[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Different xen-3.4.3.tar.gz in Fedora RPM
On 18/06/10 13:10, Joanna Rutkowska wrote: So, the MD5 for the xen-3.4.3.tar.gz I downloaded from: http://bits.xensource.com/oss-xen/release/3.4.3/xen-3.4.3.tar.gz which for me reads: f8d001eb9e08525c451d38deb93908b1 is *different* than expected by Fedora F13 RPM: http://cvs.fedoraproject.org/viewvc/F-13/xen/sources?revision=1.59&view=markup which is: cbe84c44bc156ad1b4a20dc1c73464b8 So, I downloaded xen-3.4.3.tar.gz from fedora mirror (using their original Makefile for RPM building), and diffed the two versions -- changes (cosmetic cleanup mostly) are innocent, but, hey, why would anybody do such a thing? After allm we would expect only one version of xen-XXX.tar.gz, right? Patches should be the proper way for customizing tarballs for packaging, no? Or am I missing something? joanna. I find this quite worrying as well. If one set of source has been tampered with, which one has been tampered with? Did someone modify the Fedora sources rather than patch them? Were the Xensource patches re-generated without incrementing the version number? I'm rather less worried that the changes are malicious knowing your reputation :-) but even so this is still worrying. jch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |