R. Petersen; +Cc: openembedded-devel

Hi Emil,

On Thursday 05 September 2013 14:04:23 Emil R. Petersen wrote:
> I can see that this is hosted on a University website, but is there a
> policy for using non-official mirrors?
> 
> This seems like it opens up a lot of potential security problems IMO.
> Not only could the third-party mirror be easy to compromise, but how
> would we assure we don't use a malicious mirror? Or that a malicious
> contributor doesn't add a deliberately tainted mirror?

The SRC_URI checksums protect against this being a problem. If the tarball was 
tampered with it could not pass both the md5sum and sha256sum.

> In short, is there some sort of policy on when and how we use
> third-party mirrors? Are security considerations part of the policy?

We use them if we're forced to; however we also have the option of uploading 
files to the openembedded.org mirrors if needed e.g. in the case where upstream 
completely goes away and there are no other stable mirrors.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: [meta-webserver] cherokee: fix SRC_URI
  2013-09-05 12:09 ` Eric Bénard
  2013-09-05 12:09   ` Emil R. Petersen
@ 2013-09-05 12:21   ` Javier Viguera
  2013-09-05 12:45     ` Eric Bénard
  2013-09-05 12:46     ` Martin Jansa
  1 sibling, 2 replies; 8+ messages in thread
From: Javier Viguera @ 2013-09-05 12:21 UTC (permalink / raw)
  To: Eric Bénard; +Cc: openembedded-devel@lists.openembedded.org

Hi Eric

On 05/09/13 14:09, Eric Bénard wrote:
> in fact the correct URL is now :
> https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> so I think you can switch to :
> +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz

The problem with the "official" one in github is that it is not the 
same. The checksums are different and a basic *diff* verification 
between the unpacked packages shows a bunch of differences.

The one in the OSUOSL is exactly the same (same checksums).

Regarding the mirror policies I just don't know. I was bitten by this
problem trying to build cherokee in Dylan branch and tried to find a 
mirror. I selected OSUOSL because of its track supporting open source 
projects.

-- 
Javier Viguera
Software Engineer
Digi International® Spain S.A.U.



* Re: [meta-webserver] cherokee: fix SRC_URI
  2013-09-05 12:21   ` Javier Viguera
@ 2013-09-05 12:45     ` Eric Bénard
  2013-09-05 12:46     ` Martin Jansa
  1 sibling, 0 replies; 8+ messages in thread
From: Eric Bénard @ 2013-09-05 12:45 UTC (permalink / raw)
  To: Javier Viguera; +Cc: openembedded-devel@lists.openembedded.org

Hi Javier,

On Thu, 5 Sep 2013 14:21:44 +0200,
Javier Viguera <javier.viguera@digi.com> wrote:
> On 05/09/13 14:09, Eric Bénard wrote:
> > in fact the correct URL is now :
> > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> > so I think you can switch to :
> > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz
> 
> The problem with the "official" one in github is that it is not the 
> same. The checksums are different and a basic *diff* verification 
> between the unpacked packages shows a bunch of differences.
> 
interesting :-(

> The one in the OSUOSL is exactly the same (same checksums).
> 
> Regarding the mirror policies I just don't know. I was bitten by this
> problem trying to build cherokee in Dylan branch and tried to find a 
> mirror. I selected OSUOSL because of its track supporting open source 
> projects.
> 
While you keep the same checksum there is no risk of getting a wrong source
base, so I don't see a problem here.

Eric



* Re: [meta-webserver] cherokee: fix SRC_URI
  2013-09-05 12:21   ` Javier Viguera
  2013-09-05 12:45     ` Eric Bénard
@ 2013-09-05 12:46     ` Martin Jansa
  1 sibling, 0 replies; 8+ messages in thread
From: Martin Jansa @ 2013-09-05 12:46 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Eric Bénard


On Thu, Sep 05, 2013 at 02:21:44PM +0200, Javier Viguera wrote:
> Hi Eric
> 
> On 05/09/13 14:09, Eric Bénard wrote:
> > in fact the correct URL is now :
> > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> > so I think you can switch to :
> > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz
> 
> The problem with the "official" one in github is that it is not the 
> same. The checksums are different and a basic *diff* verification 
> between the unpacked packages shows a bunch of differences.

Yes and github tarballs seem to be regenerated on-demand or at least
sometimes, so checksums don't stay the same even if we update them now.

> The one in the OSUOSL is exactly the same (same checksums).
> 
> Regarding the mirror policies I just don't know. I was bitten by this
> problem trying to build cherokee in Dylan branch and tried to find a 
> mirror. I selected OSUOSL because of its track supporting open source 
> projects.
> 
> -- 
> Javier Viguera
> Software Engineer
> Digi International® Spain S.A.U.

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 205 bytes --]
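
The behaviour Paul Eggleton and Martin Jansa describe above, as an added example that is not part of the thread or of OpenEmbedded's code: a pinned md5sum/sha256sum pair accepts a byte-identical copy from any mirror, rejects a modified tarball, and also rejects a re-archived tarball whose unpacked content is unchanged. The in-memory tarballs, file names and function names are constructed for illustration, and the gzip header timestamp is assumed here as one way a regenerated archive can differ.

```python
import gzip, hashlib, io, tarfile

def make_tarball(files, gzip_mtime):
    """Pack files into a .tar.gz in memory; only the gzip header timestamp varies."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)      # mtime/uid/gid default to 0
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def checksums(blob):
    """Digests over the archive bytes, which is what a pinned checksum covers."""
    return {"md5sum": hashlib.md5(blob).hexdigest(),
            "sha256sum": hashlib.sha256(blob).hexdigest()}

def verify(blob, pinned):
    """Accept a download only if every pinned digest matches, whatever host served it."""
    got = checksums(blob)
    return all(got[name] == value for name, value in pinned.items())

def content_digest(blob):
    """Hash member names and file bytes only, ignoring archive metadata."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(member.name.encode() + b"\0")
            if member.isfile():
                h.update(tar.extractfile(member).read())
    return h.hexdigest()

# Constructed sample tree standing in for a release tarball.
FILES = {"sample-1.0/configure": b"#!/bin/sh\n", "sample-1.0/README": b"sample\n"}
RELEASE = make_tarball(FILES, gzip_mtime=1000)
PINNED = checksums(RELEASE)                           # what the recipe records
MIRROR_COPY = bytes(RELEASE)                          # byte-identical copy on a mirror
REGENERATED = make_tarball(FILES, gzip_mtime=2000)    # same tree, re-archived later
TAMPERED = make_tarball({**FILES, "sample-1.0/configure": b"#!/bin/sh\n# changed\n"}, 1000)

if __name__ == "__main__":
    for label, blob in [("mirror copy", MIRROR_COPY), ("regenerated", REGENERATED),
                        ("tampered", TAMPERED)]:
        print(label, "checksum ok:", verify(blob, PINNED),
              "same content:", content_digest(blob) == content_digest(RELEASE))
```

The pinned digests cover the archive bytes, not the unpacked tree, which is why a stable mirror copy keeps building while an archive generated on demand does not.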

