From: John Haxby
Subject: Re: Different xen-3.4.3.tar.gz in Fedora RPM
Date: Fri, 18 Jun 2010 14:31:57 +0100
Message-ID: <4C1B754D.50603@oracle.com>
References: <4C1B6232.1050705@invisiblethingslab.com>
In-Reply-To: <4C1B6232.1050705@invisiblethingslab.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On 18/06/10 13:10, Joanna Rutkowska wrote:
> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>
> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>
> which for me reads:
>
> f8d001eb9e08525c451d38deb93908b1
>
> is *different* than expected by Fedora F13 RPM:
>
> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>
> which is:
>
> cbe84c44bc156ad1b4a20dc1c73464b8
>
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --
> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
> anybody do such a thing? After all, we would expect only one version of
> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
> tarballs for packaging, no?
>
> Or am I missing something?
>
> joanna.
>

I find this quite worrying as well. If one set of source has been tampered with, which one has been tampered with? Did someone modify the Fedora sources rather than patch them? Were the Xensource patches re-generated without incrementing the version number?

I'm rather less worried that the changes are malicious knowing your reputation :-) but even so this is still worrying.

jch
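The check Joanna describes, comparing a downloaded tarball's MD5 against the hash a Fedora `sources` file records for it, as an added example that is not part of the thread. It assumes the old `sources` format of `<md5>  <filename>` lines; the tarball it checks is a constructed stand-in, not the real xen-3.4.3.tar.gz, and the two hashes from the thread are reused only as reference values.

```shell
#!/bin/sh
# Added example: verify a tarball against a Fedora-style "sources" file.
# The tarball here is a constructed stand-in; the thread's hashes are
# used as reference entries so a mismatch can be shown offline.

# md5 of a file, portable across md5sum (GNU) and md5 -q (BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Expected md5 for a filename from a sources file; empty if not listed.
expected_md5() {   # $1 = sources file, $2 = tarball name
    awk -v f="$2" '$2 == f { print $1; exit }' "$1"
}

# Returns 0 on match, 1 on mismatch, 2 if the tarball is not listed.
check_tarball() {  # $1 = sources file, $2 = path to tarball
    name=$(basename "$2")
    want=$(expected_md5 "$1" "$name")
    [ -n "$want" ] || { echo "$name: not listed in $1" >&2; return 2; }
    have=$(md5_of "$2")
    if [ "$have" = "$want" ]; then echo "$name: OK"; return 0; fi
    echo "$name: MISMATCH expected $want got $have" >&2
    return 1
}

# Constructed fixture: a stand-in xen-3.4.3.tar.gz containing "hello\n"
# (md5 b1946ac92492d2347c6235b4d2611184) plus three sources files.
make_fixture() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/xen-3.4.3.tar.gz"
    printf 'b1946ac92492d2347c6235b4d2611184  xen-3.4.3.tar.gz\n' > "$d/sources.good"
    # Upstream hash quoted in the thread; cannot match the stand-in file.
    printf 'f8d001eb9e08525c451d38deb93908b1  xen-3.4.3.tar.gz\n' > "$d/sources.upstream"
    # Fedora's hash from the thread, recorded under a different filename.
    printf 'cbe84c44bc156ad1b4a20dc1c73464b8  xen-3.4.2.tar.gz\n' > "$d/sources.other"
    echo "$d"
}

fixture=$(make_fixture)
check_tarball "$fixture/sources.good" "$fixture/xen-3.4.3.tar.gz"
check_tarball "$fixture/sources.upstream" "$fixture/xen-3.4.3.tar.gz" || echo "exit status $?"
check_tarball "$fixture/sources.other" "$fixture/xen-3.4.3.tar.gz" || echo "exit status $?"
```

Pointing `check_tarball` at a real `sources` file and the tarball fetched from the upstream URL reproduces the comparison in the thread; a non-zero status is the signal to diff the two archives rather than build.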