Openembedded Core Discussions
* BlueZ old releases have new checksums
From: Denys Dmytriyenko @ 2012-01-04 18:14 UTC (permalink / raw)
  To: openembedded-devel, openembedded-core

All,

The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
re-appeared after missing for a long time since the kernel.org compromise.
Unfortunately, all previous tarballs have new checksums, breaking builds for 
anyone w/o previous copy cached. Old copies were also extensively mirrored, 
so you never know which one you fetch next time...

I pinged the upstream, but I doubt it will be changed or fixed in any way. 
So the proper solution for us would be to upgrade recipes to the latest 
released versions - bluez-4.97, obexd-0.43 and bluez-hcidump-2.2.

Are there any other suggestions?

[1] http://www.kernel.org/pub/linux/bluetooth/

-- 
Denys




* Re: BlueZ old releases have new checksums
From: Chris Larson @ 2012-01-04 20:14 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer; +Cc: openembedded-devel

On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
> re-appeared after missing for a long time since the kernel.org compromise.
> Unfortunately, all previous tarballs have new checksums, breaking builds for
> anyone w/o previous copy cached. Old copies were also extensively mirrored,
> so you never know which one you fetch next time...

Heh, checksums changing after a security compromise, that's worrisome
:) should diff their contents to see what's going on, or whether it's
just a gzip timestamp change or something.
-- 
Christopher Larson




* Re: BlueZ old releases have new checksums
From: Khem Raj @ 2012-01-04 20:53 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer; +Cc: openembedded-devel

On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
> On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
>> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> re-appeared after missing for a long time since the kernel.org compromise.
>> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> so you never know which one you fetch next time...
>
> Heh, checksums changing after a security compromise, that's worrisome
> :) should diff their contents to see what's going on, or whether it's
> just a gzip timestamp change or something.

exactly. Make sure the tars are sane

> --
> Christopher Larson




* Re: [oe] BlueZ old releases have new checksums
From: Denys Dmytriyenko @ 2012-01-04 22:02 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Patches and discussions about the oe-core layer

On Wed, Jan 04, 2012 at 12:53:25PM -0800, Khem Raj wrote:
> On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
> >> re-appeared after missing for a long time since the kernel.org compromise.
> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
> >> so you never know which one you fetch next time...
> >
> > Heh, checksums changing after a security compromise, that's worrisome
> > :) should diff their contents to see what's going on, or whether it's
> > just a gzip timestamp change or something.
> 
> exactly. Make sure the tars are sane

Well, according to BlueZ maintainer[1], he gave the correct tarballs to 
kernel.org people, but for some reason they untarred and re-packed them. 
There's only a 4-byte difference, presumably the timestamp...

[1] http://thread.gmane.org/gmane.linux.bluez.kernel/20040/focus=20041

-- 
Denys




* Re: [oe] BlueZ old releases have new checksums
From: Chris Larson @ 2012-01-05  0:16 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer; +Cc: openembedded-devel

On Wed, Jan 4, 2012 at 3:02 PM, Denys Dmytriyenko <denis@denix.org> wrote:
> On Wed, Jan 04, 2012 at 12:53:25PM -0800, Khem Raj wrote:
>> On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson@kergoth.com> wrote:
>> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis@denix.org> wrote:
>> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> >> re-appeared after missing for a long time since the kernel.org compromise.
>> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> >> so you never know which one you fetch next time...
>> >
>> > Heh, checksums changing after a security compromise, that's worrisome
>> > :) should diff their contents to see what's going on, or whether it's
>> > just a gzip timestamp change or something.
>>
>> exactly. Make sure the tars are sane
>
> Well, according to BlueZ maintainer[1], he gave the correct tarballs to
> kernel.org people, but for some reason they untarred and re-packed them.
> There's only a 4-byte difference, presumably the timestamp...

/me thinks maintainers should tar -cvO | gzip -n if they're going to use gzip ;)

But then, we see it from a rather different perspective than upstreams tend to..
-- 
Christopher Larson
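
The check discussed in this thread, as an added example that is not part of any message above: it decides whether two `.tar.gz` files with different checksums differ only in the 4-byte gzip header MTIME (offsets 4 to 7), which `gzip -n` writes as zero. The archives, file names and timestamps are constructed in memory for illustration; `make_targz` and `classify` are hypothetical helper names.

```python
import gzip, hashlib, io, struct, tarfile

def make_targz(files, gz_mtime):
    """Constructed sample: tar member metadata is fixed, only the gzip MTIME varies."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 1300000000
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def gzip_mtime(blob):
    """Return the 32-bit little-endian MTIME field at offset 4 of the gzip header."""
    if blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip (deflate) stream")
    return struct.unpack_from("<I", blob, 4)[0]

def classify(a, b):
    """Explain why two .tar.gz blobs hash differently."""
    if a == b:
        return "identical"
    same_payload = (hashlib.sha256(gzip.decompress(a)).digest()
                    == hashlib.sha256(gzip.decompress(b)).digest())
    if not same_payload:
        return "payload-changed"      # the tar stream itself differs: inspect members
    diff = [i for i in range(max(len(a), len(b))) if a[i:i + 1] != b[i:i + 1]]
    if set(diff) <= {4, 5, 6, 7}:
        return "gzip-mtime-only"      # only the header timestamp moved
    return "recompressed"             # same tar stream, different gzip header or settings

# Constructed inputs, not the real BlueZ tarballs.
FILES = [("pkg-1.0/README", b"constructed sample\n"),
         ("pkg-1.0/main.c", b"int main(void) { return 0; }\n")]
ORIGINAL = make_targz(FILES, gz_mtime=1314000000)   # packed with a timestamp
REPACKED = make_targz(FILES, gz_mtime=0)            # MTIME 0, as `gzip -n` writes
TAMPERED = make_targz([FILES[0], ("pkg-1.0/main.c", b"int main(void) { return 1; }\n")],
                      gz_mtime=1314000000)

if __name__ == "__main__":
    for label, blob in (("repacked", REPACKED), ("tampered", TAMPERED)):
        print(label, hashlib.sha256(blob).hexdigest()[:16], classify(ORIGINAL, blob))
```

A `payload-changed` result only says the tar stream differs; a re-pack that altered member metadata lands there too, and the next step is comparing member contents one by one.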



