
Re: [PATCH v4 2/3] Build system: Replace git:// and http:// with https://



On Mon, Feb 27, 2023 at 09:25:32AM +0100, Jan Beulich wrote:
> On 24.02.2023 23:55, Demi Marie Obenour wrote:
> > On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote:
> >> On 19.02.2023 03:46, Demi Marie Obenour wrote:
> >>> --- a/stubdom/configure
> >>> +++ b/stubdom/configure
> >>> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
> >>>   if test "x$extfiles" = "xy"; then :
> >>>    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
> >>>  else
> >>> -  ZLIB_URL="http://www.zlib.net";
> >>> +  ZLIB_URL="https://www.zlib.net";
> >>>  fi
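Review bot: the commit description needs to state that www.zlib.net no longer serves the zlib version this configure script fetches, as the v3 review already pointed out, because the hunk otherwise reads as a routine scheme swap. Changing `ZLIB_URL="http://www.zlib.net";` to `ZLIB_URL="https://www.zlib.net";` turns a download of attacker-controllable cleartext content into a fetch that fails closed, which is a behaviour change worth recording; alternatively, drop the dead URL outright (as the follow-up "Do not try to use broken links" patch does) rather than rewrite it, so the failure is obviously intentional.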
> >>
> >> In v3 you said that this URL can't be used anymore for the version we're
> >> trying to fetch (which I can confirm). Leaving aside the question of why
> >> stubdom was never updated in that regard, what use is it to update URL
> >> (without even mentioning the aspect in the description) in such a case?
> >> (I haven't gone through any of the other URLs again, so there may well
> >> be more similar cases.)
> > 
> > Main advantage is that it will fail securely rather than downloading
> > whatever random code an MITM attacker put in there.
> 
> As said before (and implied here): At the very least you need to mention
> the aspect in the description. But then wouldn't things be failing equally
> securely if no (non-working) URL was put in place, or one which is
> guaranteed to yield an error but makes obvious that no real URL is meant?

https://lists.xenproject.org/archives/html/xen-devel/2023-02/msg01439.html
("[PATCH v5 3/5] Build system: Do not try to use broken links") does
exactly that.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature
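The thread's argument is that an https:// URL makes a tampered download fail rather than silently succeed. The following POSIX shell helper, added here as an illustration and not part of the Xen patch series or its build system, takes that one step further: it refuses any non-https scheme and verifies the fetched tarball against a pinned SHA-256 digest before the build may use it. The function names (`check_url_scheme`, `verify_sha256`, `fetch_extfile`) and the checksum policy are assumptions for this example.

```shell
#!/bin/sh
# Added example (not code from the Xen patch series): a fetch helper for
# build-system external files that only accepts https:// URLs and checks
# the downloaded archive against a pinned SHA-256 before it is used.
# All function names here are assumed for this illustration.

set -eu

# Return 0 only for https:// URLs. http:// and git:// are rejected so a
# network-level attacker cannot substitute the archive in transit.
check_url_scheme() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the SHA-256 digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's digest equals the expected digest, 1 otherwise.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download $1 to $2 and check it against the pinned digest $3.
# Fails closed: a rejected scheme or a digest mismatch leaves no file
# behind and returns non-zero, so the build stops instead of consuming
# whatever was served.
fetch_extfile() {
    url=$1
    dest=$2
    expected=$3
    if ! check_url_scheme "$url"; then
        echo "refusing non-https URL: $url" >&2
        return 1
    fi
    # --proto/--proto-redir keep both the request and any redirect on https.
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        echo "checksum mismatch for $dest; discarding" >&2
        rm -f "$dest"
        return 1
    fi
}
```

A configure fragment would call it as `fetch_extfile "$ZLIB_URL/<archive>" zlib.tar.gz <pinned-sha256>` with the digest recorded in the tree; the scheme check gives the fail-closed property discussed above, and the digest check additionally catches a compromised or mis-served archive on the mirror itself, which TLS alone does not.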
