
Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM



On 18/06/10 13:10, Joanna Rutkowska wrote:
So, the MD5 for the xen-3.4.3.tar.gz I downloaded from:

http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz

which for me reads:

f8d001eb9e08525c451d38deb93908b1

is *different* than expected by Fedora F13 RPM:

http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup

which is:

cbe84c44bc156ad1b4a20dc1c73464b8

So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their
original Makefile for RPM building), and diffed the two versions --
changes (cosmetic cleanup mostly) are innocent, but, hey, why would
anybody do such a thing? After all, we would expect only one version of
xen-XXX.tar.gz, right? Patches should be the proper way for customizing
tarballs for packaging, no?

Or am I missing something?

joanna.

I find this quite worrying as well. If one set of source has been tampered with, which one has been tampered with? Did someone modify the Fedora sources rather than patch them? Were the Xensource patches re-generated without incrementing the version number?

I'm rather less worried that the changes are malicious knowing your reputation :-) but even so this is still worrying.

jch

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
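
The comparison described in this thread, as an added example that is not part of the original messages or of any Xen or Fedora tooling: it hashes every file inside two tarballs, so a mere repack (same contents, different archive checksum) can be told apart from a tarball whose files were actually edited. It uses SHA-256 rather than the MD5 quoted above, and the member file names and contents are constructed sample input.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each regular file in a (possibly gzipped) tarball to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(a_bytes, b_bytes):
    """Report whether two tarballs differ as archives and which members differ."""
    a, b = member_digests(a_bytes), member_digests(b_bytes)
    same_archive = hashlib.sha256(a_bytes).digest() == hashlib.sha256(b_bytes).digest()
    return {
        "archive_identical": same_archive,
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def build_tarball(files, mtime):
    """Build a gzipped tarball in memory (used only for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: same tree repacked with new timestamps, then one edited file.
TREE = {"xen-3.4.3/Makefile": b"all:\n\t@echo build\n", "xen-3.4.3/README": b"Xen  \n"}
UPSTREAM = build_tarball(TREE, mtime=1276000000)
REPACKED = build_tarball(TREE, mtime=1276800000)
EDITED = build_tarball({**TREE, "xen-3.4.3/README": b"Xen\n"}, mtime=1276800000)

if __name__ == "__main__":
    print("repacked:", compare_tarballs(UPSTREAM, REPACKED))
    print("edited:  ", compare_tarballs(UPSTREAM, EDITED))
```

A checksum mismatch with an empty `changed` list points to regeneration of the archive; a non-empty list names the files to review by hand.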


 

