xen-devel.lists.xenproject.org archive mirror
From: John Haxby <john.haxby@oracle.com>
To: xen-devel@lists.xensource.com
Subject: Re: Different xen-3.4.3.tar.gz in Fedora RPM
Date: Fri, 18 Jun 2010 14:31:57 +0100
Message-ID: <4C1B754D.50603@oracle.com>
In-Reply-To: <4C1B6232.1050705@invisiblethingslab.com>

On 18/06/10 13:10, Joanna Rutkowska wrote:
> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>
> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>
> which for me reads:
>
> f8d001eb9e08525c451d38deb93908b1
>
> is *different* than expected by Fedora F13 RPM:
>
> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>
> which is:
>
> cbe84c44bc156ad1b4a20dc1c73464b8
>
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --
> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
> anybody do such a thing? After all, we would expect only one version of
> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
> tarballs for packaging, no?
>
> Or am I missing something?
>
> joanna.
>    

I find this quite worrying as well.   If one set of source has been 
tampered with, which one has been tampered with?   Did someone modify 
the Fedora sources rather than patch them?  Were the Xensource patches 
re-generated without incrementing the version number?

I'm rather less worried that the changes are malicious knowing your 
reputation :-)  but even so this is still worrying.

jch
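
Added example, not part of the original thread: a per-file comparison of two release tarballs, which answers the question raised above of whether a whole-archive digest mismatch reflects changed file contents or only repacking metadata. The archives, the `xen-X/` paths and all function names are constructed for illustration.

```python
import hashlib
import io
import tarfile


def make_tarball(files, mtime=0):
    """Build a constructed .tar.gz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_digests(tarball):
    """Map each regular file in the archive to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = hashlib.sha256(
                    tar.extractfile(member).read()).hexdigest()
    return digests


def compare_tarballs(a, b):
    """Report whole-archive equality plus per-file differences."""
    da, db = member_digests(a), member_digests(b)
    return {
        "archives_identical": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "only_in_a": sorted(da.keys() - db.keys()),
        "only_in_b": sorted(db.keys() - da.keys()),
        "changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
    }


# Constructed sample trees, not the real Xen sources.
upstream = make_tarball({"xen-X/README": b"Xen\n", "xen-X/Makefile": b"all:\n\t@true   \n"})
repacked = make_tarball({"xen-X/README": b"Xen\n", "xen-X/Makefile": b"all:\n\t@true\n"})
touched = make_tarball({"xen-X/README": b"Xen\n", "xen-X/Makefile": b"all:\n\t@true   \n"}, mtime=1)

if __name__ == "__main__":
    print(compare_tarballs(upstream, repacked))  # content change in one file
    print(compare_tarballs(upstream, touched))   # metadata-only difference
```

An empty `changed` list alongside a failed whole-archive match points to repacking (timestamps, compression) rather than edited sources; a non-empty list names the files to diff by hand.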
