[1/2] ncurses: switch to new mirror

Message ID 20240518212954.788524-1-peter.marko@siemens.com
State Accepted, archived
Commit ea801be31d051b558fde52f7d6dccf2cd416afb9

Commit Message

Marko, Peter May 18, 2024, 9:29 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

github.com/mirror/ncurses has not been updated for over a year.
Switch to the new mirror from Thomas Dickey (ncurses maintainer).

Sources are identical.

Updated upstream check regex by:
* changed dot to underscore as this repo is tagged like this
* added v prefix to not propose updates to some old tags
* removed third part to not propose updates to development snapshots

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-core/ncurses/ncurses.inc    | 2 +-
 meta/recipes-core/ncurses/ncurses_6.4.bb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

Comments

Alexander Kanavin May 21, 2024, 10:16 a.m. UTC | #1
On Sat, 18 May 2024 at 23:30, Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
>  # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
> -SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
> +SRC_URI = "git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master"

After the xz backdoor I'm nervous about switching upstream sources
with no verification of their authenticity. Is this referenced
anywhere from ncurses homepage or ncurses tarball download? Should we
take that tarball rather?

Alex
Marko, Peter May 21, 2024, 7:17 p.m. UTC | #2
-----Original Message-----
From: Alexander Kanavin <alex.kanavin@gmail.com> 
Sent: Tuesday, May 21, 2024 12:17
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror

> On Sat, 18 May 2024 at 23:30, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> >  # Upstream has useful patches at times at 
> > ftp://invisible-island.net/ncurses/
> > -SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
> > +SRC_URI = "git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master"
>
> After the xz backdoor I'm nervous about switching upstream sources with no verification of their authenticity. Is this referenced anywhere from ncurses homepage or ncurses tarball download? Should we take that tarball rather?
>
> Alex

The "new" mirror is maintained by the same github account as the old mirror.
So the trust should be the same and this patch should not decrease the security.
I have also verified that both the old and new versions match the source tarballs (as stated in my commit message).
But you're right that it's not referenced on the homepage; at least my google queries yielded 0 relevant hits.

Looking at the recipe history, the reason for switching to mirrors is the instability of the upstream homepage paths.
https://git.openembedded.org/openembedded-core/commit/?id=4d3f84f84147145cfd786362d9cd754bbb93873e
Not sure if we want to return to that situation.

I already thought about the xz situation before submitting my patch.
One of the reasons why I did not go back to tarball was that I didn't know how to configure AUH regex.
If you know how to do that, switching to it may be an option even if that would mean having to change the URL on lts branches from time to time...

Peter
Alexander Kanavin May 21, 2024, 7:31 p.m. UTC | #3
On Tue, 21 May 2024 at 21:17, Marko, Peter <Peter.Marko@siemens.com> wrote:
> I already thought about the xz situation before submitting my patch.
> One of the reasons why I did not go back to tarball was that I didn't know how to configure AUH regex.
> If you know how to do that, switching to it may be an option even if that would mean having to change the URL on lts branches from time to time...

Can you tell me where the tarballs are? Then I can check if the regex
is even needed, and what it should be if so.

And, this is kinda obvious, but maybe you could email the maintainer
and ask if the new github URI is really them?

Alex
Marko, Peter May 21, 2024, 8:27 p.m. UTC | #4
-----Original Message-----
From: Alexander Kanavin <alex.kanavin@gmail.com> 
Sent: Tuesday, May 21, 2024 21:31
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror

> On Tue, 21 May 2024 at 21:17, Marko, Peter <Peter.Marko@siemens.com> wrote:
> > I already thought about the xz situation before submitting my patch.
> > One of the reasons why I did not go back to tarball was that I didn't know how to configure AUH regex.
> > If you know how to do that, switching to it may be an option even if that would mean having to change the URL on lts branches from time to time...
>
> Can you tell me where the tarballs are? Then I can check if the regex is even needed, and what it should be if so.
>
> And, this is kinda obvious, but maybe you could email the maintainer and ask if the new github URI is really them?
>
> Alex

I have to correct myself. I'm not so familiar with how github presents things; the two mirrors are managed by different accounts.

However, I finally found a reference that this is the right mirror.
https://invisible-island.net/#ftp (Archives) lists https://github.com/ThomasDickey (on github) as official place for snapshot mirrors for invisible-island archives.

Peter
Alexander Kanavin May 21, 2024, 8:34 p.m. UTC | #5
On Tue, 21 May 2024 at 22:27, Marko, Peter <Peter.Marko@siemens.com> wrote:
> I have to correct myself. I'm not so familiar with how github presents things; the two mirrors are managed by different accounts.
>
> However I finally found reference that this is the right mirror.
> https://invisible-island.net/#ftp (Archives) lists https://github.com/ThomasDickey (on github) as official place for snapshot mirrors for invisible-island archives.

Thanks, then there is no issue.

Alex

Patch

diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 761b6a3d31..3b72f3efdd 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,7 +13,7 @@  BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
+SRC_URI = "git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master"
 
 EXTRA_AUTORECONF = "-I m4"
 
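Review bot: the comment kept above the changed SRC_URI still only says that upstream has useful patches at ftp://invisible-island.net/ncurses/, so the hunk gives a future reader no way to tell why github.com/ThomasDickey/ncurses-snapshots is trusted over github.com/mirror/ncurses. The thread settled that question by finding that https://invisible-island.net/#ftp lists https://github.com/ThomasDickey as the official place for the snapshot mirrors; record that next to the URI, for example `# Snapshot mirror listed at https://invisible-island.net/#ftp as the official GitHub location`, so the next mirror change can be checked against the same source instead of repeating the search. Keeping `branch=master` is fine here because the .bb file pins a SRCREV.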
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb
index 97130c06d6..61558ecfa8 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -10,10 +10,10 @@  SRC_URI += "file://0001-tic-hang.patch \
            file://CVE-2023-45918.patch \
            "
 # commit id corresponds to the revision in package version
-SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"
+SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"
 S = "${WORKDIR}/git"
 EXTRA_OECONF += "--with-abi-version=5"
-UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)$"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+_\d+)$"
 
 # This is needed when using patchlevel versions like 6.1+20181013
 #CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
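Review bot: the comment `# commit id corresponds to the revision in package version` is retained, but the new SRCREV points into a different repository with a different tag scheme (`v6_4` style, per the new regex), and nothing in the hunk records which tag the new hash resolves to or that its tree matches the old one; name the tag beside the SRCREV so the mapping and the "sources are identical" claim from the commit message can be rechecked when the hash is next bumped. Also, the captured `pver` group is now `6_4` rather than `6.4`, since the regex deliberately swaps the dot for an underscore; confirm that the upstream version check normalises the underscore before comparing against PV, otherwise the comparison would be between differently formatted strings.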