Patchwork [meta-webserver] cherokee: fix SRC_URI

Submitter Javier Viguera
Date Sept. 5, 2013, 11:54 a.m.
Message ID <1378382068-24795-1-git-send-email-javier.viguera@digi.com>
Permalink /patch/57455/
State Accepted, archived
Commit 3000970fcd979ac2d68ef406778dbc4da86da73f

Comments

Javier Viguera - Sept. 5, 2013, 11:54 a.m.
The package is no longer available in the official cherokee site,
so download it from a mirror.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
---

Notes:
    To be cherry-picked to Dylan as well.

 meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Emil Petersen - Sept. 5, 2013, 12:04 p.m.
I can see that this is hosted on a University website, but is there a 
policy for using non-official mirrors?

This seems like it opens up a lot of potential security problems IMO. 
Not only could the third-party mirror be easy to compromise, but how 
would we assure we don't use a malicious mirror? Or that a malicious 
contributor doesn't add a deliberately tainted mirror?

In short, is there some sort of policy on when and how we use 
third-party mirrors? Are security considerations part of the policy?

Kind Regards,
Emil Petersen

On 05/09/13 13:54, Javier Viguera wrote:
> The package is no longer available in the official cherokee site,
> so download it from a mirror.
>
> Signed-off-by: Javier Viguera<javier.viguera@digi.com>
> ---
>
> Notes:
>      To be cherry-picked to Dylan as well.
>
>   meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> index 265e24e..4b2d68d 100644
> --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> @@ -9,7 +9,7 @@ PR = "r9"
>
>   DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
> +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
>              file://cherokee.init \
>              file://cherokee.service \
>   "
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
Eric BENARD - Sept. 5, 2013, 12:09 p.m.
Hi Javier,

On Thu, 5 Sep 2013 13:54:28 +0200,
Javier Viguera <javier.viguera@digi.com> wrote:

> The package is no longer available in the official cherokee site,
> so download it from a mirror.
> 
> Signed-off-by: Javier Viguera <javier.viguera@digi.com>
> ---
> 
> Notes:
>     To be cherry-picked to Dylan as well.
> 
>  meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> index 265e24e..4b2d68d 100644
> --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
> @@ -9,7 +9,7 @@ PR = "r9"
>  
>  DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>  
> -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
> +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
>             file://cherokee.init \
>             file://cherokee.service \
>  "

In fact the correct URL is now:
https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
so I think you can switch to:
+SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz

Eric
Emil Petersen - Sept. 5, 2013, 12:09 p.m.
Which would also invalidate my concern about possibly insecure 
third-party mirrors. Fantastic.

On 05/09/13 14:09, Eric Bénard wrote:
> Hi Javier,
>
> On Thu, 5 Sep 2013 13:54:28 +0200,
> Javier Viguera<javier.viguera@digi.com>  wrote:
>
>> The package is no longer available in the official cherokee site,
>> so download it from a mirror.
>>
>> Signed-off-by: Javier Viguera<javier.viguera@digi.com>
>> ---
>>
>> Notes:
>>      To be cherry-picked to Dylan as well.
>>
>>   meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
>> index 265e24e..4b2d68d 100644
>> --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
>> +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
>> @@ -9,7 +9,7 @@ PR = "r9"
>>
>>   DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>>
>> -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
>> +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
>>              file://cherokee.init \
>>              file://cherokee.service \
>>   "
> In fact the correct URL is now:
> https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> so I think you can switch to:
> +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz
>
> Eric
Paul Eggleton - Sept. 5, 2013, 12:15 p.m.
Hi Emil,

On Thursday 05 September 2013 14:04:23 Emil R. Petersen wrote:
> I can see that this is hosted on a University website, but is there a
> policy for using non-official mirrors?
> 
> This seems like it opens up a lot of potential security problems IMO.
> Not only could the third-party mirror be easy to compromise, but how
> would we assure we don't use a malicious mirror? Or that a malicious
> contributor doesn't add a deliberately tainted mirror?

The SRC_URI checksums protect against this being a problem. If the tarball was 
tampered with, it could not pass both the md5sum and sha256sum.

> In short, is there some sort of policy on when and how we use
> third-party mirrors? Are security considerations part of the policy?

We use them if we're forced to; however, we also have the option of uploading 
files to the openembedded.org mirrors if needed, e.g. in the case where upstream 
completely goes away and there are no other stable mirrors.

Cheers,
Paul
Javier Viguera - Sept. 5, 2013, 12:21 p.m.
Hi Eric

On 05/09/13 14:09, Eric Bénard wrote:
> In fact the correct URL is now:
> https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> so I think you can switch to:
> +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz

The problem with the "official" one in github is that it is not the 
same. The checksums are different and a basic *diff* verification 
between the unpacked packages shows a bunch of differences.

The one in the OSUOSL is exactly the same (same checksums).

Regarding the mirror policies I just don't know. I was bitten by this 
problem trying to build cherokee in the Dylan branch and tried to find a 
mirror. I selected OSUOSL because of its track record supporting open source 
projects.
Eric BENARD - Sept. 5, 2013, 12:45 p.m.
Hi Javier,

On Thu, 5 Sep 2013 14:21:44 +0200,
Javier Viguera <javier.viguera@digi.com> wrote:
> On 05/09/13 14:09, Eric Bénard wrote:
> > In fact the correct URL is now:
> > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> > so I think you can switch to:
> > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz
> 
> The problem with the "official" one in github is that it is not the 
> same. The checksums are different and a basic *diff* verification 
> between the unpacked packages shows a bunch of differences.
> 
interesting :-(

> The one in the OSUOSL is exactly the same (same checksums).
> 
> Regarding the mirror policies I just don't know. I was bitten by this 
> problem trying to build cherokee in the Dylan branch and tried to find a 
> mirror. I selected OSUOSL because of its track record supporting open source 
> projects.
> 
While you keep the same checksum there is no risk of getting a wrong source
base, so I don't see a problem here.

Eric
Martin Jansa - Sept. 5, 2013, 12:46 p.m.
On Thu, Sep 05, 2013 at 02:21:44PM +0200, Javier Viguera wrote:
> Hi Eric
> 
> On 05/09/13 14:09, Eric Bénard wrote:
> > In fact the correct URL is now:
> > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
> > so I think you can switch to:
> > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz
> 
> The problem with the "official" one in github is that it is not the 
> same. The checksums are different and a basic *diff* verification 
> between the unpacked packages shows a bunch of differences.

Yes and github tarballs seem to be regenerated on-demand or at least
sometimes, so checksums don't stay the same even if we update them now.

> The one in the OSUOSL is exactly the same (same checksums).
> 
> Regarding the mirror policies I just don't know. I was bitten by this 
> problem trying to build cherokee in the Dylan branch and tried to find a 
> mirror. I selected OSUOSL because of its track record supporting open source 
> projects.
> 
> -- 
> Javier Viguera
> Software Engineer
> Digi International® Spain S.A.U.
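As an added example, not code from this page or from the OpenEmbedded/BitBake project, the script below demonstrates the two points made in the thread above: Paul's, that a tarball pinned by both an md5sum and a sha256sum is accepted only if every byte matches, so the mirror that served it cannot substitute content without the fetch failing; and Javier's and Martin's, that an archive regenerated elsewhere (the GitHub case) has different checksums even when a file-by-file comparison of the unpacked trees may show identical contents. It is written in Python, BitBake's own language. The helper names, the two-file source tree, the pinned values and the three tarballs are all constructed in memory for the demonstration and are not BitBake's fetcher API or the real cherokee-1.2.98 archive.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree standing in for the unpacked cherokee-1.2.98 tarball.
SOURCES = {
    "cherokee-1.2.98/configure": b"#!/bin/sh\necho configuring\n",
    "cherokee-1.2.98/cherokee/main.c": b"int main(void) { return 0; }\n",
}


def make_tarball(files, mtime):
    """Build a .tar.gz in memory from {path: bytes}.

    The member mtime is the only thing that differs between the 'official'
    and 'regenerated' copies built in demo(); that alone changes the tar
    stream and therefore every byte-level checksum of the archive.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    out = io.BytesIO()
    # gzip header mtime pinned to 0 so the demo is reproducible run to run.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def checksums(data):
    """The two digests a recipe pins as SRC_URI[md5sum] / SRC_URI[sha256sum]."""
    return {
        "md5sum": hashlib.md5(data).hexdigest(),
        "sha256sum": hashlib.sha256(data).hexdigest(),
    }


def verify_src_uri(data, md5sum, sha256sum):
    """The gate Paul describes: accept the archive only if BOTH pinned digests
    match, regardless of which mirror served it."""
    got = checksums(data)
    return got["md5sum"] == md5sum and got["sha256sum"] == sha256sum


def content_digests(data):
    """sha256 of each regular member's content, ignoring tar metadata
    (mtime, owner, ordering) and the gzip container around it."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                body = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(body).hexdigest()
    return digests


def diff_contents(a, b):
    """Content-level comparison of two archives: what Javier's unpack-and-diff
    check reports, returned as data instead of a terminal listing."""
    da, db = content_digests(a), content_digests(b)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "changed": sorted(p for p in set(da) & set(db) if da[p] != db[p]),
    }


def demo():
    """Constructed scenario: one tarball whose digests are pinned, a
    byte-different regeneration with identical contents (Martin's GitHub
    case), and a copy with an injected line in configure (the tampered-mirror
    case Emil raises). Timestamps are arbitrary constants."""
    official = make_tarball(SOURCES, mtime=1378382068)
    regenerated = make_tarball(SOURCES, mtime=1378468468)
    tampered_files = dict(SOURCES)
    tampered_files["cherokee-1.2.98/configure"] += b"# injected line\n"
    tampered = make_tarball(tampered_files, mtime=1378382068)

    pinned = checksums(official)  # what the recipe would carry
    return {
        "official_ok": verify_src_uri(official, **pinned),
        "regenerated_ok": verify_src_uri(regenerated, **pinned),
        "regenerated_diff": diff_contents(official, regenerated),
        "tampered_ok": verify_src_uri(tampered, **pinned),
        "tampered_diff": diff_contents(official, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the regenerated archive failing the checksum gate while its content diff is empty, and the tampered archive failing the gate with `configure` reported as changed: the checksum pair rejects both, and only the content comparison tells the harmless regeneration apart from the real substitution, which is why a recipe that must move to a regenerated archive needs new pinned values, not just a new URL.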

Patch

diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
index 265e24e..4b2d68d 100644
--- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
+++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb
@@ -9,7 +9,7 @@  PR = "r9"
 
 DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
-SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \
+SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \
            file://cherokee.init \
            file://cherokee.service \
 "
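Review bot: the replacement SRC_URI fetches over plain ftp:// from a third-party host, so the transport provides neither server authentication nor integrity, and the only thing that binds the build to the original cherokee-1.2.98 tarball is the SRC_URI[md5sum] / SRC_URI[sha256sum] pair, which this hunk does not touch or show. Please confirm in the commit message that both checksum lines are present in the recipe and unchanged (the thread states the OSUOSL copy has the same checksums as the original, but a reviewer cannot verify that from the diff alone), since a URL change with silently updated checksums is exactly the substitution a tainted mirror would need. Leaving PR = "r9" unchanged is fine for a fetch-location-only change with identical checksums. A minor readability point: the "/.1/" path component in the new URL reads like a typo at first glance, so a one-line comment above SRC_URI noting that the upstream download location went away and that this mirror serves a byte-identical copy would save the next person who touches this recipe from "fixing" it.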