
Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM



On 06/18/2010 02:57 PM, Keir Fraser wrote:
> On 18/06/2010 13:10, "Joanna Rutkowska" <joanna@xxxxxxxxxxxxxxxxxxxxxx>
> wrote:
> 
>> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
>> original Makefile for RPM building), and diffed the two versions --
>> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
>> anybody do such a thing? After all, we would expect only one version of
>> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
>> tarballs for packaging, no?
>>
>> Or am I missing something?
> 
> Well, I think this and your other point have one simple answer. If I wanted
> the maximum possible confidence in the bits I was building, I would obtain
> them from the original source, as it were. In this case that means, for
> example:
> # hg clone -r RELEASE-3.4.3 http://xenbits.xensource.com/xen-3.4-testing.hg
> If you want your own tarball for some reason:
> # hg archive -t tgz xen-3.4.3.tar.gz
> 
> It doesn't seem very hard to me. I maintain the repo and sign the releases
> myself.

But you *do* publish sigs for Xen 4:

http://bits.xensource.com/oss-xen/release/4.0.0/xen-4.0.0.tar.gz.sig

So, why can't you do the same for 3.4.3 tarball?

Sure, I could use hg in my RPM Makefile, but this would require me to
install hg first, and also the download process I think takes longer
than if it were a simple tar, and also requires creating a tmp directory
that later must be removed.

> Downloading tarballs from Fedora, or even from our own xen.org 
> website, introduces more people between you and me. And it seems you
> very likely care about that.
> 

From the security point of view it doesn't matter, as long as both are
signed by one of the keys signed by xen.org.

j.

Attachment: signature.asc
Description: OpenPGP digital signature
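The check Joanna describes above, diffing the Fedora tarball against the upstream one to see what a repackager changed, is the kind of thing worth automating. The example below is added here and is not code from the thread or from the Xen project: it compares two tarballs member by member (a SHA-256 over each regular file), so that a mismatch in the archive's overall hash, which can come merely from a different gzip timestamp, is turned into a list of added, dropped and modified paths. The two archives are constructed in memory with made-up file names; the `xen-3.4.3/...` paths and their contents are assumptions for illustration only.

```python
import hashlib
import io
import tarfile


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Build a .tar.gz in memory from {path: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def member_digests(tarball: bytes) -> dict[str, str]:
    """Map every regular-file member of the archive to the SHA-256 of its content.

    Directories, symlinks and other special members are skipped: they carry no
    payload, and a repackager changing them is visible as path differences instead.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tf:
        for member in tf:
            if member.isfile():
                data = tf.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def diff_tarballs(upstream: bytes, repackaged: bytes) -> dict[str, list[str]]:
    """Classify paths by whether they exist in only one archive or differ in content."""
    up, re_ = member_digests(upstream), member_digests(repackaged)
    common = set(up) & set(re_)
    return {
        "only_in_upstream": sorted(set(up) - set(re_)),
        "only_in_repackaged": sorted(set(re_) - set(up)),
        "changed": sorted(p for p in common if up[p] != re_[p]),
        "unchanged": sorted(p for p in common if up[p] == re_[p]),
    }


def archives_identical(upstream: bytes, repackaged: bytes) -> bool:
    """True only if both archives carry exactly the same files with the same content."""
    result = diff_tarballs(upstream, repackaged)
    return not (result["only_in_upstream"] or result["only_in_repackaged"] or result["changed"])


# Constructed sample input (hypothetical paths and contents, not real Xen sources):
# the "repackaged" archive has cosmetic whitespace changes in the Makefile and
# drops the .hgtags file, while the C source is byte-identical.
UPSTREAM_TGZ = build_tarball({
    "xen-3.4.3/Makefile": b"all:\n\t$(MAKE) -C xen\n",
    "xen-3.4.3/.hgtags": b"deadbeef RELEASE-3.4.3\n",
    "xen-3.4.3/xen/arch/x86/traps.c": b"/* trap handling */\n",
})
REPACKAGED_TGZ = build_tarball({
    "xen-3.4.3/Makefile": b"all:\n\t$(MAKE) -C xen\n\n",
    "xen-3.4.3/xen/arch/x86/traps.c": b"/* trap handling */\n",
})

if __name__ == "__main__":
    for category, paths in diff_tarballs(UPSTREAM_TGZ, REPACKAGED_TGZ).items():
        print(f"{category}: {paths}")
```

Run against two real downloads, the upstream tarball and a distribution's copy, the `changed` and `only_in_*` lists are what you would review before trusting the repackaged archive; `archives_identical` is the gate to use in a build script. This is a content check, not an authenticity check: it tells you what differs, while a detached signature such as the `.sig` linked in the thread tells you who produced the upstream archive, and both are needed.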

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
