xen-devel.lists.xenproject.org archive mirror
* Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 12:10 Joanna Rutkowska
From: Joanna Rutkowska @ 2010-06-18 12:10 UTC (permalink / raw)
  To: xen-devel@lists.xensource.com



So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:

http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz

which for me reads:

f8d001eb9e08525c451d38deb93908b1

is *different* than expected by Fedora F13 RPM:

http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup

which is:

cbe84c44bc156ad1b4a20dc1c73464b8

So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
original Makefile for RPM building), and diffed the two versions --
changes (cosmetic cleanup mostly) are innocent, but, hey, why would
anybody do such a thing? After all, we would expect only one version of
xen-XXX.tar.gz, right? Patches should be the proper way for customizing
tarballs for packaging, no?

Or am I missing something?

joanna.


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 12:23 ` Joanna Rutkowska
From: Joanna Rutkowska @ 2010-06-18 12:23 UTC (permalink / raw)
  To: xen-devel@lists.xensource.com



On 06/18/2010 02:10 PM, Joanna Rutkowska wrote:
> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
> 
> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
> 
> which for me reads:
> 
> f8d001eb9e08525c451d38deb93908b1
> 
> is *different* than expected by Fedora F13 RPM:
> 
> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
> 
> which is:
> 
> cbe84c44bc156ad1b4a20dc1c73464b8
> 
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --

You can also download the fedora version of xen-3.4.3.tar.gz using this
direct link:

http://cvs.fedoraproject.org/repo/pkgs/xen/xen-3.4.3.tar.gz/cbe84c44bc156ad1b4a20dc1c73464b8/xen-3.4.3.tar.gz

j.



* Re: Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 12:39   ` Pasi Kärkkäinen
From: Pasi Kärkkäinen @ 2010-06-18 12:39 UTC (permalink / raw)
  To: Joanna Rutkowska; +Cc: xen-devel@lists.xensource.com, M A Young

On Fri, Jun 18, 2010 at 02:23:10PM +0200, Joanna Rutkowska wrote:
> On 06/18/2010 02:10 PM, Joanna Rutkowska wrote:
> > So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
> > 
> > http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
> > 
> > which for me reads:
> > 
> > f8d001eb9e08525c451d38deb93908b1
> > 
> > is *different* than expected by Fedora F13 RPM:
> > 
> > http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
> > 
> > which is:
> > 
> > cbe84c44bc156ad1b4a20dc1c73464b8
> > 
> > So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> > original Makefile for RPM building), and diffed the two versions --
> 
> You can also download the fedora version of xen-3.4.3.tar.gz using this
> direct link:
> 
> http://cvs.fedoraproject.org/repo/pkgs/xen/xen-3.4.3.tar.gz/cbe84c44bc156ad1b4a20dc1c73464b8/xen-3.4.3.tar.gz
> 

Michael (CC) might know more about it..

-- Pasi


* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 12:57 ` Keir Fraser
From: Keir Fraser @ 2010-06-18 12:57 UTC (permalink / raw)
  To: Joanna Rutkowska, xen-devel@lists.xensource.com

On 18/06/2010 13:10, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
wrote:

> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --
> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
> anybody do such a thing? After all, we would expect only one version of
> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
> tarballs for packaging, no?
> 
> Or am I missing something?

Well, I think this and your other point have one simple answer. If I wanted
the maximum possible confidence in the bits I was building, I would obtain
them from the original source, as it were. In this case that means, for
example:
# hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg
If you want your own tarball for some reason:
# hg archive -t tgz xen-3.4.3.tar.gz

It doesn't seem very hard to me. I maintain the repo and sign the releases
myself. Downloading tarballs from Fedora, or even from our own xen.org
website, introduces more people between you and me. And it seems you very
likely care about that.

 -- Keir

> joanna.
> 


* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 13:07   ` Joanna Rutkowska
From: Joanna Rutkowska @ 2010-06-18 13:07 UTC (permalink / raw)
  To: Keir Fraser; +Cc: xen-devel@lists.xensource.com



On 06/18/2010 02:57 PM, Keir Fraser wrote:
> On 18/06/2010 13:10, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
> wrote:
> 
>> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
>> original Makefile for RPM building), and diffed the two versions --
>> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
>> anybody do such a thing? After all, we would expect only one version of
>> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
>> tarballs for packaging, no?
>>
>> Or am I missing something?
> 
> Well, I think this and your other point have one simple answer. If I wanted
> the maximum possible confidence in the bits I was building, I would obtain
> them from the original source, as it were. In this case that means, for
> example:
> # hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg
> If you want your own tarball for some reason:
> # hg archive -t tgz xen-3.4.3.tar.gz
> 
> It doesn't seem very hard to me. I maintain the repo and sign the releases
> myself.

But you *do* publish sigs for Xen 4:

http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig

So, why can't you do the same for 3.4.3 tarball?

Sure, I could use hg in my RPM Makefile, but this would require me to
install hg first, and also the download process I think takes longer
than if it was simply a tar, and also requires creating a tmp directory
that later must be removed.

> Downloading tarballs from Fedora, or even from our own xen.org 
> website, introduces more people between you and me. And it seems you
> very likely care about that.
> 

From the security point of view it doesn't matter, as long as both are
signed by one of the keys signed by xen.org.

j.



* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 13:19     ` Keir Fraser
From: Keir Fraser @ 2010-06-18 13:19 UTC (permalink / raw)
  To: Joanna Rutkowska; +Cc: Ian Jackson, xen-devel@lists.xensource.com

On 18/06/2010 14:07, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
wrote:

>> It doesn't seem very hard to me. I maintain the repo and sign the releases
>> myself.
> 
> But you *do* publish sigs for Xen 4:
> 
> http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig
> 
> So, why can't you do the same for 3.4.3 tarball?

I imagine Ian can publish one.

 -- Keir


* Re: Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 13:25     ` M A Young
From: M A Young @ 2010-06-18 13:25 UTC (permalink / raw)
  To: Pasi Kärkkäinen; +Cc: xen-devel@lists.xensource.com, Joanna Rutkowska


On Fri, 18 Jun 2010, Pasi Kärkkäinen wrote:

> On Fri, Jun 18, 2010 at 02:23:10PM +0200, Joanna Rutkowska wrote:
>> On 06/18/2010 02:10 PM, Joanna Rutkowska wrote:
>>> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>>>
>>> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>>>
>>> which for me reads:
>>>
>>> f8d001eb9e08525c451d38deb93908b1
>>>
>>> is *different* than expected by Fedora F13 RPM:
>>>
>>> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>>>
>>> which is:
>>>
>>> cbe84c44bc156ad1b4a20dc1c73464b8
>>>
>>> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
>>> original Makefile for RPM building), and diffed the two versions --
>>
>> You can also download the fedora version of xen-3.4.3.tar.gz using this
>> direct link:
>>
>> http://cvs.fedoraproject.org/repo/pkgs/xen/xen-3.4.3.tar.gz/cbe84c44bc156ad1b4a20dc1c73464b8/xen-3.4.3.tar.gz
>>
>
> Michael (CC) might know more about it..

Yes, they will be different. I failed to find an official xen-3.4.3.tar.gz 
when I built the rpm, so I glued one together myself from the git and hg 
repositories (judging by the dates of the unpacked tar file, I think the 
official file was created after mine).
I have compared the two now, and although there are slight differences 
(e.g. more hg/git files left in the official one), they are functionally 
equivalent.

 	Michael Young

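The checks the thread circles around, as an added example that is not code from the thread nor from Xen's or Fedora's own tooling: Joanna's opening message compares the MD5 of the upstream tarball with the hash Fedora's `sources` file expects, Michael's reply above explains that the two tarballs differ only in leftover hg/git files, and Ian later publishes the detached signature that makes the hash check unnecessary. The script below wires those three steps together: a hash check, a detached-signature check (only if `gpg` and a `.sig` are present), and a content-level diff of two tarballs with VCS residue excluded. The sample "upstream" and "distro" trees, file names and version string are constructed for the demo; it assumes `md5sum`, `tar` and `diff` are on the path.

```shell
#!/bin/sh
# Added example, not code from the thread. Three checks for a vendored
# source tarball: (1) does its MD5 match the hash a package expects,
# (2) does a published detached OpenPGP signature verify, and (3) when two
# tarballs of the same release differ, are the differences only VCS
# residue (.hg, .git, .hgtags, ...) or real source changes?
# Sample trees, names and hashes below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the MD5 of a file (the digest a Fedora "sources" file records).
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Return 0 if FILE has the EXPECTED md5, 1 otherwise.
check_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 md5=$actual"
        return 0
    fi
    echo "FAIL $1 md5=$actual expected=$2"
    return 1
}

# Verify a detached signature published as <tarball>.sig next to the
# tarball. gpg only reports success if the signing key is in the local
# keyring, which is where the "key signed by xen.org" trust chain comes in.
verify_detached_sig() {
    gpg --verify "$1.sig" "$1"
}

# List VCS metadata entries left inside a tarball (hg and git files).
vcs_residue() {
    tar tzf "$1" | grep -E '(^|/)\.(hg|git)(tags|ignore|sub|sigs)?(/|$)' || true
}

# Return 0 if two tarballs unpack to the same sources once VCS residue is
# excluded, 1 if any real file differs.
content_equivalent() {
    a="$WORK/cmp_a"; b="$WORK/cmp_b"
    rm -rf "$a" "$b"; mkdir -p "$a" "$b"
    tar xzf "$1" -C "$a"
    tar xzf "$2" -C "$b"
    if diff -r -x .hg -x .git -x .hgtags -x .hgignore -x .gitignore \
            -x .hgsub -x .hgsigs "$a" "$b" >/dev/null; then
        echo "equivalent: $1 and $2 differ at most in VCS residue"
        return 0
    fi
    echo "DIFFER: real source differences between $1 and $2"
    return 1
}

# Constructed sample: two "xen-3.4.3" trees that differ only in a leftover
# .hgtags file, tarred separately, standing in for the upstream and
# Fedora tarballs of the thread.
make_sample_tarballs() {
    for side in upstream distro; do
        mkdir -p "$WORK/$side/xen-3.4.3/xen"
        printf 'int main(void) { return 0; }\n' > "$WORK/$side/xen-3.4.3/xen/main.c"
    done
    printf 'RELEASE-3.4.3\n' > "$WORK/upstream/xen-3.4.3/.hgtags"
    (cd "$WORK/upstream" && tar czf "$WORK/upstream.tar.gz" xen-3.4.3)
    (cd "$WORK/distro" && tar czf "$WORK/distro.tar.gz" xen-3.4.3)
}

make_sample_tarballs
UP="$WORK/upstream.tar.gz"
DI="$WORK/distro.tar.gz"
echo "upstream md5: $(md5_of "$UP")"
echo "distro   md5: $(md5_of "$DI")"
check_md5 "$DI" "$(md5_of "$UP")" || echo "hashes differ, so compare content"
echo "VCS residue in upstream tarball:"
vcs_residue "$UP"
content_equivalent "$UP" "$DI"
```

The hash comparison alone only tells you the two files are not byte-identical; the content diff is what separates "packaging noise" from a changed source file, and the detached signature, once published, is what lets a build skip the distributor entirely and trust the upstream key instead. Run `verify_detached_sig xen-3.4.3.tar.gz` against a real tarball and its `.sig` after importing the release key.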

* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 13:31 ` John Haxby
From: John Haxby @ 2010-06-18 13:31 UTC (permalink / raw)
  To: xen-devel

On 18/06/10 13:10, Joanna Rutkowska wrote:
> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>
> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>
> which for me reads:
>
> f8d001eb9e08525c451d38deb93908b1
>
> is *different* than expected by Fedora F13 RPM:
>
> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>
> which is:
>
> cbe84c44bc156ad1b4a20dc1c73464b8
>
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --
> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
> anybody do such a thing? After all, we would expect only one version of
> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
> tarballs for packaging, no?
>
> Or am I missing something?
>
> joanna.
>    

I find this quite worrying as well. If one set of source has been 
tampered with, which one has been tampered with? Did someone modify 
the Fedora sources rather than patch them? Were the Xensource patches 
re-generated without incrementing the version number?

I'm rather less worried that the changes are malicious knowing your 
reputation :-)  but even so this is still worrying.

jch


* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 13:47   ` M A Young
From: M A Young @ 2010-06-18 13:47 UTC (permalink / raw)
  To: Keir Fraser; +Cc: xen-devel@lists.xensource.com, Joanna Rutkowska

On Fri, 18 Jun 2010, Keir Fraser wrote:

> On 18/06/2010 13:10, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
> wrote:
>
>> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
>> original Makefile for RPM building), and diffed the two versions --
>> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
>> anybody do such a thing? After all, we would expect only one version of
>> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
>> tarballs for packaging, no?
>>
>> Or am I missing something?
>
> Well, I think this and your other point have one simple answer. If I wanted
> the maximum possible confidence in the bits I was building, I would obtain
> them from the original source, as it were. In this case that means, for
> example:
> # hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg
> If you want your own tarball for some reason:
> # hg archive -t tgz xen-3.4.3.tar.gz
>
> It doesn't seem very hard to me. I maintain the repo and sign the releases
> myself. Downloading tarballs from Fedora, or even from our own xen.org
> website, introduces more people between you and me. And it seems you very
> likely care about that.

Though bear in mind that producing xen-3.4.3.tar.gz in this way means you 
will download the qemu parts from 
http://xenbits.xensource.com/git-http/qemu-xen-3.4-testing.git at build 
time, which might not be what you want.

 	Michael Young


* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 15:42       ` Ian Jackson
From: Ian Jackson @ 2010-06-18 15:42 UTC (permalink / raw)
  To: Joanna Rutkowska
  Cc: xen-devel@lists.xensource.com, Keir Fraser, Stephen Spector

Keir Fraser writes ("Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM"):
> On 18/06/2010 14:07, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
> wrote:
> > But you *do* publish sigs for Xen 4:
> > http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig
> > So, why can't you do the same for 3.4.3 tarball?

Well spotted.  This was a mistake; my release script failed to do "vcs
add" to add the signature (which I did generate at the time) to the
tree which got uploaded to the distribution site.

I have now uploaded the signature and added a link to it on the
archive release webpage for 3.4.4

Ian.


* Re: Different xen-3.4.3.tar.gz in Fedora RPM
@ 2010-06-18 16:00         ` Joanna Rutkowska
From: Joanna Rutkowska @ 2010-06-18 16:00 UTC (permalink / raw)
  To: Ian Jackson; +Cc: xen-devel@lists.xensource.com, Keir Fraser, Stephen Spector



On 06/18/2010 05:42 PM, Ian Jackson wrote:
> Keir Fraser writes ("Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM"):
>> On 18/06/2010 14:07, "Joanna Rutkowska" <joanna@invisiblethingslab.com>
>> wrote:
>>> But you *do* publish sigs for Xen 4:
>>> http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig
>>> So, why can't you do the same for 3.4.3 tarball?
> 
> Well spotted.  This was a mistake; my release script failed to do "vcs
> add" to add the signature (which I did generate at the time) to the
> tree which got uploaded to the distribution site.
> 
> I have now uploaded the signature and added a link to it on the
> archive release webpage for 3.4.4
> 
Many thanks Ian! My Makefile is happy now [1] :)

joanna.

[1]
https://qubes-os.org/gitweb/?p=joanna/xen.git;a=commitdiff;h=ab1a74c5c40bb83253830c82815d8e5cc6a5de12


