WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-devel

Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
From: John Haxby <john.haxby@xxxxxxxxxx>
Date: Fri, 18 Jun 2010 14:31:57 +0100
Delivery-date: Fri, 18 Jun 2010 06:38:01 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4C1B6232.1050705@xxxxxxxxxxxxxxxxxxxxxx>
References: <4C1B6232.1050705@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-3.fc13 Lightning/1.0b2pre Thunderbird/3.0.4

On 18/06/10 13:10, Joanna Rutkowska wrote:
> So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:
>
> http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz
>
> which for me reads:
>
> f8d001eb9e08525c451d38deb93908b1
>
> is *different* than expected by Fedora F13 RPM:
>
> http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup
>
> which is:
>
> cbe84c44bc156ad1b4a20dc1c73464b8
>
> So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
> original Makefile for RPM building), and diffed the two versions --
> changes (cosmetic cleanup mostly) are innocent, but, hey, why would
> anybody do such a thing? After all, we would expect only one version of
> xen-XXX.tar.gz, right? Patches should be the proper way for customizing
> tarballs for packaging, no?
>
> Or am I missing something?
>
> joanna.

I find this quite worrying as well. If one set of source has been tampered with, which one has been tampered with? Did someone modify the Fedora sources rather than patch them? Were the Xensource patches re-generated without incrementing the version number?

I'm rather less worried that the changes are malicious knowing your reputation :-) but even so this is still worrying.

jch
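
An added example, not part of the original thread: one way to see what actually differs between two tarballs whose checksums disagree, as in the comparison described above. It compares per-file content digests, so a plain recompression (gzip stores a timestamp in its header) can be told apart from changed, added or removed files. The sample archives and file names are constructed, and SHA-256 is used here instead of the MD5 values quoted in the thread.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree; names and contents are invented for this example.
FILES = {"pkg-1.0/Makefile": b"all:\n\t@echo build\n", "pkg-1.0/README": b"Xen\n"}

def make_tgz(files, mtime):
    """Build a .tar.gz in memory from {name: bytes}; mtime goes in the gzip header."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def member_digests(tgz):
    """Map every regular file in the archive to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def compare(tgz_a, tgz_b):
    """Report whether the archives match byte for byte and which members differ."""
    a, b = member_digests(tgz_a), member_digests(tgz_b)
    same = hashlib.sha256(tgz_a).digest() == hashlib.sha256(tgz_b).digest()
    return {
        "same_archive_digest": same,
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

if __name__ == "__main__":
    upstream = make_tgz(FILES, mtime=1)
    repacked = make_tgz(FILES, mtime=2)  # same files, recompressed later
    edited = make_tgz({**FILES, "pkg-1.0/README": b"Xen \n"}, mtime=1)
    print("repacked:", compare(upstream, repacked))
    print("edited:  ", compare(upstream, edited))
```

An archive-level mismatch with empty `only_in_a`, `only_in_b` and `changed` lists points to repackaging; any entry in those lists names a file whose content needs review.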
