| Message ID | 1378382068-24795-1-git-send-email-javier.viguera@digi.com |
|---|---|
| State | Accepted, archived |
| Commit | 3000970fcd979ac2d68ef406778dbc4da86da73f |
diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb index 265e24e..4b2d68d 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb @@ -9,7 +9,7 @@ PR = "r9" DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \ +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \ file://cherokee.init \ file://cherokee.service \ "
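Review bot: The hunk swaps the upstream SRC_URI for an ftp:// mirror URL (ftp://ftp.osuosl.org/.1/cherokee/...) but the commit message only says the package is no longer available upstream; it should also state that the recipe's SRC_URI[md5sum]/SRC_URI[sha256sum] lines, which this hunk does not touch, were verified against the mirror tarball, because ftp:// gives no transport integrity and those checksums are the only thing tying the fetched archive to the original 1.2.98 release. It would also help to record why the GitHub archive was not used, and to note that the ".1/" path component looks like an internal mirror layout that may not be stable.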
I can see that this is hosted on a University website, but is there a policy for using non-official mirrors?

This seems like it opens up a lot of potential security problems IMO. Not only could the third-party mirror be easy to compromise, but how would we assure we don't use a malicious mirror? Or that a malicious contributor doesn't add a deliberately tainted mirror?

In short, is there some sort of policy on when and how we use third-party mirrors? Are security considerations part of the policy?

Kind Regards,
Emil Petersen

On 05/09/13 13:54, Javier Viguera wrote: > The package is no longer available in the official cherokee site, > so download it from a mirror. > > Signed-off-by: Javier Viguera<javier.viguera@digi.com> > --- > > Notes: > To be cherry-picked to Dylan as well. > > meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb > index 265e24e..4b2d68d 100644 > --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb > +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb > @@ -9,7 +9,7 @@ PR = "r9" > > DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" > > -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \ > +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \ > file://cherokee.init \ > file://cherokee.service \ > " > _______________________________________________ > Openembedded-devel mailing list > Openembedded-devel@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-devel
Hi Javier,

On Thu, 5 Sep 2013 13:54:28 +0200, Javier Viguera <javier.viguera@digi.com> wrote: > The package is no longer available in the official cherokee site, > so download it from a mirror. > > Signed-off-by: Javier Viguera <javier.viguera@digi.com> > --- > > Notes: > To be cherry-picked to Dylan as well. > > meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb > index 265e24e..4b2d68d 100644 > --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb > +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb > @@ -9,7 +9,7 @@ PR = "r9" > > DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" > > -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \ > +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \ > file://cherokee.init \ > file://cherokee.service \ > "

In fact the correct URL is now:
https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz
so I think you can switch to:
+SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz

Eric
Which would also invalidate my concern about possibly insecure third-party mirrors. Fantastic.

On 05/09/13 14:09, Eric Bénard wrote: > Hi Javier, > > On Thu, 5 Sep 2013 13:54:28 +0200, > Javier Viguera<javier.viguera@digi.com> wrote: > >> The package is no longer available in the official cherokee site, >> so download it from a mirror. >> >> Signed-off-by: Javier Viguera<javier.viguera@digi.com> >> --- >> >> Notes: >> To be cherry-picked to Dylan as well. >> >> meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb >> index 265e24e..4b2d68d 100644 >> --- a/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb >> +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb >> @@ -9,7 +9,7 @@ PR = "r9" >> >> DEPENDS = "libpcre openssl mysql5 ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" >> >> -SRC_URI = "http://www.cherokee-project.com/download/1.2/${PV}/cherokee-${PV}.tar.gz \ >> +SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz \ >> file://cherokee.init \ >> file://cherokee.service \ >> " > in fact the correct URL is now : > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz > so I think you can switch to : > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz > > Eric
Hi Emil,

On Thursday 05 September 2013 14:04:23 Emil R. Petersen wrote: > I can see that this is hosted on a University website, but is there a > policy for using non-official mirrors? > > This seems like it opens up a lot of potential security problems IMO. > Not only could the third-party mirror be easy to compromise, but how > would we assure we don't use a malicious mirror? Or that a malicious > contributor doesn't add a deliberately tainted mirror?

The SRC_URI checksums protect against this being a problem. If the tarball was tampered with it could not pass both the md5sum and sha256sum.

> In short, is there some sort of policy on when and how we use > third-party mirrors? Are security considerations part of the policy?

We use them if we're forced to; however, we also have the option of uploading files to the openembedded.org mirrors if needed, e.g. in the case where upstream completely goes away and there are no other stable mirrors.

Cheers,
Paul
Hi Eric,

On 05/09/13 14:09, Eric Bénard wrote: > in fact the correct URL is now : > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz > so I think you can switch to : > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz

The problem with the "official" one on github is that it is not the same. The checksums are different and a basic *diff* verification between the unpacked packages shows a bunch of differences.

The one in the OSUOSL is exactly the same (same checksums).

Regarding the mirror policies I just don't know. I was bitten by this problem trying to build cherokee in the Dylan branch and tried to find a mirror. I selected OSUOSL because of its track record supporting open source projects.
Hi Javier,

On Thu, 5 Sep 2013 14:21:44 +0200, Javier Viguera <javier.viguera@digi.com> wrote: > On 05/09/13 14:09, Eric Bénard wrote: > > in fact the correct URL is now : > > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz > > so I think you can switch to : > > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz > > The problem with the "official" one on github is that it is not the > same. The checksums are different and a basic *diff* verification > between the unpacked packages shows a bunch of differences. >

interesting :-(

> The one in the OSUOSL is exactly the same (same checksums). > > Regarding the mirror policies I just don't know. I was bitten by this > problem trying to build cherokee in the Dylan branch and tried to find a > mirror. I selected OSUOSL because of its track record supporting open source > projects. >

While you keep the same checksum there is no risk of getting a wrong source base, so I don't see a problem here.

Eric
On Thu, Sep 05, 2013 at 02:21:44PM +0200, Javier Viguera wrote: > Hi Eric > > On 05/09/13 14:09, Eric Bénard wrote: > > in fact the correct URL is now : > > https://github.com/cherokee/webserver/archive/v1.2.98.tar.gz > > so I think you can switch to : > > +SRC_URI = "https://github.com/cherokee/webserver/archive/v${PV}.tar.gz > > The problem with the "official" one on github is that it is not the > same. The checksums are different and a basic *diff* verification > between the unpacked packages shows a bunch of differences.

Yes, and github tarballs seem to be regenerated on demand, or at least sometimes, so checksums don't stay the same even if we update them now.

> The one in the OSUOSL is exactly the same (same checksums). > > Regarding the mirror policies I just don't know. I was bitten by this > problem trying to build cherokee in the Dylan branch and tried to find a > mirror. I selected OSUOSL because of its track record supporting open source > projects. > > -- > Javier Viguera > Software Engineer > Digi International® Spain S.A.U.
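To illustrate Paul's point that the SRC_URI checksums are what protect a recipe against a tampered mirror tarball, and the reply above noting that on-demand regenerated GitHub tarballs break those checksums, here is an added Python example (not code from this thread, from OpenEmbedded or from bitbake): it parses SRC_URI[md5sum]/SRC_URI[sha256sum] out of a constructed recipe fragment, accepts an archive only when both match, rejects an altered copy, and shows that re-gzipping identical content with a different header timestamp yields an archive that fails the same checksums although its unpacked content is unchanged. The recipe fragment, file contents and timestamps are constructed for the example.

```python
import gzip
import hashlib
import io
import re
import tarfile

# Constructed recipe fragment in the style of cherokee_1.2.98.bb; the two
# checksum values are filled in below from the constructed sample tarball.
RECIPE_TEMPLATE = '''SRC_URI = "ftp://ftp.osuosl.org/.1/cherokee/1.2/${PV}/cherokee-${PV}.tar.gz"
SRC_URI[md5sum] = "%s"
SRC_URI[sha256sum] = "%s"
'''

def make_tarball(files, gzip_mtime):
    """Build a .tar.gz in memory; only the gzip header timestamp varies."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)  # member mtime stays 0, so the tar bytes are stable
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def recipe_checksums(recipe):
    """Extract SRC_URI[md5sum] / SRC_URI[sha256sum] from recipe text."""
    pat = r'SRC_URI\[(md5sum|sha256sum)\]\s*=\s*"([0-9a-fA-F]+)"'
    return {m.group(1): m.group(2).lower() for m in re.finditer(pat, recipe)}

def verify_tarball(tarball, recipe):
    """Accept the archive only if both declared checksums match, as bitbake does."""
    want = recipe_checksums(recipe)
    if "md5sum" not in want or "sha256sum" not in want:
        return False  # no checksums declared: nothing ties the archive to the release
    return (hashlib.md5(tarball).hexdigest() == want["md5sum"]
            and hashlib.sha256(tarball).hexdigest() == want["sha256sum"])

def same_unpacked_content(a, b):
    """True when two archives decompress to identical tar streams."""
    return gzip.decompress(a) == gzip.decompress(b)

# Constructed sample release, the same content re-gzipped a day later, and an altered copy.
FILES = {"cherokee-1.2.98/README": b"Cherokee web server 1.2.98\n",
         "cherokee-1.2.98/configure": b"#!/bin/sh\necho configuring\n"}
ORIGINAL = make_tarball(FILES, 1378382068)
REGENERATED = make_tarball(FILES, 1378382068 + 86400)
TAMPERED = make_tarball({**FILES, "cherokee-1.2.98/configure": b"#!/bin/sh\necho altered\n"}, 1378382068)
RECIPE = RECIPE_TEMPLATE % (hashlib.md5(ORIGINAL).hexdigest(), hashlib.sha256(ORIGINAL).hexdigest())
```

Only ORIGINAL passes verify_tarball against RECIPE; REGENERATED fails despite having byte-identical unpacked content, which is why a mirror that re-creates archives on demand cannot be pinned by checksum.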
The package is no longer available in the official cherokee site, so download it from a mirror. Signed-off-by: Javier Viguera <javier.viguera@digi.com> --- Notes: To be cherry-picked to Dylan as well. meta-webserver/recipes-httpd/cherokee/cherokee_1.2.98.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)