Re: [PATCH v2 1/4] Build system: Replace git:// and http:// with https://

[Demi Marie Obenour <demi@invisiblethingslab.com>]

[-- Attachment #1: Type: text/plain, Size: 1604 bytes --]

On Thu, Feb 09, 2023 at 02:01:52PM +0000, George Dunlap wrote:
> On Wed, Feb 8, 2023 at 8:58 PM Demi Marie Obenour <
> demi@invisiblethingslab.com> wrote:
> 
> > Obtaining code over an insecure transport is a terrible idea for
> > blatently obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> >
> > This patch enforces the use of secure transports in the build system.
> >
> > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> >
> 
> Hey Demi,
> 
> Thanks for this series -- we definitely want the build system to use secure
> transports when available.  Can you confirm that you've tested the "+s"
> versions of all the URLs in this patch, and verified that they actually
> work?

I had not, but a subsequent review indicated that most do work.  The
exceptions are:

- Neither the PolarSSL nor TPM emulator links work, but the http://
  verison of these links is also broken.  I added an AC_MSG_ERROR to
  fail the TPM emulator build if they would be used, but a Xen committer
  will need to regenerate configure.

- the newlib url should be https://sourceware.org/ftp/newlib, not
  https://source.redhat.com/ftp/newlib.  This was changed in
  configure.ac but not in configure.

> If you haven't, I realize that may be somewhat tedious, but I think it's
> pretty important.  You should be able to automate  a lot of it using `curl
> --head --fail`. [1]

That does not work for the Xen git repositories, but those all do work.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]