[PATCH v2 0/4] Stop using insecure transports

Demi Marie Obenour posted 4 patches 1 year, 2 months ago
Test gitlab-ci failed
Patches applied successfully
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/cover.1675889601.git.demi@invisiblethingslab.com
There is a newer version of this series

COPYING                                       |  4 ++--
CREDITS                                       |  2 +-
Config.mk                                     | 20 +++++-----------
README                                        |  8 +++----
SUPPORT.md                                    |  2 +-
automation/build/centos/CentOS-7.2.repo       |  8 +++----
automation/build/debian/stretch-llvm-8.list   |  4 ++--
automation/build/debian/unstable-llvm-8.list  |  4 ++--
automation/scripts/qemu-smoke-dom0-arm32.sh   |  2 +-
docs/README.remus                             |  2 +-
docs/conf.py                                  |  2 +-
docs/features/feature-levelling.pandoc        |  4 ++--
docs/features/intel_psr_cat_cdp.pandoc        |  2 +-
docs/features/intel_psr_mba.pandoc            |  2 +-
docs/features/migration.pandoc                |  2 +-
docs/features/sched_credit.pandoc             |  4 ++--
docs/features/sched_credit2.pandoc            |  6 ++---
docs/features/sched_rtds.pandoc               |  4 ++--
docs/misc/amd-ucode-container.txt             |  4 ++--
docs/misc/arm/booting.txt                     |  4 ++--
docs/misc/arm/passthrough.txt                 |  2 +-
docs/misc/kconfig-language.rst                | 14 +++++------
docs/misc/livepatch.pandoc                    |  2 +-
docs/misc/netif-staging-grants.pandoc         | 10 ++++----
docs/misc/pvcalls.pandoc                      | 18 +++++++-------
docs/misc/status-override-table-spec.fodt     |  2 +-
docs/misc/vtd-pi.txt                          |  6 ++---
docs/misc/vtd.txt                             |  4 ++--
docs/misc/xen-env-table-spec.fodt             |  2 +-
docs/misc/xenstore-paths.pandoc               |  2 +-
docs/misc/xl-psr.pandoc                       |  2 +-
docs/misc/xsm-flask.txt                       |  2 +-
docs/process/release-technician-checklist.txt |  2 +-
docs/process/sending-patches.pandoc           |  2 +-
docs/process/xen-release-management.pandoc    |  2 +-
m4/README.source                              |  4 ++--
m4/ax_compare_version.m4                      |  4 ++--
m4/ocaml.m4                                   |  2 +-
m4/pkg.m4                                     |  4 ++--
m4/systemd.m4                                 |  2 +-
misc/coverity/model.c                         |  2 +-
scripts/get_maintainer.pl                     |  2 +-
stubdom/configure                             | 18 +++++++-------
stubdom/configure.ac                          | 24 ++++++++++++-------
stubdom/grub.patches/10graphics.diff          |  4 ++--
stubdom/grub.patches/61btrfs.diff             |  4 ++--
stubdom/vtpmmgr/tpmrsa.c                      |  6 ++---
stubdom/vtpmmgr/tpmrsa.h                      |  4 ++--
tools/configure                               | 16 ++++++-------
tools/console/client/main.c                   |  2 +-
tools/console/daemon/io.c                     |  2 +-
tools/console/daemon/io.h                     |  2 +-
tools/console/daemon/main.c                   |  2 +-
tools/console/daemon/utils.c                  |  2 +-
tools/console/daemon/utils.h                  |  2 +-
tools/debugger/gdbsx/gx/gx.h                  |  2 +-
tools/debugger/gdbsx/gx/gx_comm.c             |  4 ++--
tools/debugger/gdbsx/gx/gx_local.c            |  2 +-
tools/debugger/gdbsx/gx/gx_main.c             |  2 +-
tools/debugger/gdbsx/gx/gx_utils.c            |  2 +-
tools/debugger/gdbsx/gx/xg_dummy.c            |  2 +-
tools/debugger/gdbsx/xg/xg_main.c             |  2 +-
tools/debugger/gdbsx/xg/xg_public.h           |  2 +-
tools/examples/xeninfo.pl                     |  4 ++--
tools/firmware/Makefile                       |  2 +-
tools/firmware/etherboot/Makefile             |  6 +----
tools/firmware/etherboot/README               | 23 +-----------------
tools/firmware/hvmloader/32bitbios_support.c  |  2 +-
tools/firmware/hvmloader/Makefile             |  2 +-
tools/firmware/hvmloader/cacheattr.c          |  2 +-
tools/firmware/hvmloader/e820.c               |  2 +-
tools/firmware/hvmloader/hvmloader.c          |  2 +-
tools/firmware/hvmloader/mp_tables.c          |  2 +-
tools/firmware/hvmloader/optionroms.c         |  2 +-
tools/firmware/hvmloader/ovmf.c               |  2 +-
tools/firmware/hvmloader/pci.c                |  2 +-
tools/firmware/hvmloader/pci_regs.h           |  2 +-
tools/firmware/hvmloader/pir.c                |  2 +-
tools/firmware/hvmloader/pir_types.h          |  4 ++--
tools/firmware/hvmloader/rombios.c            |  2 +-
tools/firmware/hvmloader/seabios.c            |  2 +-
tools/firmware/hvmloader/smbios.c             |  2 +-
tools/firmware/hvmloader/smbios_types.h       |  4 ++--
tools/firmware/hvmloader/smp.c                |  2 +-
tools/firmware/hvmloader/tests.c              |  2 +-
tools/firmware/hvmloader/util.c               |  2 +-
tools/firmware/rombios/32bit/32bitbios.c      |  2 +-
tools/firmware/rombios/32bit/mkhex            |  2 +-
tools/firmware/rombios/32bit/pmm.c            |  4 ++--
.../firmware/rombios/32bit/tcgbios/tcgbios.c  |  2 +-
.../rombios/32bit/tcgbios/tpm_drivers.c       |  2 +-
tools/firmware/rombios/32bit/util.c           |  2 +-
tools/firmware/rombios/32bitgateway.c         |  2 +-
tools/firmware/rombios/apmbios.S              |  2 +-
tools/firmware/rombios/rombios.c              |  6 ++---
tools/firmware/rombios/rombios.h              |  2 +-
tools/firmware/rombios/tcgbios.c              |  2 +-
tools/firmware/vgabios/COPYING                |  2 +-
tools/firmware/vgabios/README                 | 10 ++++----
tools/firmware/vgabios/biossums.c             |  2 +-
tools/firmware/vgabios/clext.c                |  2 +-
tools/firmware/vgabios/vbe.c                  |  4 ++--
tools/firmware/vgabios/vbe_display_api.txt    |  8 +++----
tools/firmware/vgabios/vgabios.c              | 10 ++++----
tools/fuzz/README.afl                         |  2 +-
tools/golang/xenlight/xenlight.go             |  2 +-
tools/hotplug/Linux/block-common.sh           |  2 +-
tools/hotplug/Linux/block-drbd-probe          |  2 +-
tools/hotplug/Linux/external-device-migrate   |  2 +-
tools/hotplug/Linux/launch-xenstore.in        |  2 +-
tools/hotplug/Linux/locking.sh                |  2 +-
tools/hotplug/Linux/logging.sh                |  2 +-
tools/hotplug/Linux/vif-common.sh             |  2 +-
tools/hotplug/Linux/xen-hotplug-common.sh.in  |  2 +-
tools/hotplug/Linux/xen-network-common.sh     |  2 +-
tools/hotplug/Linux/xen-script-common.sh      |  2 +-
tools/hotplug/Linux/xendomains.in             |  2 +-
tools/hotplug/NetBSD/locking.sh               |  2 +-
tools/include/libxenvchan.h                   |  4 ++--
tools/include/libxl.h                         |  2 +-
tools/include/xencall.h                       |  2 +-
tools/include/xenctrl.h                       |  2 +-
tools/include/xendevicemodel.h                |  2 +-
tools/include/xenevtchn.h                     |  2 +-
tools/include/xenforeignmemory.h              |  2 +-
tools/include/xengnttab.h                     |  2 +-
tools/include/xenguest.h                      |  2 +-
tools/include/xenhypfs.h                      |  2 +-
tools/include/xenstore.h                      |  2 +-
tools/include/xenstore_lib.h                  |  2 +-
tools/include/xentoolcore.h                   |  2 +-
tools/include/xentoolcore_internal.h          |  2 +-
tools/include/xentoollog.h                    |  2 +-
tools/libacpi/build.c                         |  2 +-
tools/libfsimage/ext2fs/fsys_ext2fs.c         |  2 +-
tools/libfsimage/fat/fat.h                    |  2 +-
tools/libfsimage/fat/fsys_fat.c               |  2 +-
tools/libfsimage/iso9660/fsys_iso9660.c       |  2 +-
tools/libfsimage/iso9660/iso9660.h            |  2 +-
tools/libfsimage/reiserfs/fsys_reiserfs.c     |  4 ++--
tools/libfsimage/ufs/fsys_ufs.c               |  2 +-
tools/libfsimage/xfs/fsys_xfs.c               |  2 +-
tools/libfsimage/xfs/xfs.h                    |  6 ++---
tools/libfsimage/zfs/Makefile                 |  2 +-
tools/libfsimage/zfs/filesys.h                |  2 +-
tools/libfsimage/zfs/fsi_zfs.c                |  2 +-
tools/libfsimage/zfs/fsi_zfs.h                |  2 +-
tools/libfsimage/zfs/fsys_zfs.c               |  2 +-
tools/libfsimage/zfs/fsys_zfs.h               |  2 +-
tools/libfsimage/zfs/mb_info.h                |  2 +-
tools/libfsimage/zfs/shared.h                 |  2 +-
tools/libfsimage/zfs/zfs-include/dmu.h        |  2 +-
tools/libfsimage/zfs/zfs-include/dmu_objset.h |  2 +-
tools/libfsimage/zfs/zfs-include/dnode.h      |  2 +-
.../libfsimage/zfs/zfs-include/dsl_dataset.h  |  2 +-
tools/libfsimage/zfs/zfs-include/dsl_dir.h    |  2 +-
tools/libfsimage/zfs/zfs-include/sa_impl.h    |  2 +-
tools/libfsimage/zfs/zfs-include/spa.h        |  2 +-
.../zfs/zfs-include/uberblock_impl.h          |  2 +-
tools/libfsimage/zfs/zfs-include/vdev_impl.h  |  2 +-
tools/libfsimage/zfs/zfs-include/zap_impl.h   |  2 +-
tools/libfsimage/zfs/zfs-include/zap_leaf.h   |  2 +-
tools/libfsimage/zfs/zfs-include/zfs.h        |  2 +-
tools/libfsimage/zfs/zfs-include/zfs_acl.h    |  2 +-
tools/libfsimage/zfs/zfs-include/zfs_znode.h  |  2 +-
tools/libfsimage/zfs/zfs-include/zil.h        |  2 +-
tools/libfsimage/zfs/zfs-include/zio.h        |  2 +-
.../libfsimage/zfs/zfs-include/zio_checksum.h |  2 +-
tools/libfsimage/zfs/zfs_fletcher.c           |  2 +-
tools/libfsimage/zfs/zfs_lzjb.c               |  2 +-
tools/libfsimage/zfs/zfs_sha256.c             |  4 ++--
tools/libs/call/buffer.c                      |  2 +-
tools/libs/call/core.c                        |  2 +-
tools/libs/call/freebsd.c                     |  2 +-
tools/libs/call/linux.c                       |  2 +-
tools/libs/call/minios.c                      |  2 +-
tools/libs/call/netbsd.c                      |  2 +-
tools/libs/call/solaris.c                     |  2 +-
tools/libs/ctrl/xc_altp2m.c                   |  2 +-
tools/libs/ctrl/xc_cpu_hotplug.c              |  2 +-
tools/libs/ctrl/xc_cpupool.c                  |  2 +-
tools/libs/ctrl/xc_csched.c                   |  2 +-
tools/libs/ctrl/xc_csched2.c                  |  2 +-
tools/libs/ctrl/xc_domain.c                   |  2 +-
tools/libs/ctrl/xc_evtchn.c                   |  2 +-
tools/libs/ctrl/xc_flask.c                    |  2 +-
tools/libs/ctrl/xc_foreign_memory.c           |  2 +-
tools/libs/ctrl/xc_freebsd.c                  |  2 +-
tools/libs/ctrl/xc_gnttab.c                   |  2 +-
tools/libs/ctrl/xc_hcall_buf.c                |  2 +-
tools/libs/ctrl/xc_linux.c                    |  2 +-
tools/libs/ctrl/xc_mem_access.c               |  2 +-
tools/libs/ctrl/xc_mem_paging.c               |  2 +-
tools/libs/ctrl/xc_memshr.c                   |  2 +-
tools/libs/ctrl/xc_minios.c                   |  2 +-
tools/libs/ctrl/xc_misc.c                     |  2 +-
tools/libs/ctrl/xc_monitor.c                  |  2 +-
tools/libs/ctrl/xc_netbsd.c                   |  2 +-
tools/libs/ctrl/xc_pagetab.c                  |  2 +-
tools/libs/ctrl/xc_physdev.c                  |  2 +-
tools/libs/ctrl/xc_pm.c                       |  2 +-
tools/libs/ctrl/xc_private.c                  |  2 +-
tools/libs/ctrl/xc_private.h                  |  2 +-
tools/libs/ctrl/xc_rt.c                       |  2 +-
tools/libs/ctrl/xc_solaris.c                  |  2 +-
tools/libs/ctrl/xc_tbuf.c                     |  2 +-
tools/libs/ctrl/xc_vm_event.c                 |  2 +-
tools/libs/ctrl/xc_vmtrace.c                  |  2 +-
tools/libs/devicemodel/common.c               |  2 +-
tools/libs/devicemodel/compat.c               |  2 +-
tools/libs/devicemodel/core.c                 |  2 +-
tools/libs/evtchn/core.c                      |  2 +-
tools/libs/evtchn/freebsd.c                   |  2 +-
tools/libs/evtchn/linux.c                     |  2 +-
tools/libs/evtchn/minios.c                    |  2 +-
tools/libs/evtchn/netbsd.c                    |  2 +-
tools/libs/evtchn/solaris.c                   |  2 +-
tools/libs/foreignmemory/compat.c             |  2 +-
tools/libs/foreignmemory/core.c               |  2 +-
tools/libs/foreignmemory/freebsd.c            |  2 +-
tools/libs/foreignmemory/linux.c              |  2 +-
tools/libs/foreignmemory/minios.c             |  2 +-
tools/libs/foreignmemory/netbsd.c             |  2 +-
tools/libs/foreignmemory/solaris.c            |  2 +-
tools/libs/gnttab/freebsd.c                   |  2 +-
tools/libs/gnttab/gntshr_core.c               |  2 +-
tools/libs/gnttab/gntshr_unimp.c              |  2 +-
tools/libs/gnttab/gnttab_core.c               |  2 +-
tools/libs/gnttab/gnttab_unimp.c              |  2 +-
tools/libs/gnttab/linux.c                     |  2 +-
tools/libs/gnttab/minios.c                    |  2 +-
tools/libs/gnttab/netbsd.c                    |  2 +-
tools/libs/guest/xg_core.c                    |  2 +-
tools/libs/guest/xg_core.h                    |  2 +-
tools/libs/guest/xg_core_arm.c                |  2 +-
tools/libs/guest/xg_core_arm.h                |  2 +-
tools/libs/guest/xg_core_x86.c                |  2 +-
tools/libs/guest/xg_core_x86.h                |  2 +-
tools/libs/guest/xg_cpuid_x86.c               |  2 +-
tools/libs/guest/xg_dom_arm.c                 |  2 +-
tools/libs/guest/xg_dom_armzimageloader.c     |  2 +-
tools/libs/guest/xg_dom_binloader.c           |  2 +-
tools/libs/guest/xg_dom_boot.c                |  2 +-
tools/libs/guest/xg_dom_bzimageloader.c       |  2 +-
tools/libs/guest/xg_dom_compat_linux.c        |  2 +-
tools/libs/guest/xg_dom_core.c                |  2 +-
tools/libs/guest/xg_dom_elfloader.c           |  2 +-
tools/libs/guest/xg_dom_hvmloader.c           |  2 +-
tools/libs/guest/xg_dom_x86.c                 |  2 +-
tools/libs/guest/xg_domain.c                  |  2 +-
tools/libs/guest/xg_nomigrate.c               |  2 +-
tools/libs/guest/xg_offline_page.c            |  2 +-
tools/libs/guest/xg_private.c                 |  2 +-
tools/libs/guest/xg_private.h                 |  2 +-
tools/libs/guest/xg_resume.c                  |  2 +-
tools/libs/guest/xg_save_restore.h            |  2 +-
tools/libs/guest/xg_suspend.c                 |  2 +-
tools/libs/hypfs/core.c                       |  2 +-
tools/libs/light/libxl_genid.c                |  2 +-
tools/libs/stat/COPYING                       |  2 +-
tools/libs/stat/xenstat_qmp.c                 |  2 +-
tools/libs/store/xs.c                         |  2 +-
tools/libs/toolcore/handlereg.c               |  2 +-
tools/libs/toollog/xtl_core.c                 |  2 +-
tools/libs/toollog/xtl_logger_stdio.c         |  2 +-
tools/libs/util/libxlu_cfg_y.c                |  2 +-
tools/libs/util/libxlu_cfg_y.h                |  2 +-
tools/libs/vchan/init.c                       |  2 +-
tools/libs/vchan/io.c                         |  2 +-
tools/libs/vchan/vchan.h                      |  2 +-
tools/misc/mkhex                              |  2 +-
tools/misc/mkrpm                              |  2 +-
tools/misc/xen-mceinj.c                       |  2 +-
tools/misc/xen-vmtrace.c                      |  2 +-
tools/misc/xencov.c                           |  2 +-
tools/misc/xenpm.c                            |  2 +-
tools/misc/xenpvnetboot                       |  2 +-
tools/ocaml/LICENSE                           |  2 +-
.../ocaml/libs/xentoollog/xentoollog_stubs.c  |  2 +-
tools/ocaml/libs/xl/xenlight_stubs.c          |  2 +-
tools/pygrub/src/ExtLinuxConf.py              |  2 +-
tools/pygrub/src/GrubConf.py                  |  2 +-
tools/pygrub/src/pygrub                       |  2 +-
tools/python/xen/lowlevel/xs/xs.c             |  2 +-
tools/tests/depriv/depriv-fd-checker.c        |  2 +-
tools/tests/vhpet/emul.h                      |  2 +-
tools/tests/vhpet/main.c                      |  4 ++--
tools/tests/vpci/emul.h                       |  2 +-
tools/tests/vpci/main.c                       |  2 +-
tools/tests/x86_emulator/blowfish.c           |  2 +-
tools/tests/xenstore/test-xenstore.c          |  2 +-
tools/vchan/node-select.c                     |  2 +-
tools/vchan/node.c                            |  2 +-
tools/vchan/vchan-socket-proxy.c              |  2 +-
tools/xenmon/COPYING                          |  2 +-
tools/xenmon/setmask.c                        |  2 +-
tools/xenmon/xenbaked.c                       |  2 +-
tools/xenmon/xenbaked.h                       |  2 +-
tools/xenmon/xenmon.py                        |  2 +-
tools/xenpaging/file_ops.c                    |  2 +-
tools/xenpaging/file_ops.h                    |  2 +-
tools/xenpaging/policy.h                      |  2 +-
tools/xenpaging/policy_default.c              |  2 +-
tools/xenpaging/xenpaging.c                   |  2 +-
tools/xenpaging/xenpaging.h                   |  2 +-
tools/xenpmd/xenpmd.c                         |  2 +-
tools/xenstore/COPYING                        |  2 +-
tools/xenstore/include/xenstore_state.h       |  2 +-
tools/xenstore/talloc.c                       |  4 ++--
tools/xenstore/talloc.h                       |  2 +-
tools/xenstore/talloc_guide.txt               |  2 +-
tools/xenstore/tdb.c                          |  2 +-
tools/xenstore/tdb.h                          |  2 +-
tools/xenstore/xenstored_control.c            |  2 +-
tools/xenstore/xenstored_control.h            |  2 +-
tools/xenstore/xenstored_core.c               |  2 +-
tools/xenstore/xenstored_core.h               |  2 +-
tools/xenstore/xenstored_domain.c             |  2 +-
tools/xenstore/xenstored_domain.h             |  2 +-
tools/xenstore/xenstored_minios.c             |  2 +-
tools/xenstore/xenstored_posix.c              |  2 +-
tools/xenstore/xenstored_transaction.c        |  2 +-
tools/xenstore/xenstored_transaction.h        |  2 +-
tools/xenstore/xenstored_watch.c              |  2 +-
tools/xenstore/xenstored_watch.h              |  2 +-
tools/xenstore/xs_lib.c                       |  2 +-
tools/xenstore/xs_lib.h                       |  2 +-
tools/xentop/xentop.c                         |  2 +-
tools/xentrace/xenalyze.c                     |  2 +-
tools/xl/check-xl-disk-parse                  |  6 ++---
xen/COPYING                                   |  2 +-
xen/arch/arm/acpi/boot.c                      |  2 +-
xen/arch/arm/acpi/lib.c                       |  2 +-
xen/arch/arm/arm32/head.S                     |  2 +-
xen/arch/arm/arm32/insn.c                     |  2 +-
xen/arch/arm/arm32/lib/bitops.c               |  2 +-
xen/arch/arm/arm32/lib/lib1funcs.S            |  2 +-
xen/arch/arm/arm32/lib/lshrdi3.S              |  2 +-
xen/arch/arm/arm64/bpi.S                      |  2 +-
xen/arch/arm/arm64/cache.S                    |  2 +-
xen/arch/arm/arm64/debug-meson.inc            |  2 +-
xen/arch/arm/arm64/debug-mvebu.inc            |  2 +-
xen/arch/arm/arm64/head.S                     |  2 +-
xen/arch/arm/arm64/insn.c                     |  2 +-
xen/arch/arm/arm64/lib/bitops.c               |  2 +-
xen/arch/arm/arm64/lib/clear_page.S           |  2 +-
xen/arch/arm/arm64/lib/memchr.S               |  2 +-
xen/arch/arm/arm64/lib/memcmp.S               |  5 ++--
xen/arch/arm/arm64/lib/memcpy.S               |  4 ++--
xen/arch/arm/arm64/lib/memmove.S              |  4 ++--
xen/arch/arm/arm64/lib/memset.S               |  4 ++--
xen/arch/arm/arm64/lib/strchr.S               |  2 +-
xen/arch/arm/arm64/lib/strcmp.S               |  4 ++--
xen/arch/arm/arm64/lib/strlen.S               |  4 ++--
xen/arch/arm/arm64/lib/strncmp.S              |  4 ++--
xen/arch/arm/arm64/lib/strnlen.S              |  4 ++--
xen/arch/arm/arm64/lib/strrchr.S              |  2 +-
xen/arch/arm/efi/efi-dom0.c                   |  2 +-
xen/arch/arm/include/asm/acpi.h               |  2 +-
xen/arch/arm/include/asm/altp2m.h             |  2 +-
xen/arch/arm/include/asm/arm32/insn.h         |  2 +-
xen/arch/arm/include/asm/arm64/atomic.h       |  2 +-
xen/arch/arm/include/asm/arm64/insn.h         |  2 +-
xen/arch/arm/include/asm/arm64/io.h           |  2 +-
xen/arch/arm/include/asm/gic_v3_its.h         |  2 +-
xen/arch/arm/include/asm/iommu.h              |  2 +-
xen/arch/arm/include/asm/iommu_fwspec.h       |  2 +-
xen/arch/arm/include/asm/ioreq.h              |  2 +-
xen/arch/arm/include/asm/mem_access.h         |  2 +-
xen/arch/arm/include/asm/monitor.h            |  2 +-
xen/arch/arm/include/asm/new_vgic.h           |  2 +-
xen/arch/arm/include/asm/pci.h                |  2 +-
xen/arch/arm/include/asm/smccc.h              |  2 +-
xen/arch/arm/include/asm/tee/optee_smc.h      |  2 +-
xen/arch/arm/include/asm/vm_event.h           |  2 +-
xen/arch/arm/include/asm/vpl011.h             |  2 +-
xen/arch/arm/include/asm/vpsci.h              |  2 +-
xen/arch/arm/pci/ecam.c                       |  2 +-
xen/arch/arm/pci/pci-access.c                 |  2 +-
xen/arch/arm/pci/pci-host-common.c            |  2 +-
xen/arch/arm/pci/pci-host-generic.c           |  2 +-
xen/arch/arm/pci/pci-host-zynqmp.c            |  2 +-
xen/arch/arm/pci/pci.c                        |  2 +-
xen/arch/arm/platforms/thunderx.c             |  2 +-
xen/arch/arm/vgic/vgic-init.c                 |  2 +-
xen/arch/arm/vgic/vgic-mmio.h                 |  2 +-
xen/arch/arm/vgic/vgic-v2.c                   |  2 +-
xen/arch/arm/vgic/vgic.c                      |  2 +-
xen/arch/arm/vgic/vgic.h                      |  2 +-
xen/arch/x86/acpi/boot.c                      |  2 +-
xen/arch/x86/acpi/cpu_idle.c                  |  2 +-
xen/arch/x86/acpi/cpufreq/cpufreq.c           |  2 +-
xen/arch/x86/acpi/cpufreq/powernow.c          |  2 +-
xen/arch/x86/acpi/cpuidle_menu.c              |  2 +-
xen/arch/x86/acpi/lib.c                       |  2 +-
xen/arch/x86/alternative.c                    |  2 +-
xen/arch/x86/boot/build32.lds                 |  2 +-
xen/arch/x86/boot/cmdline.c                   |  2 +-
xen/arch/x86/boot/defs.h                      |  2 +-
xen/arch/x86/cpu/mcheck/amd_nonfatal.c        |  8 +++----
xen/arch/x86/cpu/mcheck/mce-apei.c            |  2 +-
xen/arch/x86/cpu/mcheck/mce_amd.c             | 10 ++++----
xen/arch/x86/cpu/mcheck/vmce.c                |  2 +-
xen/arch/x86/cpu/mcheck/x86_mca.h             |  2 +-
xen/arch/x86/cpu/microcode/core.c             |  4 +---
xen/arch/x86/cpu/microcode/intel.c            |  4 ++--
xen/arch/x86/cpu/mtrr/main.c                  |  2 +-
xen/arch/x86/cpu/mwait-idle.c                 |  2 +-
xen/arch/x86/cpu/vpmu.c                       |  2 +-
xen/arch/x86/cpu/vpmu_amd.c                   |  2 +-
xen/arch/x86/cpu/vpmu_intel.c                 |  2 +-
xen/arch/x86/dmi_scan.c                       |  5 ++++
xen/arch/x86/gdbstub.c                        |  2 +-
xen/arch/x86/gdbsx.c                          |  2 +-
xen/arch/x86/genapic/x2apic.c                 |  2 +-
xen/arch/x86/guest/hyperv/hyperv.c            |  2 +-
xen/arch/x86/guest/hyperv/private.h           |  2 +-
xen/arch/x86/guest/hyperv/tlb.c               |  2 +-
xen/arch/x86/guest/hyperv/util.c              |  2 +-
xen/arch/x86/guest/hypervisor.c               |  2 +-
xen/arch/x86/guest/xen/pvh-boot.c             |  2 +-
xen/arch/x86/guest/xen/xen.c                  |  2 +-
xen/arch/x86/hvm/asid.c                       |  2 +-
xen/arch/x86/hvm/dm.c                         |  2 +-
xen/arch/x86/hvm/dom0_build.c                 |  2 +-
xen/arch/x86/hvm/domain.c                     |  2 +-
xen/arch/x86/hvm/grant_table.c                |  2 +-
xen/arch/x86/hvm/hpet.c                       |  2 +-
xen/arch/x86/hvm/hvm.c                        |  2 +-
xen/arch/x86/hvm/hypercall.c                  |  2 +-
xen/arch/x86/hvm/intercept.c                  |  2 +-
xen/arch/x86/hvm/io.c                         |  2 +-
xen/arch/x86/hvm/ioreq.c                      |  2 +-
xen/arch/x86/hvm/irq.c                        |  2 +-
xen/arch/x86/hvm/monitor.c                    |  2 +-
xen/arch/x86/hvm/mtrr.c                       |  2 +-
xen/arch/x86/hvm/nestedhvm.c                  |  2 +-
xen/arch/x86/hvm/pmtimer.c                    |  2 +-
xen/arch/x86/hvm/quirks.c                     |  2 +-
xen/arch/x86/hvm/save.c                       |  2 +-
xen/arch/x86/hvm/svm/asid.c                   |  2 +-
xen/arch/x86/hvm/svm/emulate.c                |  2 +-
xen/arch/x86/hvm/svm/entry.S                  |  2 +-
xen/arch/x86/hvm/svm/intr.c                   |  2 +-
xen/arch/x86/hvm/svm/nestedsvm.c              |  2 +-
xen/arch/x86/hvm/svm/svm.c                    |  2 +-
xen/arch/x86/hvm/svm/svmdebug.c               |  2 +-
xen/arch/x86/hvm/svm/vmcb.c                   |  2 +-
xen/arch/x86/hvm/vioapic.c                    |  2 +-
xen/arch/x86/hvm/vlapic.c                     |  2 +-
xen/arch/x86/hvm/vm_event.c                   |  2 +-
xen/arch/x86/hvm/vmsi.c                       |  2 +-
xen/arch/x86/hvm/vmx/entry.S                  |  2 +-
xen/arch/x86/hvm/vmx/intr.c                   |  2 +-
xen/arch/x86/hvm/vmx/vmcs.c                   |  2 +-
xen/arch/x86/hvm/vmx/vmx.c                    |  2 +-
xen/arch/x86/hvm/vmx/vvmx.c                   |  2 +-
xen/arch/x86/hvm/vpt.c                        |  2 +-
xen/arch/x86/hypercall.c                      |  2 +-
xen/arch/x86/include/asm/acpi.h               |  2 +-
xen/arch/x86/include/asm/altp2m.h             |  2 +-
xen/arch/x86/include/asm/edd.h                |  4 ++--
xen/arch/x86/include/asm/endbr.h              |  2 +-
xen/arch/x86/include/asm/guest.h              |  2 +-
xen/arch/x86/include/asm/guest/hyperv-hcall.h |  2 +-
xen/arch/x86/include/asm/guest/hyperv.h       |  2 +-
xen/arch/x86/include/asm/guest/hypervisor.h   |  2 +-
xen/arch/x86/include/asm/guest/pvh-boot.h     |  2 +-
xen/arch/x86/include/asm/guest/xen-hcall.h    |  2 +-
xen/arch/x86/include/asm/guest/xen.h          |  2 +-
xen/arch/x86/include/asm/guest_pt.h           |  2 +-
xen/arch/x86/include/asm/hap.h                |  2 +-
xen/arch/x86/include/asm/hpet.h               |  2 +-
xen/arch/x86/include/asm/hvm/asid.h           |  2 +-
xen/arch/x86/include/asm/hvm/domain.h         |  2 +-
xen/arch/x86/include/asm/hvm/grant_table.h    |  2 +-
xen/arch/x86/include/asm/hvm/hvm.h            |  2 +-
xen/arch/x86/include/asm/hvm/io.h             |  2 +-
xen/arch/x86/include/asm/hvm/ioreq.h          |  2 +-
xen/arch/x86/include/asm/hvm/irq.h            |  2 +-
xen/arch/x86/include/asm/hvm/monitor.h        |  2 +-
xen/arch/x86/include/asm/hvm/nestedhvm.h      |  2 +-
xen/arch/x86/include/asm/hvm/save.h           |  2 +-
xen/arch/x86/include/asm/hvm/support.h        |  2 +-
xen/arch/x86/include/asm/hvm/svm/asid.h       |  2 +-
xen/arch/x86/include/asm/hvm/svm/emulate.h    |  2 +-
xen/arch/x86/include/asm/hvm/svm/intr.h       |  2 +-
xen/arch/x86/include/asm/hvm/svm/nestedsvm.h  |  2 +-
xen/arch/x86/include/asm/hvm/svm/svm.h        |  2 +-
xen/arch/x86/include/asm/hvm/svm/svmdebug.h   |  2 +-
xen/arch/x86/include/asm/hvm/svm/vmcb.h       |  2 +-
xen/arch/x86/include/asm/hvm/vcpu.h           |  2 +-
xen/arch/x86/include/asm/hvm/vioapic.h        |  2 +-
xen/arch/x86/include/asm/hvm/vlapic.h         |  2 +-
xen/arch/x86/include/asm/hvm/vm_event.h       |  2 +-
xen/arch/x86/include/asm/hvm/vmx/vmcs.h       |  2 +-
xen/arch/x86/include/asm/hvm/vmx/vmx.h        |  2 +-
xen/arch/x86/include/asm/hvm/vmx/vvmx.h       |  2 +-
xen/arch/x86/include/asm/hvm/vpt.h            |  2 +-
xen/arch/x86/include/asm/iommu.h              |  2 +-
xen/arch/x86/include/asm/ioreq.h              |  2 +-
xen/arch/x86/include/asm/mem_access.h         |  2 +-
xen/arch/x86/include/asm/mem_paging.h         |  2 +-
xen/arch/x86/include/asm/mem_sharing.h        |  2 +-
xen/arch/x86/include/asm/monitor.h            |  2 +-
xen/arch/x86/include/asm/p2m.h                |  2 +-
xen/arch/x86/include/asm/paging.h             |  2 +-
xen/arch/x86/include/asm/pv/domain.h          |  2 +-
xen/arch/x86/include/asm/pv/grant_table.h     |  2 +-
xen/arch/x86/include/asm/pv/mm.h              |  2 +-
xen/arch/x86/include/asm/pv/shim.h            |  2 +-
xen/arch/x86/include/asm/pv/traps.h           |  2 +-
xen/arch/x86/include/asm/shadow.h             |  2 +-
xen/arch/x86/include/asm/shstk.h              |  2 +-
xen/arch/x86/include/asm/spec_ctrl.h          |  2 +-
xen/arch/x86/include/asm/spec_ctrl_asm.h      |  2 +-
xen/arch/x86/include/asm/traps.h              |  2 +-
xen/arch/x86/include/asm/vm_event.h           |  2 +-
xen/arch/x86/include/asm/vpmu.h               |  2 +-
xen/arch/x86/include/asm/xenoprof.h           |  2 +-
xen/arch/x86/mm.c                             |  2 +-
xen/arch/x86/mm/altp2m.c                      |  2 +-
xen/arch/x86/mm/guest_walk.c                  |  2 +-
xen/arch/x86/mm/hap/guest_walk.c              |  2 +-
xen/arch/x86/mm/hap/hap.c                     |  2 +-
xen/arch/x86/mm/hap/nested_ept.c              |  2 +-
xen/arch/x86/mm/hap/nested_hap.c              |  2 +-
xen/arch/x86/mm/hap/private.h                 |  2 +-
xen/arch/x86/mm/mem_access.c                  |  2 +-
xen/arch/x86/mm/mem_paging.c                  |  2 +-
xen/arch/x86/mm/mem_sharing.c                 |  2 +-
xen/arch/x86/mm/mm-locks.h                    |  2 +-
xen/arch/x86/mm/nested.c                      |  2 +-
xen/arch/x86/mm/p2m-basic.c                   |  2 +-
xen/arch/x86/mm/p2m-ept.c                     |  2 +-
xen/arch/x86/mm/p2m-pod.c                     |  2 +-
xen/arch/x86/mm/p2m-pt.c                      |  2 +-
xen/arch/x86/mm/p2m.c                         |  2 +-
xen/arch/x86/mm/p2m.h                         |  2 +-
xen/arch/x86/mm/paging.c                      |  2 +-
xen/arch/x86/mm/physmap.c                     |  2 +-
xen/arch/x86/mm/shadow/common.c               |  2 +-
xen/arch/x86/mm/shadow/hvm.c                  |  2 +-
xen/arch/x86/mm/shadow/multi.c                |  2 +-
xen/arch/x86/mm/shadow/multi.h                |  2 +-
xen/arch/x86/mm/shadow/private.h              |  2 +-
xen/arch/x86/mm/shadow/pv.c                   |  2 +-
xen/arch/x86/mm/shadow/set.c                  |  2 +-
xen/arch/x86/mm/shadow/types.h                |  2 +-
xen/arch/x86/monitor.c                        |  2 +-
xen/arch/x86/msr.c                            |  2 +-
xen/arch/x86/pv/callback.c                    |  2 +-
xen/arch/x86/pv/descriptor-tables.c           |  2 +-
xen/arch/x86/pv/emul-gate-op.c                |  2 +-
xen/arch/x86/pv/emul-inv-op.c                 |  2 +-
xen/arch/x86/pv/emul-priv-op.c                |  2 +-
xen/arch/x86/pv/emulate.c                     |  2 +-
xen/arch/x86/pv/grant_table.c                 |  2 +-
xen/arch/x86/pv/hypercall.c                   |  2 +-
xen/arch/x86/pv/iret.c                        |  2 +-
xen/arch/x86/pv/misc-hypercalls.c             |  2 +-
xen/arch/x86/pv/mm.c                          |  2 +-
xen/arch/x86/pv/ro-page-fault.c               |  2 +-
xen/arch/x86/pv/shim.c                        |  2 +-
xen/arch/x86/pv/traps.c                       |  2 +-
xen/arch/x86/smpboot.c                        |  2 +-
xen/arch/x86/spec_ctrl.c                      |  2 +-
xen/arch/x86/traps.c                          |  2 +-
xen/arch/x86/vm_event.c                       |  2 +-
xen/arch/x86/x86_64/acpi_mmcfg.c              |  2 +-
xen/arch/x86/x86_64/cpu_idle.c                |  2 +-
xen/arch/x86/x86_64/cpufreq.c                 |  2 +-
xen/arch/x86/x86_64/gdbstub.c                 |  2 +-
xen/arch/x86/x86_64/mm.c                      |  2 +-
xen/arch/x86/x86_64/mmconfig.h                |  2 +-
xen/arch/x86/x86_emulate/x86_emulate.c        |  2 +-
xen/arch/x86/x86_emulate/x86_emulate.h        |  2 +-
xen/common/README.source                      |  6 ++---
xen/common/argo.c                             |  2 +-
xen/common/bunzip2.c                          |  7 +++---
xen/common/coverage/coverage.c                |  2 +-
xen/common/dm.c                               |  2 +-
xen/common/event_channel.c                    |  2 +-
xen/common/gdbstub.c                          |  2 +-
xen/common/grant_table.c                      |  2 +-
xen/common/ioreq.c                            |  2 +-
xen/common/libelf/libelf-dominfo.c            |  2 +-
xen/common/libelf/libelf-loader.c             |  2 +-
xen/common/libelf/libelf-private.h            |  2 +-
xen/common/libelf/libelf-tools.c              |  2 +-
xen/common/lz4/decompress.c                   |  6 ++---
xen/common/lzo.c                              |  8 +++----
xen/common/mem_access.c                       |  2 +-
xen/common/monitor.c                          |  2 +-
xen/common/page_alloc.c                       |  2 +-
xen/common/pdx.c                              |  2 +-
xen/common/preempt.c                          |  2 +-
xen/common/radix-tree.c                       |  2 +-
xen/common/rcupdate.c                         |  8 +++----
xen/common/sched/null.c                       |  2 +-
xen/common/stop_machine.c                     |  2 +-
xen/common/time.c                             |  2 +-
xen/common/unlzma.c                           |  8 +++----
xen/common/unlzo.c                            |  4 ++--
xen/common/vm_event.c                         |  2 +-
xen/common/wait.c                             |  2 +-
xen/common/xmalloc_tlsf.c                     |  4 ++--
xen/common/xz/crc32.c                         |  2 +-
xen/common/xz/dec_bcj.c                       |  2 +-
xen/common/xz/dec_lzma2.c                     |  2 +-
xen/common/xz/lzma2.h                         |  2 +-
xen/common/xz/stream.h                        |  2 +-
xen/common/zstd/bitstream.h                   |  2 +-
xen/common/zstd/entropy_common.c              |  2 +-
xen/common/zstd/fse.h                         |  2 +-
xen/common/zstd/fse_decompress.c              |  2 +-
xen/common/zstd/huf.h                         |  2 +-
xen/common/zstd/huf_decompress.c              |  2 +-
xen/crypto/README.source                      |  4 ++--
xen/drivers/acpi/apei/apei-base.c             |  2 +-
xen/drivers/acpi/apei/apei-io.c               |  2 +-
xen/drivers/acpi/apei/erst.c                  |  2 +-
xen/drivers/acpi/apei/hest.c                  |  2 +-
xen/drivers/acpi/numa.c                       |  2 +-
xen/drivers/acpi/osl.c                        |  2 +-
xen/drivers/acpi/pmstat.c                     |  2 +-
xen/drivers/acpi/tables.c                     |  2 +-
xen/drivers/char/consoled.c                   |  2 +-
xen/drivers/char/meson-uart.c                 |  2 +-
xen/drivers/char/mvebu-uart.c                 |  2 +-
xen/drivers/char/xen_pv_console.c             |  2 +-
xen/drivers/char/xhci-dbc.c                   |  2 +-
xen/drivers/cpufreq/cpufreq.c                 |  2 +-
xen/drivers/passthrough/amd/iommu-defs.h      |  2 +-
xen/drivers/passthrough/amd/iommu.h           |  2 +-
xen/drivers/passthrough/amd/iommu_acpi.c      |  2 +-
xen/drivers/passthrough/amd/iommu_cmd.c       |  2 +-
xen/drivers/passthrough/amd/iommu_detect.c    |  2 +-
xen/drivers/passthrough/amd/iommu_guest.c     |  2 +-
xen/drivers/passthrough/amd/iommu_init.c      |  2 +-
xen/drivers/passthrough/amd/iommu_intr.c      |  2 +-
xen/drivers/passthrough/amd/iommu_map.c       |  2 +-
xen/drivers/passthrough/amd/pci_amd_iommu.c   |  2 +-
xen/drivers/passthrough/arm/iommu_fwspec.c    |  2 +-
xen/drivers/passthrough/arm/iommu_helpers.c   |  2 +-
xen/drivers/passthrough/arm/ipmmu-vmsa.c      |  4 ++--
xen/drivers/passthrough/arm/smmu-v3.c         |  2 +-
xen/drivers/passthrough/arm/smmu.c            |  2 +-
xen/drivers/passthrough/ats.c                 |  2 +-
xen/drivers/passthrough/ats.h                 |  2 +-
xen/drivers/passthrough/iommu.c               |  2 +-
xen/drivers/passthrough/pci.c                 |  6 ++---
xen/drivers/passthrough/vtd/dmar.c            |  2 +-
xen/drivers/passthrough/vtd/dmar.h            |  2 +-
xen/drivers/passthrough/vtd/extern.h          |  2 +-
xen/drivers/passthrough/vtd/intremap.c        |  2 +-
xen/drivers/passthrough/vtd/iommu.c           |  2 +-
xen/drivers/passthrough/vtd/iommu.h           |  2 +-
xen/drivers/passthrough/vtd/qinval.c          |  2 +-
xen/drivers/passthrough/vtd/quirks.c          |  2 +-
xen/drivers/passthrough/vtd/utils.c           |  2 +-
xen/drivers/passthrough/vtd/vtd.h             |  2 +-
xen/drivers/passthrough/vtd/x86/ats.c         |  2 +-
xen/drivers/passthrough/vtd/x86/hvm.c         |  2 +-
xen/drivers/passthrough/vtd/x86/vtd.c         |  2 +-
xen/drivers/passthrough/x86/hvm.c             |  2 +-
xen/drivers/passthrough/x86/iommu.c           |  2 +-
xen/drivers/vpci/header.c                     |  2 +-
xen/drivers/vpci/msi.c                        |  2 +-
xen/drivers/vpci/msix.c                       |  2 +-
xen/drivers/vpci/vpci.c                       |  2 +-
xen/include/acpi/actbl3.h                     |  2 +-
xen/include/crypto/README.source              |  4 ++--
xen/include/crypto/vmac.h                     |  5 ++--
xen/include/efi/eficapsule.h                  |  2 +-
xen/include/public/arch-x86/hvm/start_info.h  |  2 +-
xen/include/public/errno.h                    |  2 +-
xen/include/public/grant_table.h              |  2 +-
xen/include/public/hvm/params.h               |  2 +-
xen/include/public/io/blkif.h                 |  4 ++--
xen/include/public/io/libxenvchan.h           |  2 +-
xen/include/public/io/tpmif.h                 |  2 +-
xen/include/xen/acpi.h                        |  2 +-
xen/include/xen/argo.h                        |  2 +-
xen/include/xen/atomic.h                      |  2 +-
xen/include/xen/compiler.h                    |  2 +-
xen/include/xen/cper.h                        |  2 +-
xen/include/xen/cpuidle.h                     |  2 +-
xen/include/xen/dm.h                          |  2 +-
xen/include/xen/elfstructs.h                  |  4 ++--
xen/include/xen/gdbstub.h                     |  2 +-
xen/include/xen/grant_table.h                 |  2 +-
xen/include/xen/inttypes.h                    |  2 +-
xen/include/xen/iommu.h                       |  2 +-
xen/include/xen/ioreq.h                       |  2 +-
xen/include/xen/lzo.h                         |  2 +-
xen/include/xen/mem_access.h                  |  2 +-
xen/include/xen/monitor.h                     |  2 +-
xen/include/xen/multiboot.h                   |  2 +-
xen/include/xen/pci_regs.h                    |  4 ++--
xen/include/xen/radix-tree.h                  |  2 +-
xen/include/xen/rbtree.h                      |  2 +-
xen/include/xen/rcupdate.h                    |  8 +++----
xen/include/xen/vm_event.h                    |  2 +-
xen/include/xen/xxhash.h                      |  2 +-
xen/lib/list-sort.c                           |  2 +-
xen/lib/rbtree.c                              |  4 ++--
xen/lib/xxhash32.c                            |  2 +-
xen/lib/xxhash64.c                            |  2 +-
xen/xsm/silo.c                                |  2 +-
710 files changed, 867 insertions(+), 896 deletions(-)
[PATCH v2 0/4] Stop using insecure transports
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

Demi Marie Obenour (4):
  Build system: Replace git:// and http:// with https://
  Automation and CI: Replace git:// and http:// with https://
  Miscellaneous and documentation: Only use TLS-protected transports
  GPL License Boilerplate: Switch from HTTP to HTTPS

 COPYING                                       |  4 ++--
 CREDITS                                       |  2 +-
 Config.mk                                     | 20 +++++-----------
 README                                        |  8 +++----
 SUPPORT.md                                    |  2 +-
 automation/build/centos/CentOS-7.2.repo       |  8 +++----
 automation/build/debian/stretch-llvm-8.list   |  4 ++--
 automation/build/debian/unstable-llvm-8.list  |  4 ++--
 automation/scripts/qemu-smoke-dom0-arm32.sh   |  2 +-
 docs/README.remus                             |  2 +-
 docs/conf.py                                  |  2 +-
 docs/features/feature-levelling.pandoc        |  4 ++--
 docs/features/intel_psr_cat_cdp.pandoc        |  2 +-
 docs/features/intel_psr_mba.pandoc            |  2 +-
 docs/features/migration.pandoc                |  2 +-
 docs/features/sched_credit.pandoc             |  4 ++--
 docs/features/sched_credit2.pandoc            |  6 ++---
 docs/features/sched_rtds.pandoc               |  4 ++--
 docs/misc/amd-ucode-container.txt             |  4 ++--
 docs/misc/arm/booting.txt                     |  4 ++--
 docs/misc/arm/passthrough.txt                 |  2 +-
 docs/misc/kconfig-language.rst                | 14 +++++------
 docs/misc/livepatch.pandoc                    |  2 +-
 docs/misc/netif-staging-grants.pandoc         | 10 ++++----
 docs/misc/pvcalls.pandoc                      | 18 +++++++-------
 docs/misc/status-override-table-spec.fodt     |  2 +-
 docs/misc/vtd-pi.txt                          |  6 ++---
 docs/misc/vtd.txt                             |  4 ++--
 docs/misc/xen-env-table-spec.fodt             |  2 +-
 docs/misc/xenstore-paths.pandoc               |  2 +-
 docs/misc/xl-psr.pandoc                       |  2 +-
 docs/misc/xsm-flask.txt                       |  2 +-
 docs/process/release-technician-checklist.txt |  2 +-
 docs/process/sending-patches.pandoc           |  2 +-
 docs/process/xen-release-management.pandoc    |  2 +-
 m4/README.source                              |  4 ++--
 m4/ax_compare_version.m4                      |  4 ++--
 m4/ocaml.m4                                   |  2 +-
 m4/pkg.m4                                     |  4 ++--
 m4/systemd.m4                                 |  2 +-
 misc/coverity/model.c                         |  2 +-
 scripts/get_maintainer.pl                     |  2 +-
 stubdom/configure                             | 18 +++++++-------
 stubdom/configure.ac                          | 24 ++++++++++++-------
 stubdom/grub.patches/10graphics.diff          |  4 ++--
 stubdom/grub.patches/61btrfs.diff             |  4 ++--
 stubdom/vtpmmgr/tpmrsa.c                      |  6 ++---
 stubdom/vtpmmgr/tpmrsa.h                      |  4 ++--
 tools/configure                               | 16 ++++++-------
 tools/console/client/main.c                   |  2 +-
 tools/console/daemon/io.c                     |  2 +-
 tools/console/daemon/io.h                     |  2 +-
 tools/console/daemon/main.c                   |  2 +-
 tools/console/daemon/utils.c                  |  2 +-
 tools/console/daemon/utils.h                  |  2 +-
 tools/debugger/gdbsx/gx/gx.h                  |  2 +-
 tools/debugger/gdbsx/gx/gx_comm.c             |  4 ++--
 tools/debugger/gdbsx/gx/gx_local.c            |  2 +-
 tools/debugger/gdbsx/gx/gx_main.c             |  2 +-
 tools/debugger/gdbsx/gx/gx_utils.c            |  2 +-
 tools/debugger/gdbsx/gx/xg_dummy.c            |  2 +-
 tools/debugger/gdbsx/xg/xg_main.c             |  2 +-
 tools/debugger/gdbsx/xg/xg_public.h           |  2 +-
 tools/examples/xeninfo.pl                     |  4 ++--
 tools/firmware/Makefile                       |  2 +-
 tools/firmware/etherboot/Makefile             |  6 +----
 tools/firmware/etherboot/README               | 23 +-----------------
 tools/firmware/hvmloader/32bitbios_support.c  |  2 +-
 tools/firmware/hvmloader/Makefile             |  2 +-
 tools/firmware/hvmloader/cacheattr.c          |  2 +-
 tools/firmware/hvmloader/e820.c               |  2 +-
 tools/firmware/hvmloader/hvmloader.c          |  2 +-
 tools/firmware/hvmloader/mp_tables.c          |  2 +-
 tools/firmware/hvmloader/optionroms.c         |  2 +-
 tools/firmware/hvmloader/ovmf.c               |  2 +-
 tools/firmware/hvmloader/pci.c                |  2 +-
 tools/firmware/hvmloader/pci_regs.h           |  2 +-
 tools/firmware/hvmloader/pir.c                |  2 +-
 tools/firmware/hvmloader/pir_types.h          |  4 ++--
 tools/firmware/hvmloader/rombios.c            |  2 +-
 tools/firmware/hvmloader/seabios.c            |  2 +-
 tools/firmware/hvmloader/smbios.c             |  2 +-
 tools/firmware/hvmloader/smbios_types.h       |  4 ++--
 tools/firmware/hvmloader/smp.c                |  2 +-
 tools/firmware/hvmloader/tests.c              |  2 +-
 tools/firmware/hvmloader/util.c               |  2 +-
 tools/firmware/rombios/32bit/32bitbios.c      |  2 +-
 tools/firmware/rombios/32bit/mkhex            |  2 +-
 tools/firmware/rombios/32bit/pmm.c            |  4 ++--
 .../firmware/rombios/32bit/tcgbios/tcgbios.c  |  2 +-
 .../rombios/32bit/tcgbios/tpm_drivers.c       |  2 +-
 tools/firmware/rombios/32bit/util.c           |  2 +-
 tools/firmware/rombios/32bitgateway.c         |  2 +-
 tools/firmware/rombios/apmbios.S              |  2 +-
 tools/firmware/rombios/rombios.c              |  6 ++---
 tools/firmware/rombios/rombios.h              |  2 +-
 tools/firmware/rombios/tcgbios.c              |  2 +-
 tools/firmware/vgabios/COPYING                |  2 +-
 tools/firmware/vgabios/README                 | 10 ++++----
 tools/firmware/vgabios/biossums.c             |  2 +-
 tools/firmware/vgabios/clext.c                |  2 +-
 tools/firmware/vgabios/vbe.c                  |  4 ++--
 tools/firmware/vgabios/vbe_display_api.txt    |  8 +++----
 tools/firmware/vgabios/vgabios.c              | 10 ++++----
 tools/fuzz/README.afl                         |  2 +-
 tools/golang/xenlight/xenlight.go             |  2 +-
 tools/hotplug/Linux/block-common.sh           |  2 +-
 tools/hotplug/Linux/block-drbd-probe          |  2 +-
 tools/hotplug/Linux/external-device-migrate   |  2 +-
 tools/hotplug/Linux/launch-xenstore.in        |  2 +-
 tools/hotplug/Linux/locking.sh                |  2 +-
 tools/hotplug/Linux/logging.sh                |  2 +-
 tools/hotplug/Linux/vif-common.sh             |  2 +-
 tools/hotplug/Linux/xen-hotplug-common.sh.in  |  2 +-
 tools/hotplug/Linux/xen-network-common.sh     |  2 +-
 tools/hotplug/Linux/xen-script-common.sh      |  2 +-
 tools/hotplug/Linux/xendomains.in             |  2 +-
 tools/hotplug/NetBSD/locking.sh               |  2 +-
 tools/include/libxenvchan.h                   |  4 ++--
 tools/include/libxl.h                         |  2 +-
 tools/include/xencall.h                       |  2 +-
 tools/include/xenctrl.h                       |  2 +-
 tools/include/xendevicemodel.h                |  2 +-
 tools/include/xenevtchn.h                     |  2 +-
 tools/include/xenforeignmemory.h              |  2 +-
 tools/include/xengnttab.h                     |  2 +-
 tools/include/xenguest.h                      |  2 +-
 tools/include/xenhypfs.h                      |  2 +-
 tools/include/xenstore.h                      |  2 +-
 tools/include/xenstore_lib.h                  |  2 +-
 tools/include/xentoolcore.h                   |  2 +-
 tools/include/xentoolcore_internal.h          |  2 +-
 tools/include/xentoollog.h                    |  2 +-
 tools/libacpi/build.c                         |  2 +-
 tools/libfsimage/ext2fs/fsys_ext2fs.c         |  2 +-
 tools/libfsimage/fat/fat.h                    |  2 +-
 tools/libfsimage/fat/fsys_fat.c               |  2 +-
 tools/libfsimage/iso9660/fsys_iso9660.c       |  2 +-
 tools/libfsimage/iso9660/iso9660.h            |  2 +-
 tools/libfsimage/reiserfs/fsys_reiserfs.c     |  4 ++--
 tools/libfsimage/ufs/fsys_ufs.c               |  2 +-
 tools/libfsimage/xfs/fsys_xfs.c               |  2 +-
 tools/libfsimage/xfs/xfs.h                    |  6 ++---
 tools/libfsimage/zfs/Makefile                 |  2 +-
 tools/libfsimage/zfs/filesys.h                |  2 +-
 tools/libfsimage/zfs/fsi_zfs.c                |  2 +-
 tools/libfsimage/zfs/fsi_zfs.h                |  2 +-
 tools/libfsimage/zfs/fsys_zfs.c               |  2 +-
 tools/libfsimage/zfs/fsys_zfs.h               |  2 +-
 tools/libfsimage/zfs/mb_info.h                |  2 +-
 tools/libfsimage/zfs/shared.h                 |  2 +-
 tools/libfsimage/zfs/zfs-include/dmu.h        |  2 +-
 tools/libfsimage/zfs/zfs-include/dmu_objset.h |  2 +-
 tools/libfsimage/zfs/zfs-include/dnode.h      |  2 +-
 .../libfsimage/zfs/zfs-include/dsl_dataset.h  |  2 +-
 tools/libfsimage/zfs/zfs-include/dsl_dir.h    |  2 +-
 tools/libfsimage/zfs/zfs-include/sa_impl.h    |  2 +-
 tools/libfsimage/zfs/zfs-include/spa.h        |  2 +-
 .../zfs/zfs-include/uberblock_impl.h          |  2 +-
 tools/libfsimage/zfs/zfs-include/vdev_impl.h  |  2 +-
 tools/libfsimage/zfs/zfs-include/zap_impl.h   |  2 +-
 tools/libfsimage/zfs/zfs-include/zap_leaf.h   |  2 +-
 tools/libfsimage/zfs/zfs-include/zfs.h        |  2 +-
 tools/libfsimage/zfs/zfs-include/zfs_acl.h    |  2 +-
 tools/libfsimage/zfs/zfs-include/zfs_znode.h  |  2 +-
 tools/libfsimage/zfs/zfs-include/zil.h        |  2 +-
 tools/libfsimage/zfs/zfs-include/zio.h        |  2 +-
 .../libfsimage/zfs/zfs-include/zio_checksum.h |  2 +-
 tools/libfsimage/zfs/zfs_fletcher.c           |  2 +-
 tools/libfsimage/zfs/zfs_lzjb.c               |  2 +-
 tools/libfsimage/zfs/zfs_sha256.c             |  4 ++--
 tools/libs/call/buffer.c                      |  2 +-
 tools/libs/call/core.c                        |  2 +-
 tools/libs/call/freebsd.c                     |  2 +-
 tools/libs/call/linux.c                       |  2 +-
 tools/libs/call/minios.c                      |  2 +-
 tools/libs/call/netbsd.c                      |  2 +-
 tools/libs/call/solaris.c                     |  2 +-
 tools/libs/ctrl/xc_altp2m.c                   |  2 +-
 tools/libs/ctrl/xc_cpu_hotplug.c              |  2 +-
 tools/libs/ctrl/xc_cpupool.c                  |  2 +-
 tools/libs/ctrl/xc_csched.c                   |  2 +-
 tools/libs/ctrl/xc_csched2.c                  |  2 +-
 tools/libs/ctrl/xc_domain.c                   |  2 +-
 tools/libs/ctrl/xc_evtchn.c                   |  2 +-
 tools/libs/ctrl/xc_flask.c                    |  2 +-
 tools/libs/ctrl/xc_foreign_memory.c           |  2 +-
 tools/libs/ctrl/xc_freebsd.c                  |  2 +-
 tools/libs/ctrl/xc_gnttab.c                   |  2 +-
 tools/libs/ctrl/xc_hcall_buf.c                |  2 +-
 tools/libs/ctrl/xc_linux.c                    |  2 +-
 tools/libs/ctrl/xc_mem_access.c               |  2 +-
 tools/libs/ctrl/xc_mem_paging.c               |  2 +-
 tools/libs/ctrl/xc_memshr.c                   |  2 +-
 tools/libs/ctrl/xc_minios.c                   |  2 +-
 tools/libs/ctrl/xc_misc.c                     |  2 +-
 tools/libs/ctrl/xc_monitor.c                  |  2 +-
 tools/libs/ctrl/xc_netbsd.c                   |  2 +-
 tools/libs/ctrl/xc_pagetab.c                  |  2 +-
 tools/libs/ctrl/xc_physdev.c                  |  2 +-
 tools/libs/ctrl/xc_pm.c                       |  2 +-
 tools/libs/ctrl/xc_private.c                  |  2 +-
 tools/libs/ctrl/xc_private.h                  |  2 +-
 tools/libs/ctrl/xc_rt.c                       |  2 +-
 tools/libs/ctrl/xc_solaris.c                  |  2 +-
 tools/libs/ctrl/xc_tbuf.c                     |  2 +-
 tools/libs/ctrl/xc_vm_event.c                 |  2 +-
 tools/libs/ctrl/xc_vmtrace.c                  |  2 +-
 tools/libs/devicemodel/common.c               |  2 +-
 tools/libs/devicemodel/compat.c               |  2 +-
 tools/libs/devicemodel/core.c                 |  2 +-
 tools/libs/evtchn/core.c                      |  2 +-
 tools/libs/evtchn/freebsd.c                   |  2 +-
 tools/libs/evtchn/linux.c                     |  2 +-
 tools/libs/evtchn/minios.c                    |  2 +-
 tools/libs/evtchn/netbsd.c                    |  2 +-
 tools/libs/evtchn/solaris.c                   |  2 +-
 tools/libs/foreignmemory/compat.c             |  2 +-
 tools/libs/foreignmemory/core.c               |  2 +-
 tools/libs/foreignmemory/freebsd.c            |  2 +-
 tools/libs/foreignmemory/linux.c              |  2 +-
 tools/libs/foreignmemory/minios.c             |  2 +-
 tools/libs/foreignmemory/netbsd.c             |  2 +-
 tools/libs/foreignmemory/solaris.c            |  2 +-
 tools/libs/gnttab/freebsd.c                   |  2 +-
 tools/libs/gnttab/gntshr_core.c               |  2 +-
 tools/libs/gnttab/gntshr_unimp.c              |  2 +-
 tools/libs/gnttab/gnttab_core.c               |  2 +-
 tools/libs/gnttab/gnttab_unimp.c              |  2 +-
 tools/libs/gnttab/linux.c                     |  2 +-
 tools/libs/gnttab/minios.c                    |  2 +-
 tools/libs/gnttab/netbsd.c                    |  2 +-
 tools/libs/guest/xg_core.c                    |  2 +-
 tools/libs/guest/xg_core.h                    |  2 +-
 tools/libs/guest/xg_core_arm.c                |  2 +-
 tools/libs/guest/xg_core_arm.h                |  2 +-
 tools/libs/guest/xg_core_x86.c                |  2 +-
 tools/libs/guest/xg_core_x86.h                |  2 +-
 tools/libs/guest/xg_cpuid_x86.c               |  2 +-
 tools/libs/guest/xg_dom_arm.c                 |  2 +-
 tools/libs/guest/xg_dom_armzimageloader.c     |  2 +-
 tools/libs/guest/xg_dom_binloader.c           |  2 +-
 tools/libs/guest/xg_dom_boot.c                |  2 +-
 tools/libs/guest/xg_dom_bzimageloader.c       |  2 +-
 tools/libs/guest/xg_dom_compat_linux.c        |  2 +-
 tools/libs/guest/xg_dom_core.c                |  2 +-
 tools/libs/guest/xg_dom_elfloader.c           |  2 +-
 tools/libs/guest/xg_dom_hvmloader.c           |  2 +-
 tools/libs/guest/xg_dom_x86.c                 |  2 +-
 tools/libs/guest/xg_domain.c                  |  2 +-
 tools/libs/guest/xg_nomigrate.c               |  2 +-
 tools/libs/guest/xg_offline_page.c            |  2 +-
 tools/libs/guest/xg_private.c                 |  2 +-
 tools/libs/guest/xg_private.h                 |  2 +-
 tools/libs/guest/xg_resume.c                  |  2 +-
 tools/libs/guest/xg_save_restore.h            |  2 +-
 tools/libs/guest/xg_suspend.c                 |  2 +-
 tools/libs/hypfs/core.c                       |  2 +-
 tools/libs/light/libxl_genid.c                |  2 +-
 tools/libs/stat/COPYING                       |  2 +-
 tools/libs/stat/xenstat_qmp.c                 |  2 +-
 tools/libs/store/xs.c                         |  2 +-
 tools/libs/toolcore/handlereg.c               |  2 +-
 tools/libs/toollog/xtl_core.c                 |  2 +-
 tools/libs/toollog/xtl_logger_stdio.c         |  2 +-
 tools/libs/util/libxlu_cfg_y.c                |  2 +-
 tools/libs/util/libxlu_cfg_y.h                |  2 +-
 tools/libs/vchan/init.c                       |  2 +-
 tools/libs/vchan/io.c                         |  2 +-
 tools/libs/vchan/vchan.h                      |  2 +-
 tools/misc/mkhex                              |  2 +-
 tools/misc/mkrpm                              |  2 +-
 tools/misc/xen-mceinj.c                       |  2 +-
 tools/misc/xen-vmtrace.c                      |  2 +-
 tools/misc/xencov.c                           |  2 +-
 tools/misc/xenpm.c                            |  2 +-
 tools/misc/xenpvnetboot                       |  2 +-
 tools/ocaml/LICENSE                           |  2 +-
 .../ocaml/libs/xentoollog/xentoollog_stubs.c  |  2 +-
 tools/ocaml/libs/xl/xenlight_stubs.c          |  2 +-
 tools/pygrub/src/ExtLinuxConf.py              |  2 +-
 tools/pygrub/src/GrubConf.py                  |  2 +-
 tools/pygrub/src/pygrub                       |  2 +-
 tools/python/xen/lowlevel/xs/xs.c             |  2 +-
 tools/tests/depriv/depriv-fd-checker.c        |  2 +-
 tools/tests/vhpet/emul.h                      |  2 +-
 tools/tests/vhpet/main.c                      |  4 ++--
 tools/tests/vpci/emul.h                       |  2 +-
 tools/tests/vpci/main.c                       |  2 +-
 tools/tests/x86_emulator/blowfish.c           |  2 +-
 tools/tests/xenstore/test-xenstore.c          |  2 +-
 tools/vchan/node-select.c                     |  2 +-
 tools/vchan/node.c                            |  2 +-
 tools/vchan/vchan-socket-proxy.c              |  2 +-
 tools/xenmon/COPYING                          |  2 +-
 tools/xenmon/setmask.c                        |  2 +-
 tools/xenmon/xenbaked.c                       |  2 +-
 tools/xenmon/xenbaked.h                       |  2 +-
 tools/xenmon/xenmon.py                        |  2 +-
 tools/xenpaging/file_ops.c                    |  2 +-
 tools/xenpaging/file_ops.h                    |  2 +-
 tools/xenpaging/policy.h                      |  2 +-
 tools/xenpaging/policy_default.c              |  2 +-
 tools/xenpaging/xenpaging.c                   |  2 +-
 tools/xenpaging/xenpaging.h                   |  2 +-
 tools/xenpmd/xenpmd.c                         |  2 +-
 tools/xenstore/COPYING                        |  2 +-
 tools/xenstore/include/xenstore_state.h       |  2 +-
 tools/xenstore/talloc.c                       |  4 ++--
 tools/xenstore/talloc.h                       |  2 +-
 tools/xenstore/talloc_guide.txt               |  2 +-
 tools/xenstore/tdb.c                          |  2 +-
 tools/xenstore/tdb.h                          |  2 +-
 tools/xenstore/xenstored_control.c            |  2 +-
 tools/xenstore/xenstored_control.h            |  2 +-
 tools/xenstore/xenstored_core.c               |  2 +-
 tools/xenstore/xenstored_core.h               |  2 +-
 tools/xenstore/xenstored_domain.c             |  2 +-
 tools/xenstore/xenstored_domain.h             |  2 +-
 tools/xenstore/xenstored_minios.c             |  2 +-
 tools/xenstore/xenstored_posix.c              |  2 +-
 tools/xenstore/xenstored_transaction.c        |  2 +-
 tools/xenstore/xenstored_transaction.h        |  2 +-
 tools/xenstore/xenstored_watch.c              |  2 +-
 tools/xenstore/xenstored_watch.h              |  2 +-
 tools/xenstore/xs_lib.c                       |  2 +-
 tools/xenstore/xs_lib.h                       |  2 +-
 tools/xentop/xentop.c                         |  2 +-
 tools/xentrace/xenalyze.c                     |  2 +-
 tools/xl/check-xl-disk-parse                  |  6 ++---
 xen/COPYING                                   |  2 +-
 xen/arch/arm/acpi/boot.c                      |  2 +-
 xen/arch/arm/acpi/lib.c                       |  2 +-
 xen/arch/arm/arm32/head.S                     |  2 +-
 xen/arch/arm/arm32/insn.c                     |  2 +-
 xen/arch/arm/arm32/lib/bitops.c               |  2 +-
 xen/arch/arm/arm32/lib/lib1funcs.S            |  2 +-
 xen/arch/arm/arm32/lib/lshrdi3.S              |  2 +-
 xen/arch/arm/arm64/bpi.S                      |  2 +-
 xen/arch/arm/arm64/cache.S                    |  2 +-
 xen/arch/arm/arm64/debug-meson.inc            |  2 +-
 xen/arch/arm/arm64/debug-mvebu.inc            |  2 +-
 xen/arch/arm/arm64/head.S                     |  2 +-
 xen/arch/arm/arm64/insn.c                     |  2 +-
 xen/arch/arm/arm64/lib/bitops.c               |  2 +-
 xen/arch/arm/arm64/lib/clear_page.S           |  2 +-
 xen/arch/arm/arm64/lib/memchr.S               |  2 +-
 xen/arch/arm/arm64/lib/memcmp.S               |  5 ++--
 xen/arch/arm/arm64/lib/memcpy.S               |  4 ++--
 xen/arch/arm/arm64/lib/memmove.S              |  4 ++--
 xen/arch/arm/arm64/lib/memset.S               |  4 ++--
 xen/arch/arm/arm64/lib/strchr.S               |  2 +-
 xen/arch/arm/arm64/lib/strcmp.S               |  4 ++--
 xen/arch/arm/arm64/lib/strlen.S               |  4 ++--
 xen/arch/arm/arm64/lib/strncmp.S              |  4 ++--
 xen/arch/arm/arm64/lib/strnlen.S              |  4 ++--
 xen/arch/arm/arm64/lib/strrchr.S              |  2 +-
 xen/arch/arm/efi/efi-dom0.c                   |  2 +-
 xen/arch/arm/include/asm/acpi.h               |  2 +-
 xen/arch/arm/include/asm/altp2m.h             |  2 +-
 xen/arch/arm/include/asm/arm32/insn.h         |  2 +-
 xen/arch/arm/include/asm/arm64/atomic.h       |  2 +-
 xen/arch/arm/include/asm/arm64/insn.h         |  2 +-
 xen/arch/arm/include/asm/arm64/io.h           |  2 +-
 xen/arch/arm/include/asm/gic_v3_its.h         |  2 +-
 xen/arch/arm/include/asm/iommu.h              |  2 +-
 xen/arch/arm/include/asm/iommu_fwspec.h       |  2 +-
 xen/arch/arm/include/asm/ioreq.h              |  2 +-
 xen/arch/arm/include/asm/mem_access.h         |  2 +-
 xen/arch/arm/include/asm/monitor.h            |  2 +-
 xen/arch/arm/include/asm/new_vgic.h           |  2 +-
 xen/arch/arm/include/asm/pci.h                |  2 +-
 xen/arch/arm/include/asm/smccc.h              |  2 +-
 xen/arch/arm/include/asm/tee/optee_smc.h      |  2 +-
 xen/arch/arm/include/asm/vm_event.h           |  2 +-
 xen/arch/arm/include/asm/vpl011.h             |  2 +-
 xen/arch/arm/include/asm/vpsci.h              |  2 +-
 xen/arch/arm/pci/ecam.c                       |  2 +-
 xen/arch/arm/pci/pci-access.c                 |  2 +-
 xen/arch/arm/pci/pci-host-common.c            |  2 +-
 xen/arch/arm/pci/pci-host-generic.c           |  2 +-
 xen/arch/arm/pci/pci-host-zynqmp.c            |  2 +-
 xen/arch/arm/pci/pci.c                        |  2 +-
 xen/arch/arm/platforms/thunderx.c             |  2 +-
 xen/arch/arm/vgic/vgic-init.c                 |  2 +-
 xen/arch/arm/vgic/vgic-mmio.h                 |  2 +-
 xen/arch/arm/vgic/vgic-v2.c                   |  2 +-
 xen/arch/arm/vgic/vgic.c                      |  2 +-
 xen/arch/arm/vgic/vgic.h                      |  2 +-
 xen/arch/x86/acpi/boot.c                      |  2 +-
 xen/arch/x86/acpi/cpu_idle.c                  |  2 +-
 xen/arch/x86/acpi/cpufreq/cpufreq.c           |  2 +-
 xen/arch/x86/acpi/cpufreq/powernow.c          |  2 +-
 xen/arch/x86/acpi/cpuidle_menu.c              |  2 +-
 xen/arch/x86/acpi/lib.c                       |  2 +-
 xen/arch/x86/alternative.c                    |  2 +-
 xen/arch/x86/boot/build32.lds                 |  2 +-
 xen/arch/x86/boot/cmdline.c                   |  2 +-
 xen/arch/x86/boot/defs.h                      |  2 +-
 xen/arch/x86/cpu/mcheck/amd_nonfatal.c        |  8 +++----
 xen/arch/x86/cpu/mcheck/mce-apei.c            |  2 +-
 xen/arch/x86/cpu/mcheck/mce_amd.c             | 10 ++++----
 xen/arch/x86/cpu/mcheck/vmce.c                |  2 +-
 xen/arch/x86/cpu/mcheck/x86_mca.h             |  2 +-
 xen/arch/x86/cpu/microcode/core.c             |  4 +---
 xen/arch/x86/cpu/microcode/intel.c            |  4 ++--
 xen/arch/x86/cpu/mtrr/main.c                  |  2 +-
 xen/arch/x86/cpu/mwait-idle.c                 |  2 +-
 xen/arch/x86/cpu/vpmu.c                       |  2 +-
 xen/arch/x86/cpu/vpmu_amd.c                   |  2 +-
 xen/arch/x86/cpu/vpmu_intel.c                 |  2 +-
 xen/arch/x86/dmi_scan.c                       |  5 ++++
 xen/arch/x86/gdbstub.c                        |  2 +-
 xen/arch/x86/gdbsx.c                          |  2 +-
 xen/arch/x86/genapic/x2apic.c                 |  2 +-
 xen/arch/x86/guest/hyperv/hyperv.c            |  2 +-
 xen/arch/x86/guest/hyperv/private.h           |  2 +-
 xen/arch/x86/guest/hyperv/tlb.c               |  2 +-
 xen/arch/x86/guest/hyperv/util.c              |  2 +-
 xen/arch/x86/guest/hypervisor.c               |  2 +-
 xen/arch/x86/guest/xen/pvh-boot.c             |  2 +-
 xen/arch/x86/guest/xen/xen.c                  |  2 +-
 xen/arch/x86/hvm/asid.c                       |  2 +-
 xen/arch/x86/hvm/dm.c                         |  2 +-
 xen/arch/x86/hvm/dom0_build.c                 |  2 +-
 xen/arch/x86/hvm/domain.c                     |  2 +-
 xen/arch/x86/hvm/grant_table.c                |  2 +-
 xen/arch/x86/hvm/hpet.c                       |  2 +-
 xen/arch/x86/hvm/hvm.c                        |  2 +-
 xen/arch/x86/hvm/hypercall.c                  |  2 +-
 xen/arch/x86/hvm/intercept.c                  |  2 +-
 xen/arch/x86/hvm/io.c                         |  2 +-
 xen/arch/x86/hvm/ioreq.c                      |  2 +-
 xen/arch/x86/hvm/irq.c                        |  2 +-
 xen/arch/x86/hvm/monitor.c                    |  2 +-
 xen/arch/x86/hvm/mtrr.c                       |  2 +-
 xen/arch/x86/hvm/nestedhvm.c                  |  2 +-
 xen/arch/x86/hvm/pmtimer.c                    |  2 +-
 xen/arch/x86/hvm/quirks.c                     |  2 +-
 xen/arch/x86/hvm/save.c                       |  2 +-
 xen/arch/x86/hvm/svm/asid.c                   |  2 +-
 xen/arch/x86/hvm/svm/emulate.c                |  2 +-
 xen/arch/x86/hvm/svm/entry.S                  |  2 +-
 xen/arch/x86/hvm/svm/intr.c                   |  2 +-
 xen/arch/x86/hvm/svm/nestedsvm.c              |  2 +-
 xen/arch/x86/hvm/svm/svm.c                    |  2 +-
 xen/arch/x86/hvm/svm/svmdebug.c               |  2 +-
 xen/arch/x86/hvm/svm/vmcb.c                   |  2 +-
 xen/arch/x86/hvm/vioapic.c                    |  2 +-
 xen/arch/x86/hvm/vlapic.c                     |  2 +-
 xen/arch/x86/hvm/vm_event.c                   |  2 +-
 xen/arch/x86/hvm/vmsi.c                       |  2 +-
 xen/arch/x86/hvm/vmx/entry.S                  |  2 +-
 xen/arch/x86/hvm/vmx/intr.c                   |  2 +-
 xen/arch/x86/hvm/vmx/vmcs.c                   |  2 +-
 xen/arch/x86/hvm/vmx/vmx.c                    |  2 +-
 xen/arch/x86/hvm/vmx/vvmx.c                   |  2 +-
 xen/arch/x86/hvm/vpt.c                        |  2 +-
 xen/arch/x86/hypercall.c                      |  2 +-
 xen/arch/x86/include/asm/acpi.h               |  2 +-
 xen/arch/x86/include/asm/altp2m.h             |  2 +-
 xen/arch/x86/include/asm/edd.h                |  4 ++--
 xen/arch/x86/include/asm/endbr.h              |  2 +-
 xen/arch/x86/include/asm/guest.h              |  2 +-
 xen/arch/x86/include/asm/guest/hyperv-hcall.h |  2 +-
 xen/arch/x86/include/asm/guest/hyperv.h       |  2 +-
 xen/arch/x86/include/asm/guest/hypervisor.h   |  2 +-
 xen/arch/x86/include/asm/guest/pvh-boot.h     |  2 +-
 xen/arch/x86/include/asm/guest/xen-hcall.h    |  2 +-
 xen/arch/x86/include/asm/guest/xen.h          |  2 +-
 xen/arch/x86/include/asm/guest_pt.h           |  2 +-
 xen/arch/x86/include/asm/hap.h                |  2 +-
 xen/arch/x86/include/asm/hpet.h               |  2 +-
 xen/arch/x86/include/asm/hvm/asid.h           |  2 +-
 xen/arch/x86/include/asm/hvm/domain.h         |  2 +-
 xen/arch/x86/include/asm/hvm/grant_table.h    |  2 +-
 xen/arch/x86/include/asm/hvm/hvm.h            |  2 +-
 xen/arch/x86/include/asm/hvm/io.h             |  2 +-
 xen/arch/x86/include/asm/hvm/ioreq.h          |  2 +-
 xen/arch/x86/include/asm/hvm/irq.h            |  2 +-
 xen/arch/x86/include/asm/hvm/monitor.h        |  2 +-
 xen/arch/x86/include/asm/hvm/nestedhvm.h      |  2 +-
 xen/arch/x86/include/asm/hvm/save.h           |  2 +-
 xen/arch/x86/include/asm/hvm/support.h        |  2 +-
 xen/arch/x86/include/asm/hvm/svm/asid.h       |  2 +-
 xen/arch/x86/include/asm/hvm/svm/emulate.h    |  2 +-
 xen/arch/x86/include/asm/hvm/svm/intr.h       |  2 +-
 xen/arch/x86/include/asm/hvm/svm/nestedsvm.h  |  2 +-
 xen/arch/x86/include/asm/hvm/svm/svm.h        |  2 +-
 xen/arch/x86/include/asm/hvm/svm/svmdebug.h   |  2 +-
 xen/arch/x86/include/asm/hvm/svm/vmcb.h       |  2 +-
 xen/arch/x86/include/asm/hvm/vcpu.h           |  2 +-
 xen/arch/x86/include/asm/hvm/vioapic.h        |  2 +-
 xen/arch/x86/include/asm/hvm/vlapic.h         |  2 +-
 xen/arch/x86/include/asm/hvm/vm_event.h       |  2 +-
 xen/arch/x86/include/asm/hvm/vmx/vmcs.h       |  2 +-
 xen/arch/x86/include/asm/hvm/vmx/vmx.h        |  2 +-
 xen/arch/x86/include/asm/hvm/vmx/vvmx.h       |  2 +-
 xen/arch/x86/include/asm/hvm/vpt.h            |  2 +-
 xen/arch/x86/include/asm/iommu.h              |  2 +-
 xen/arch/x86/include/asm/ioreq.h              |  2 +-
 xen/arch/x86/include/asm/mem_access.h         |  2 +-
 xen/arch/x86/include/asm/mem_paging.h         |  2 +-
 xen/arch/x86/include/asm/mem_sharing.h        |  2 +-
 xen/arch/x86/include/asm/monitor.h            |  2 +-
 xen/arch/x86/include/asm/p2m.h                |  2 +-
 xen/arch/x86/include/asm/paging.h             |  2 +-
 xen/arch/x86/include/asm/pv/domain.h          |  2 +-
 xen/arch/x86/include/asm/pv/grant_table.h     |  2 +-
 xen/arch/x86/include/asm/pv/mm.h              |  2 +-
 xen/arch/x86/include/asm/pv/shim.h            |  2 +-
 xen/arch/x86/include/asm/pv/traps.h           |  2 +-
 xen/arch/x86/include/asm/shadow.h             |  2 +-
 xen/arch/x86/include/asm/shstk.h              |  2 +-
 xen/arch/x86/include/asm/spec_ctrl.h          |  2 +-
 xen/arch/x86/include/asm/spec_ctrl_asm.h      |  2 +-
 xen/arch/x86/include/asm/traps.h              |  2 +-
 xen/arch/x86/include/asm/vm_event.h           |  2 +-
 xen/arch/x86/include/asm/vpmu.h               |  2 +-
 xen/arch/x86/include/asm/xenoprof.h           |  2 +-
 xen/arch/x86/mm.c                             |  2 +-
 xen/arch/x86/mm/altp2m.c                      |  2 +-
 xen/arch/x86/mm/guest_walk.c                  |  2 +-
 xen/arch/x86/mm/hap/guest_walk.c              |  2 +-
 xen/arch/x86/mm/hap/hap.c                     |  2 +-
 xen/arch/x86/mm/hap/nested_ept.c              |  2 +-
 xen/arch/x86/mm/hap/nested_hap.c              |  2 +-
 xen/arch/x86/mm/hap/private.h                 |  2 +-
 xen/arch/x86/mm/mem_access.c                  |  2 +-
 xen/arch/x86/mm/mem_paging.c                  |  2 +-
 xen/arch/x86/mm/mem_sharing.c                 |  2 +-
 xen/arch/x86/mm/mm-locks.h                    |  2 +-
 xen/arch/x86/mm/nested.c                      |  2 +-
 xen/arch/x86/mm/p2m-basic.c                   |  2 +-
 xen/arch/x86/mm/p2m-ept.c                     |  2 +-
 xen/arch/x86/mm/p2m-pod.c                     |  2 +-
 xen/arch/x86/mm/p2m-pt.c                      |  2 +-
 xen/arch/x86/mm/p2m.c                         |  2 +-
 xen/arch/x86/mm/p2m.h                         |  2 +-
 xen/arch/x86/mm/paging.c                      |  2 +-
 xen/arch/x86/mm/physmap.c                     |  2 +-
 xen/arch/x86/mm/shadow/common.c               |  2 +-
 xen/arch/x86/mm/shadow/hvm.c                  |  2 +-
 xen/arch/x86/mm/shadow/multi.c                |  2 +-
 xen/arch/x86/mm/shadow/multi.h                |  2 +-
 xen/arch/x86/mm/shadow/private.h              |  2 +-
 xen/arch/x86/mm/shadow/pv.c                   |  2 +-
 xen/arch/x86/mm/shadow/set.c                  |  2 +-
 xen/arch/x86/mm/shadow/types.h                |  2 +-
 xen/arch/x86/monitor.c                        |  2 +-
 xen/arch/x86/msr.c                            |  2 +-
 xen/arch/x86/pv/callback.c                    |  2 +-
 xen/arch/x86/pv/descriptor-tables.c           |  2 +-
 xen/arch/x86/pv/emul-gate-op.c                |  2 +-
 xen/arch/x86/pv/emul-inv-op.c                 |  2 +-
 xen/arch/x86/pv/emul-priv-op.c                |  2 +-
 xen/arch/x86/pv/emulate.c                     |  2 +-
 xen/arch/x86/pv/grant_table.c                 |  2 +-
 xen/arch/x86/pv/hypercall.c                   |  2 +-
 xen/arch/x86/pv/iret.c                        |  2 +-
 xen/arch/x86/pv/misc-hypercalls.c             |  2 +-
 xen/arch/x86/pv/mm.c                          |  2 +-
 xen/arch/x86/pv/ro-page-fault.c               |  2 +-
 xen/arch/x86/pv/shim.c                        |  2 +-
 xen/arch/x86/pv/traps.c                       |  2 +-
 xen/arch/x86/smpboot.c                        |  2 +-
 xen/arch/x86/spec_ctrl.c                      |  2 +-
 xen/arch/x86/traps.c                          |  2 +-
 xen/arch/x86/vm_event.c                       |  2 +-
 xen/arch/x86/x86_64/acpi_mmcfg.c              |  2 +-
 xen/arch/x86/x86_64/cpu_idle.c                |  2 +-
 xen/arch/x86/x86_64/cpufreq.c                 |  2 +-
 xen/arch/x86/x86_64/gdbstub.c                 |  2 +-
 xen/arch/x86/x86_64/mm.c                      |  2 +-
 xen/arch/x86/x86_64/mmconfig.h                |  2 +-
 xen/arch/x86/x86_emulate/x86_emulate.c        |  2 +-
 xen/arch/x86/x86_emulate/x86_emulate.h        |  2 +-
 xen/common/README.source                      |  6 ++---
 xen/common/argo.c                             |  2 +-
 xen/common/bunzip2.c                          |  7 +++---
 xen/common/coverage/coverage.c                |  2 +-
 xen/common/dm.c                               |  2 +-
 xen/common/event_channel.c                    |  2 +-
 xen/common/gdbstub.c                          |  2 +-
 xen/common/grant_table.c                      |  2 +-
 xen/common/ioreq.c                            |  2 +-
 xen/common/libelf/libelf-dominfo.c            |  2 +-
 xen/common/libelf/libelf-loader.c             |  2 +-
 xen/common/libelf/libelf-private.h            |  2 +-
 xen/common/libelf/libelf-tools.c              |  2 +-
 xen/common/lz4/decompress.c                   |  6 ++---
 xen/common/lzo.c                              |  8 +++----
 xen/common/mem_access.c                       |  2 +-
 xen/common/monitor.c                          |  2 +-
 xen/common/page_alloc.c                       |  2 +-
 xen/common/pdx.c                              |  2 +-
 xen/common/preempt.c                          |  2 +-
 xen/common/radix-tree.c                       |  2 +-
 xen/common/rcupdate.c                         |  8 +++----
 xen/common/sched/null.c                       |  2 +-
 xen/common/stop_machine.c                     |  2 +-
 xen/common/time.c                             |  2 +-
 xen/common/unlzma.c                           |  8 +++----
 xen/common/unlzo.c                            |  4 ++--
 xen/common/vm_event.c                         |  2 +-
 xen/common/wait.c                             |  2 +-
 xen/common/xmalloc_tlsf.c                     |  4 ++--
 xen/common/xz/crc32.c                         |  2 +-
 xen/common/xz/dec_bcj.c                       |  2 +-
 xen/common/xz/dec_lzma2.c                     |  2 +-
 xen/common/xz/lzma2.h                         |  2 +-
 xen/common/xz/stream.h                        |  2 +-
 xen/common/zstd/bitstream.h                   |  2 +-
 xen/common/zstd/entropy_common.c              |  2 +-
 xen/common/zstd/fse.h                         |  2 +-
 xen/common/zstd/fse_decompress.c              |  2 +-
 xen/common/zstd/huf.h                         |  2 +-
 xen/common/zstd/huf_decompress.c              |  2 +-
 xen/crypto/README.source                      |  4 ++--
 xen/drivers/acpi/apei/apei-base.c             |  2 +-
 xen/drivers/acpi/apei/apei-io.c               |  2 +-
 xen/drivers/acpi/apei/erst.c                  |  2 +-
 xen/drivers/acpi/apei/hest.c                  |  2 +-
 xen/drivers/acpi/numa.c                       |  2 +-
 xen/drivers/acpi/osl.c                        |  2 +-
 xen/drivers/acpi/pmstat.c                     |  2 +-
 xen/drivers/acpi/tables.c                     |  2 +-
 xen/drivers/char/consoled.c                   |  2 +-
 xen/drivers/char/meson-uart.c                 |  2 +-
 xen/drivers/char/mvebu-uart.c                 |  2 +-
 xen/drivers/char/xen_pv_console.c             |  2 +-
 xen/drivers/char/xhci-dbc.c                   |  2 +-
 xen/drivers/cpufreq/cpufreq.c                 |  2 +-
 xen/drivers/passthrough/amd/iommu-defs.h      |  2 +-
 xen/drivers/passthrough/amd/iommu.h           |  2 +-
 xen/drivers/passthrough/amd/iommu_acpi.c      |  2 +-
 xen/drivers/passthrough/amd/iommu_cmd.c       |  2 +-
 xen/drivers/passthrough/amd/iommu_detect.c    |  2 +-
 xen/drivers/passthrough/amd/iommu_guest.c     |  2 +-
 xen/drivers/passthrough/amd/iommu_init.c      |  2 +-
 xen/drivers/passthrough/amd/iommu_intr.c      |  2 +-
 xen/drivers/passthrough/amd/iommu_map.c       |  2 +-
 xen/drivers/passthrough/amd/pci_amd_iommu.c   |  2 +-
 xen/drivers/passthrough/arm/iommu_fwspec.c    |  2 +-
 xen/drivers/passthrough/arm/iommu_helpers.c   |  2 +-
 xen/drivers/passthrough/arm/ipmmu-vmsa.c      |  4 ++--
 xen/drivers/passthrough/arm/smmu-v3.c         |  2 +-
 xen/drivers/passthrough/arm/smmu.c            |  2 +-
 xen/drivers/passthrough/ats.c                 |  2 +-
 xen/drivers/passthrough/ats.h                 |  2 +-
 xen/drivers/passthrough/iommu.c               |  2 +-
 xen/drivers/passthrough/pci.c                 |  6 ++---
 xen/drivers/passthrough/vtd/dmar.c            |  2 +-
 xen/drivers/passthrough/vtd/dmar.h            |  2 +-
 xen/drivers/passthrough/vtd/extern.h          |  2 +-
 xen/drivers/passthrough/vtd/intremap.c        |  2 +-
 xen/drivers/passthrough/vtd/iommu.c           |  2 +-
 xen/drivers/passthrough/vtd/iommu.h           |  2 +-
 xen/drivers/passthrough/vtd/qinval.c          |  2 +-
 xen/drivers/passthrough/vtd/quirks.c          |  2 +-
 xen/drivers/passthrough/vtd/utils.c           |  2 +-
 xen/drivers/passthrough/vtd/vtd.h             |  2 +-
 xen/drivers/passthrough/vtd/x86/ats.c         |  2 +-
 xen/drivers/passthrough/vtd/x86/hvm.c         |  2 +-
 xen/drivers/passthrough/vtd/x86/vtd.c         |  2 +-
 xen/drivers/passthrough/x86/hvm.c             |  2 +-
 xen/drivers/passthrough/x86/iommu.c           |  2 +-
 xen/drivers/vpci/header.c                     |  2 +-
 xen/drivers/vpci/msi.c                        |  2 +-
 xen/drivers/vpci/msix.c                       |  2 +-
 xen/drivers/vpci/vpci.c                       |  2 +-
 xen/include/acpi/actbl3.h                     |  2 +-
 xen/include/crypto/README.source              |  4 ++--
 xen/include/crypto/vmac.h                     |  5 ++--
 xen/include/efi/eficapsule.h                  |  2 +-
 xen/include/public/arch-x86/hvm/start_info.h  |  2 +-
 xen/include/public/errno.h                    |  2 +-
 xen/include/public/grant_table.h              |  2 +-
 xen/include/public/hvm/params.h               |  2 +-
 xen/include/public/io/blkif.h                 |  4 ++--
 xen/include/public/io/libxenvchan.h           |  2 +-
 xen/include/public/io/tpmif.h                 |  2 +-
 xen/include/xen/acpi.h                        |  2 +-
 xen/include/xen/argo.h                        |  2 +-
 xen/include/xen/atomic.h                      |  2 +-
 xen/include/xen/compiler.h                    |  2 +-
 xen/include/xen/cper.h                        |  2 +-
 xen/include/xen/cpuidle.h                     |  2 +-
 xen/include/xen/dm.h                          |  2 +-
 xen/include/xen/elfstructs.h                  |  4 ++--
 xen/include/xen/gdbstub.h                     |  2 +-
 xen/include/xen/grant_table.h                 |  2 +-
 xen/include/xen/inttypes.h                    |  2 +-
 xen/include/xen/iommu.h                       |  2 +-
 xen/include/xen/ioreq.h                       |  2 +-
 xen/include/xen/lzo.h                         |  2 +-
 xen/include/xen/mem_access.h                  |  2 +-
 xen/include/xen/monitor.h                     |  2 +-
 xen/include/xen/multiboot.h                   |  2 +-
 xen/include/xen/pci_regs.h                    |  4 ++--
 xen/include/xen/radix-tree.h                  |  2 +-
 xen/include/xen/rbtree.h                      |  2 +-
 xen/include/xen/rcupdate.h                    |  8 +++----
 xen/include/xen/vm_event.h                    |  2 +-
 xen/include/xen/xxhash.h                      |  2 +-
 xen/lib/list-sort.c                           |  2 +-
 xen/lib/rbtree.c                              |  4 ++--
 xen/lib/xxhash32.c                            |  2 +-
 xen/lib/xxhash64.c                            |  2 +-
 xen/xsm/silo.c                                |  2 +-
 710 files changed, 867 insertions(+), 896 deletions(-)

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v3 0/4] Stop using insecure transports
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

Changes since v2:

- Drop patches 5 and 6, which changed links not used by automated tools.
  These patches are the least urgent and hardest to review.

- Ensure that no links are broken, and fail with an error instead of
  trying to use links that *are* broken.

Demi Marie Obenour (4):
  Use HTTPS for all xenbits.xen.org Git repos
  Build system: Replace git:// and http:// with https://
  Automation and CI: Replace git:// and http:// with https://
  Rip out HyperTransport

 Config.mk                                    | 20 ++++-------
 README                                       |  4 +--
 automation/build/centos/CentOS-7.2.repo      |  8 ++---
 automation/build/debian/stretch-llvm-8.list  |  4 +--
 automation/build/debian/unstable-llvm-8.list |  4 +--
 automation/scripts/qemu-smoke-dom0-arm32.sh  |  2 +-
 docs/misc/livepatch.pandoc                   |  2 +-
 docs/process/xen-release-management.pandoc   |  2 +-
 scripts/get_maintainer.pl                    |  2 +-
 stubdom/configure                            | 24 ++++++++-----
 stubdom/configure.ac                         | 24 ++++++++-----
 tools/firmware/etherboot/Makefile            |  6 +---
 xen/include/xen/pci_regs.h                   | 37 --------------------
 13 files changed, 51 insertions(+), 88 deletions(-)

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v4 0/3] Stop using insecure transports
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

Changes since v3:

- Drop patch 4, which is an unrelated removal of unused code.

- Do not fail with an error if one tries to build the I/O emulator,
  vTPM, or vTPM manager stubdomains and passes --enable-extfiles.  The
  user may have provided alternate download URLs via environment
  variables.

Changes since v2:

- Drop patches 5 and 6, which changed links not used by automated tools.
  These patches are the least urgent and hardest to review.

- Ensure that no links are broken, and fail with an error instead of
  trying to use links that *are* broken.

Demi Marie Obenour (3):
  Use HTTPS for all xenbits.xen.org Git repos
  Build system: Replace git:// and http:// with https://
  Automation and CI: Replace git:// and http:// with https://

 Config.mk                                    | 20 ++++++--------------
 README                                       |  4 ++--
 automation/build/centos/CentOS-7.2.repo      |  8 ++++----
 automation/build/debian/stretch-llvm-8.list  |  4 ++--
 automation/build/debian/unstable-llvm-8.list |  4 ++--
 automation/scripts/qemu-smoke-dom0-arm32.sh  |  2 +-
 docs/misc/livepatch.pandoc                   |  2 +-
 docs/process/xen-release-management.pandoc   |  2 +-
 scripts/get_maintainer.pl                    |  2 +-
 stubdom/configure                            | 18 +++++++++---------
 stubdom/configure.ac                         | 18 +++++++++---------
 tools/firmware/etherboot/Makefile            |  6 +-----
 12 files changed, 39 insertions(+), 51 deletions(-)

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v5 0/5] Stop using insecure transports
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

Changes since v4:

- Remove known-broken links entirely.  They only mislead users into
  believing the code can be obtained there when it cannot.

Changes since v3:

- Drop patch 4, which is an unrelated removal of unused code.

- Do not fail with an error if one tries to build the I/O emulator,
  vTPM, or vTPM manager stubdomains and passes --enable-extfiles.  The
  user may have provided alternate download URLs via environment
  variables.

Changes since v2:

- Drop patches 5 and 6, which changed links not used by automated tools.
  These patches are the least urgent and hardest to review.

- Ensure that no links are broken, and fail with an error instead of
  trying to use links that *are* broken.

Demi Marie Obenour (5):
  Use HTTPS for all xenbits.xen.org Git repos
  Change remaining xenbits.xen.org links to HTTPS
  Build system: Do not try to use broken links
  Build system: Replace git:// and http:// with https://
  Automation and CI: Replace git:// and http:// with https://

 Config.mk                                   | 20 ++++---------
 README                                      |  4 +--
 automation/build/debian/stretch-llvm-8.list |  4 +--
 automation/scripts/qemu-smoke-dom0-arm32.sh |  2 +-
 docs/misc/livepatch.pandoc                  |  2 +-
 docs/process/xen-release-management.pandoc  |  2 +-
 m4/stubdom.m4                               |  5 ++--
 scripts/get_maintainer.pl                   |  2 +-
 stubdom/configure                           | 33 ++++++---------------
 stubdom/configure.ac                        | 18 +++++------
 tools/firmware/etherboot/Makefile           |  6 +---
 tools/misc/mkrpm                            |  2 +-
 12 files changed, 37 insertions(+), 63 deletions(-)

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v5 0/5] Stop using insecure transports
Posted by Anthony PERARD 1 year, 1 month ago
Hi,

I believe all the containers that needed to be updated in our GitLab CI
to be able to access HTTPS URLs have now been updated.

So I guess the series is good to go if it's reviewed.

Cheers,

-- 
Anthony PERARD
Re: [PATCH v5 0/5] Stop using insecure transports
Posted by George Dunlap 1 year, 1 month ago
On Mon, Mar 20, 2023 at 11:14 AM Anthony PERARD <anthony.perard@citrix.com>
wrote:

> Hi,
>
> I believe all the containers that needed to be updated in our GitLab CI
> to be able to access HTTPS URLs have now been updated.
>
> So I guess the series is good to go if it's reviewed.
>

Has it run and passed Gitlab-CI with the new container images?

 -George
[PATCH v6 0/5] Stop using insecure transports
Posted by Demi Marie Obenour 1 year, 1 month ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

Changes since v5:

- Rebase on top of the staging branch.

- Do not replace a xenbits.xenproject.org link with a xenbits.xen.org
  link.

Changes since v4:

- Remove known-broken links entirely.  They only mislead users into
  believing the code can be obtained there when it cannot.

Changes since v3:

- Drop patch 4, which is an unrelated removal of unused code.

- Do not fail with an error if one tries to build the I/O emulator,
  vTPM, or vTPM manager stubdomains and passes --enable-extfiles.  The
  user may have provided alternate download URLs via environment
  variables.

Changes since v2:

- Drop patches 5 and 6, which changed links not used by automated tools.
  These patches are the least urgent and hardest to review.

- Ensure that no links are broken, and fail with an error instead of
  trying to use links that *are* broken.

Demi Marie Obenour (5):
  Use HTTPS for all xenbits.xen.org Git repos
  Change remaining xenbits.xen.org link to HTTPS
  Build system: Do not try to use broken links
  Build system: Replace git:// and http:// with https://
  Automation and CI: Replace git:// and http:// with https://

 Config.mk                                   | 20 ++++---------
 README                                      |  4 +--
 automation/build/debian/stretch-llvm-8.list |  4 +--
 docs/misc/livepatch.pandoc                  |  2 +-
 docs/process/xen-release-management.pandoc  |  2 +-
 m4/stubdom.m4                               |  5 ++--
 scripts/get_maintainer.pl                   |  2 +-
 stubdom/configure                           | 33 ++++++---------------
 stubdom/configure.ac                        | 18 +++++------
 tools/firmware/etherboot/Makefile           |  6 +---
 10 files changed, 35 insertions(+), 61 deletions(-)

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v6 0/5] Stop using insecure transports
Posted by Andrew Cooper 1 year, 1 month ago
On 21/03/2023 5:33 pm, Demi Marie Obenour wrote:
> Demi Marie Obenour (5):
>   Use HTTPS for all xenbits.xen.org Git repos
>   Change remaining xenbits.xen.org link to HTTPS
>   Build system: Do not try to use broken links
>   Build system: Replace git:// and http:// with https://
>   Automation and CI: Replace git:// and http:// with https://

https://gitlab.com/xen-project/patchew/xen/-/pipelines/813510934 from
patchew, so I think we're good now on the containers.

>
>  Config.mk                                   | 20 ++++---------
>  README                                      |  4 +--
>  automation/build/debian/stretch-llvm-8.list |  4 +--

Except for this, where I thought we'd already dropped it...

~Andrew
Re: [PATCH v6 0/5] Stop using insecure transports
Posted by Anthony PERARD 1 year, 1 month ago
On Wed, Mar 22, 2023 at 08:37:43AM +0000, Andrew Cooper wrote:
> On 21/03/2023 5:33 pm, Demi Marie Obenour wrote:
> > Demi Marie Obenour (5):
> >   Use HTTPS for all xenbits.xen.org Git repos
> >   Change remaining xenbits.xen.org link to HTTPS
> >   Build system: Do not try to use broken links
> >   Build system: Replace git:// and http:// with https://
> >   Automation and CI: Replace git:// and http:// with https://
> 
> https://gitlab.com/xen-project/patchew/xen/-/pipelines/813510934 from
> patchew, so I think we're good now on the containers.
> 
> >
> >  Config.mk                                   | 20 ++++---------
> >  README                                      |  4 +--
> >  automation/build/debian/stretch-llvm-8.list |  4 +--
> 
> Except for this, where I thought we'd already dropped it...

We dropped llvm-8 on the unstable container, I don't think there's been
a patch for the stretch container.

-- 
Anthony PERARD
Re: [PATCH v6 0/5] Stop using insecure transports
Posted by Andrew Cooper 1 year, 1 month ago
On 24/03/2023 4:37 pm, Anthony PERARD wrote:
> On Wed, Mar 22, 2023 at 08:37:43AM +0000, Andrew Cooper wrote:
>> On 21/03/2023 5:33 pm, Demi Marie Obenour wrote:
>>> Demi Marie Obenour (5):
>>>   Use HTTPS for all xenbits.xen.org Git repos
>>>   Change remaining xenbits.xen.org link to HTTPS
>>>   Build system: Do not try to use broken links
>>>   Build system: Replace git:// and http:// with https://
>>>   Automation and CI: Replace git:// and http:// with https://
>> https://gitlab.com/xen-project/patchew/xen/-/pipelines/813510934 from
>> patchew, so I think we're good now on the containers.
>>
>>>  Config.mk                                   | 20 ++++---------
>>>  README                                      |  4 +--
>>>  automation/build/debian/stretch-llvm-8.list |  4 +--
>> Except for this, where I thought we'd already dropped it...
> We dropped llvm-8 on the unstable container, I don't think there's been
> a patch for the stretch container.

Yeah, I was just figuring that out.

I'm going to commit Demi's series as is, and fix the container afterwards.

~Andrew
[PATCH v6 1/5] Use HTTPS for all xenbits.xen.org Git repos
Posted by Demi Marie Obenour 1 year, 1 month ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories.  It was generated with the following shell script:

    git ls-files -z |
    xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

All altered links have been tested and are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk                                  | 18 +++++-------------
 docs/misc/livepatch.pandoc                 |  2 +-
 docs/process/xen-release-management.pandoc |  2 +-
 scripts/get_maintainer.pl                  |  2 +-
 4 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
 QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
 endif
 
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
 OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
 QEMU_UPSTREAM_REVISION ?= master
 MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
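Review bot: the five URL defaults in this hunk are still assigned with `?=`, so a `git://` or `http://` value supplied through the environment or the make command line is used unchanged; the commit message's "enforces the use of secure transports" describes new defaults rather than enforcement, and should either say so or be backed by a check that rejects non-https values. Separately, removing the `ifeq ($(GIT_HTTP),y)` block makes `GIT_HTTP` a silent no-op for these variables, so any remaining mention of it in the tree should go in the same patch. The trailing context also shows `QEMU_UPSTREAM_REVISION ?= master` beside commit-pinned OVMF and MINIOS revisions: HTTPS authenticates the server, but a floating branch still lets the fetched code change without any change to this file.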
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
 This is implemented in a seperate tool which lives in a seperate
 GIT repo.
 
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
 
 ### Exception tables and symbol tables growth
 
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
 
 Xen X.Y rcZ is tagged. You can check that out from xen.git:
 
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
 
 For your convenience there is also a tarball at:
 https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
 	warn("$P: No supported VCS found.  Add --nogit to options?\n");
 	warn("Using a git repository produces better results.\n");
 	warn("Try latest git repository using:\n");
-	warn("git clone git://xenbits.xen.org/xen.git\n");
+	warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
 	$printed_novcs = 1;
     }
     return 0;
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
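The rewrite quoted in the commit message above, applied to a constructed two-file sample and followed by an audit for cleartext-transport URLs it leaves behind. This is an added example, not part of the series; the function names, sample file names and the example.invalid mirror are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Xen tree. Sample files are constructed.

# sed expression exactly as quoted in the commit message.
XENBITS_REWRITE='s@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

# Print "file:line:text" for every line that still names a git:// or http://
# URL. https:// is not matched: the pattern needs "http" directly before "://".
# -I skips binary files; "|| true" keeps "nothing found" from being an error.
find_insecure_urls() {
    grep -rInE '(git|http)://' -- "$@" || true
}

# Number of offending lines under the given files or directories.
count_insecure_urls() {
    find_insecure_urls "$@" | wc -l | tr -d '[:space:]'
}

# Apply the rewrite to each named file. A temporary file is used instead of
# "sed -i", whose syntax differs between GNU and BSD sed.
apply_xenbits_rewrite() {
    for f in "$@"; do
        sed -E "$XENBITS_REWRITE" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Build a throwaway tree: two xenbits URLs the rewrite covers, one URL that is
# already https, and one cleartext URL on a different (constructed) host.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    cat > "$d/Config.mk" <<'EOF'
OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
EOF
    cat > "$d/sample.list" <<'EOF'
deb http://apt.example.invalid/stretch/ llvm-toolchain-stretch-8 main
EOF
    printf '%s\n' "$d"
}

# Print "before after": offending-line counts around the rewrite.
audit_sample() {
    d=$(make_sample_tree) || return 1
    before=$(count_insecure_urls "$d")
    apply_xenbits_rewrite "$d"/*
    after=$(count_insecure_urls "$d")
    rm -rf "$d"
    printf '%s %s\n' "$before" "$after"
}

echo "cleartext-URL lines before/after rewrite: $(audit_sample)"
```

The line that survives is the non-xenbits mirror: the expression is scoped to xenbits.xen.org, so a tree-wide audit is what shows which other files still need changing.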
Re: [PATCH v6 1/5] Use HTTPS for all xenbits.xen.org Git repos
Posted by Andrew Cooper 1 year, 1 month ago
On 21/03/2023 5:33 pm, Demi Marie Obenour wrote:
> diff --git a/Config.mk b/Config.mk
> index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
> --- a/Config.mk
> +++ b/Config.mk
> @@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
>  QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
>  endif
>  
> -ifeq ($(GIT_HTTP),y)
> -OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
> -QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
> -QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
> -SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
> -MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
> -else
> -OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
> -QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
> -QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
> -SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
> -MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
> -endif
> +OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
> +QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
> +QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
> +SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
> +MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
>  OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
>  QEMU_UPSTREAM_REVISION ?= master
>  MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
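Review bot: Removing the ifeq ($(GIT_HTTP),y) block means a GIT_HTTP=y passed by existing build scripts is now silently ignored for these five URLs. The commit message should say that the knob no longer has any effect here, and any documentation that still describes GIT_HTTP should be updated in the same series.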

The prior layout was somewhat necessary to dedup the GIT_HTTP part, but
now we really do want pairs of {URL, REVISION} together, rather than one
block of URLs and then a block of REVISIONs.

This is just reordering the lines (and some newlines for clarity), so
I'm happy to sort it out on commit.

~Andrew
Re: [PATCH v6 1/5] Use HTTPS for all xenbits.xen.org Git repos
Posted by Jan Beulich 1 year, 1 month ago
On 21.03.2023 18:33, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatantly obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
> 
> This patch enforces the use of secure transports for all xenbits.xen.org
> Git repositories.  It was generated with the following shell script:
> 
>     git ls-files -z |
>     xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

I thought I had asked already, but looking through earlier conversation
it looks like I only meant to: Why not git+ssh:// instead? Iirc there
are efficiency differences between http and git protocols.

Jan
Re: [PATCH v6 1/5] Use HTTPS for all xenbits.xen.org Git repos
Posted by Marek Marczykowski-Górecki 1 year, 1 month ago
On Wed, Mar 22, 2023 at 09:32:53AM +0100, Jan Beulich wrote:
> On 21.03.2023 18:33, Demi Marie Obenour wrote:
> > Obtaining code over an insecure transport is a terrible idea for
> > blatantly obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> > 
> > This patch enforces the use of secure transports for all xenbits.xen.org
> > Git repositories.  It was generated with the following shell script:
> > 
> >     git ls-files -z |
> >     xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
> 
> I thought I had asked already, but looking through earlier conversation
> it looks like I only meant to: Why not git+ssh:// instead? Iirc there
> are efficiency differences between http and git protocols.

git+ssh requires authentication, so you can't use it without an account
on xenbits.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
[PATCH v6 2/5] Change remaining xenbits.xen.org link to HTTPS
Posted by Demi Marie Obenour 1 year, 1 month ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports for all xenbits.xen.org
URLs.  All altered links have been tested and are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
 # near the place in the Xen Makefiles where the file is used.
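Review bot: XEN_EXTFILES_URL is still assigned with ?=, so a value from the environment or the make command line, including an http:// one, takes precedence over this default; "enforces" in the commit message describes the default only. Either word it as changing the default, or add a check that rejects a value that does not start with https://.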
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v6 2/5] Change remaining xenbits.xen.org link to HTTPS
Posted by Jan Beulich 1 year, 1 month ago
On 21.03.2023 18:33, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatantly obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
> 
> This patch enforces the use of secure transports for all xenbits.xen.org
> URLs.  All altered links have been tested and are known to work.
> 
> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>

A patch of (almost) this title was already committed and then partly reverted,
as it had become clear that ...

> --- a/Config.mk
> +++ b/Config.mk
> @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>  
> -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles

... this really is part of the build system. Hence I wonder why this wasn't
folded into patch 4 (as it should have been from the beginning, which then
also would have avoided the noise about committing the patch too early).

Jan
[PATCH v6 3/5] Build system: Do not try to use broken links
Posted by Demi Marie Obenour 1 year, 1 month ago
The upstream URLs for zlib, PolarSSL, and the TPM emulator do not work
anymore, so do not attempt to use them.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 m4/stubdom.m4        |  5 +++--
 stubdom/configure    | 21 +++------------------
 stubdom/configure.ac |  6 +++---
 3 files changed, 9 insertions(+), 23 deletions(-)

diff --git a/m4/stubdom.m4 b/m4/stubdom.m4
index 6aa488b8e229dabbe107cfe115b5f2ac7e5ae824..26f10595d1c1250b1dc8a5be626142325e8d4673 100644
--- a/m4/stubdom.m4
+++ b/m4/stubdom.m4
@@ -78,10 +78,11 @@ done
 AC_DEFUN([AX_STUBDOM_LIB], [
 AC_ARG_VAR([$1_URL], [Download url for $2])
 AS_IF([test "x$$1_URL" = "x"], [
-	AS_IF([test "x$extfiles" = "xy"],
+	m4_if([$#],[3],[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
+	      [$#],[4],[AS_IF([test "x$extfiles" = "xy"],
 		[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
 		[$1_URL="$4"])
-	])
+],[m4_fatal([AX_STUBDOM_LIB expects 3 or 4 arguments, not $#])])])
 $1_VERSION="$3"
 AC_SUBST($1_URL)
 AC_SUBST($1_VERSION)
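Review bot: The new three-argument form of AX_STUBDOM_LIB is undocumented, at the m4_if added near the top of this hunk. A comment above AC_DEFUN saying that omitting the fourth argument means "no upstream fallback, always use XEN_EXTFILES_URL" would save readers from decoding the [$#],[3] and [$#],[4] branches. The m4_fatal for any other argument count is a good guard and should stay.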
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..4ea95baa9192f3b319349ac2a14a3055a21ce705 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3532,12 +3532,7 @@ fi
 
 if test "x$ZLIB_URL" = "x"; then :
 
-	if test "x$extfiles" = "xy"; then :
-  ZLIB_URL=\$\(XEN_EXTFILES_URL\)
-else
-  ZLIB_URL="http://www.zlib.net"
-fi
-
+	ZLIB_URL=\$\(XEN_EXTFILES_URL\)
 fi
 ZLIB_VERSION="1.2.3"
 
@@ -3633,12 +3628,7 @@ GMP_VERSION="4.3.2"
 
 if test "x$POLARSSL_URL" = "x"; then :
 
-	if test "x$extfiles" = "xy"; then :
-  POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
-else
-  POLARSSL_URL="http://polarssl.org/code/releases"
-fi
-
+	POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
 fi
 POLARSSL_VERSION="1.1.4"
 
@@ -3648,12 +3638,7 @@ POLARSSL_VERSION="1.1.4"
 
 if test "x$TPMEMU_URL" = "x"; then :
 
-	if test "x$extfiles" = "xy"; then :
-  TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
-else
-  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
-fi
-
+	TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
 fi
 TPMEMU_VERSION="0.7.4"
 
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,15 +55,15 @@ AC_PROG_INSTALL
 AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
 
 # Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
 AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
 AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
 AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
 AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
 AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
 AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
 
 #These stubdoms should be enabled if the dependent one is
 AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
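Review bot: The commit message does not say why the ZLIB, POLARSSL and TPMEMU fallbacks are dropped rather than replaced, which is what these three changed lines do. The other entries in this list keep a fourth argument, so a sentence on whether a working https:// location was looked for (and not found) for each of the three would make the asymmetry clear to later readers.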
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v6 4/5] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 1 month ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 stubdom/configure                 | 12 ++++++------
 stubdom/configure.ac              | 12 ++++++------
 tools/firmware/etherboot/Makefile |  6 +-----
 3 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/stubdom/configure b/stubdom/configure
index 4ea95baa9192f3b319349ac2a14a3055a21ce705..540e9cd331888449b0e24c1aa974bc22c5bcab54 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
 fi
 
 fi
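Review bot: LIBPCI_URL changes host as well as scheme here, from www.kernel.org to mirrors.edge.kernel.org. The commit message explains that redirect targets were substituted, but a redirect target is a detail of how the site is served today and can move; if https://www.kernel.org/pub/software/utils/pciutils still resolves by redirect, keeping the canonical name is the more durable choice.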
@@ -3560,7 +3560,7 @@ if test "x$NEWLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+  NEWLIB_URL="https://sourceware.org/ftp/newlib"
 fi
 
 fi
@@ -3575,7 +3575,7 @@ if test "x$LWIP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LWIP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
 fi
 
 fi
@@ -3590,7 +3590,7 @@ if test "x$GRUB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GRUB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GRUB_URL="http://alpha.gnu.org/gnu/grub"
+  GRUB_URL="https://alpha.gnu.org/gnu/grub"
 fi
 
 fi
@@ -3602,7 +3602,7 @@ GRUB_VERSION="0.97"
 
 if test "x$OCAML_URL" = "x"; then :
 
-	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
 
 fi
 OCAML_VERSION="4.02.0"
@@ -3616,7 +3616,7 @@ if test "x$GMP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GMP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+  GMP_URL="https://gmplib.org/download/gmp/archive"
 fi
 
 fi
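Review bot: GMP_URL no longer points at a version-specific directory: ftp://ftp.gmplib.org/pub/gmp-4.3.2 becomes https://gmplib.org/download/gmp/archive. Please confirm that the file name the stubdom build appends for GMP_VERSION 4.3.2 exists directly under archive/, since this fallback is only used when extfiles is not y and is easy to miss in testing.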
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b..471e371e14a82aedc10314c95bcaf39ce9f89f90 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -56,12 +56,12 @@ AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
 
 # Stubdom libraries version and url setup
 AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
 AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
 AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
 
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 include Config
 
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
 
 # put an updated tar.gz on xenbits after changes to this variable
 IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
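Review bot: IPXE_GIT_URL moves to a different host (git.ipxe.org to github.com/ipxe), which the commit message does not call out; it only mentions schemes and followed redirects. Please state that github.com/ipxe/ipxe.git is the project's own repository or the target git.ipxe.org redirects to, and that the commit pinned in IPXE_GIT_TAG is reachable from it.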
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v6 4/5] Build system: Replace git:// and http:// with https://
Posted by Andrew Cooper 1 year, 1 month ago
On 21/03/2023 5:33 pm, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatantly obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
>
> This patch enforces the use of secure transports in the build system.
> Some URLs returned 301 or 302 redirects, so I replaced them with the
> URLs that were redirected to.
>
> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> ---
>  stubdom/configure                 | 12 ++++++------
>  stubdom/configure.ac              | 12 ++++++------
>  tools/firmware/etherboot/Makefile |  6 +-----

This drops the final reference to GIT_HTTP.  As you're modifying
configure anyway, it would be preferable to drop this option too, for an
even more negative diffstat.

(Probably ok to be folded in on commit.)

~Andrew

[PATCH v6 5/5] Automation and CI: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 1 month ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in automation and CI.
All URLs are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 README                                      | 4 ++--
 automation/build/debian/stretch-llvm-8.list | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README b/README
index 755b3d8eaf8f7a58a945b7594e68a3fe455a7bdf..f8cc426f78d690f37e013242e81d4e440556c330 100644
--- a/README
+++ b/README
@@ -181,7 +181,7 @@ Python Runtime Libraries
 Various tools, such as pygrub, have the following runtime dependencies:
 
     * Python 2.6 or later.
-          URL:    http://www.python.org/
+          URL:    https://www.python.org/
           Debian: python
 
 Note that the build system expects `python` to be available. If your system
@@ -197,7 +197,7 @@ Intel(R) Trusted Execution Technology Support
 Intel's technology for safer computing, Intel(R) Trusted Execution Technology
 (Intel(R) TXT), defines platform-level enhancements that provide the building
 blocks for creating trusted platforms.  For more information, see
-http://www.intel.com/technology/security/.
+https://www.intel.com/technology/security/.
 
 Intel(R) TXT support is provided by the Trusted Boot (tboot) module in
 conjunction with minimal logic in the Xen hypervisor.
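Review bot: Both README hunks change links meant for human readers, which does not match the subject "Automation and CI"; only the stretch-llvm-8.list change in this patch affects what CI fetches. Consider moving the README edits to a documentation patch so the CI-affecting change can be reviewed and reverted on its own.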
diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
index 09fe843fb2a31ae38f752d7c8c71cf97f5b14513..590001ca81e826ab624ba9185423adf4b0c51a21 100644
--- a/automation/build/debian/stretch-llvm-8.list
+++ b/automation/build/debian/stretch-llvm-8.list
@@ -1,3 +1,3 @@
 # Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb-src https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
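Review bot: Switching both deb lines to https://apt.llvm.org assumes the stretch container's apt can fetch over HTTPS. Stretch ships apt 1.4, which needs the apt-transport-https package for https:// sources, and certificate validation needs a current ca-certificates bundle. Please confirm the stretch Dockerfile installs both before this list is used, otherwise apt-get update will fail on these entries.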
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v5 1/5] Use HTTPS for all xenbits.xen.org Git repos
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories.  It was generated with the following shell script:

    git ls-files -z |
    xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

All altered links have been tested and are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk                                  | 18 +++++-------------
 docs/misc/livepatch.pandoc                 |  2 +-
 docs/process/xen-release-management.pandoc |  2 +-
 scripts/get_maintainer.pl                  |  2 +-
 4 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
 QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
 endif
 
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
 OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
 QEMU_UPSTREAM_REVISION ?= master
 MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
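Review bot: QEMU_UPSTREAM_REVISION ?= master in the trailing context still tracks a moving branch, while OVMF_UPSTREAM_REVISION and MINIOS_UPSTREAM_REVISION beside it are pinned to commit ids. HTTPS authenticates the server, but what gets built is still whatever master points at when the fetch happens. Worth saying in the commit message whether this default is intentional for development trees, since the stated goal is protecting how code is obtained.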
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
 This is implemented in a seperate tool which lives in a seperate
 GIT repo.
 
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
 
 ### Exception tables and symbol tables growth
 
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
 
 Xen X.Y rcZ is tagged. You can check that out from xen.git:
 
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
 
 For your convenience there is also a tarball at:
 https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
 	warn("$P: No supported VCS found.  Add --nogit to options?\n");
 	warn("Using a git repository produces better results.\n");
 	warn("Try latest git repository using:\n");
-	warn("git clone git://xenbits.xen.org/xen.git\n");
+	warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
 	$printed_novcs = 1;
     }
     return 0;
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
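The sed expression in the commit message above only rewrites xenbits Git URLs, so other plaintext links survive it. As an added example (not part of the posted series or the Xen tree; the function names are assumptions and the sample lines are constructed from lines quoted on this page), this shell script applies the same substitution to its input and then lists every git://, http:// or ftp:// URL that remains for manual review:

```shell
#!/bin/sh
# Added example, not from the Xen tree: find plaintext fetch URLs that the
# xenbits-only substitution leaves behind. Assumes GNU sed and GNU grep.

# The substitution from the commit message, applied to stdin instead of in place.
rewrite_xenbits() {
    sed -E 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
}

# Print "LINE:URL" for every git://, http:// or ftp:// URL on stdin.
# \b keeps sftp:// from matching as ftp://; https:// never matches because
# of the "s" before "://". A URL ends at whitespace, ", ], ), < or >.
find_plaintext_urls() {
    grep -nEo '\b(git|http|ftp)://[^][:space:]"<>)]+' || true
}

# Return 0 when nothing plaintext is left after the rewrite, 1 otherwise.
# The remaining URLs are printed so they can be fixed by hand.
check_after_rewrite() {
    remaining=$(rewrite_xenbits | find_plaintext_urls)
    if [ -n "$remaining" ]; then
        printf '%s\n' "$remaining"
        return 1
    fi
    return 0
}

# Constructed sample input, modelled on lines that appear in the patches.
sample_input() {
    cat <<'EOF'
OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
EOF
}

# Demo: lines 1 and 2 are rewritten; line 3 (not under git-http/) and
# line 4 (not xenbits at all) are reported.
sample_input | check_after_rewrite || true
```

Run over a checkout with `git ls-files -z | xargs -0 cat | check_after_rewrite`, the non-zero return can gate a CI job; line numbers then refer to the concatenated stream, so per-file invocation is more useful for locating hits.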
Re: [PATCH v5 1/5] Use HTTPS for all xenbits.xen.org Git repos
Posted by Marek Marczykowski-Górecki 1 year, 2 months ago
On Sat, Feb 25, 2023 at 03:37:11PM -0500, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatantly obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
> 
> This patch enforces the use of secure transports for all xenbits.xen.org
> Git repositories.  It was generated with the following shell script:
> 
>     git ls-files -z |
>     xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
> 
> All altered links have been tested and are known to work.
> 
> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>

It seems the expired Let's Encrypt root issue applies to a few other containers
too:
- archlinux:current: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739751
- debian:stretch-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739762
- debian:unstable-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739771

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
Re: [PATCH v5 1/5] Use HTTPS for all xenbits.xen.org Git repos
Posted by Anthony PERARD 1 year, 2 months ago
On Sat, Feb 25, 2023 at 11:34:32PM +0100, Marek Marczykowski-Górecki wrote:
> On Sat, Feb 25, 2023 at 03:37:11PM -0500, Demi Marie Obenour wrote:
> > Obtaining code over an insecure transport is a terrible idea for
> > blatantly obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> > 
> > This patch enforces the use of secure transports for all xenbits.xen.org
> > Git repositories.  It was generated with the following shell script:
> > 
> >     git ls-files -z |
> >     xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
> > 
> > All altered links have been tested and are known to work.
> > 
> > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> 
> It seems the expired Let's Encrypt root issue applies to a few other containers
> too:

Yes, I haven't finished rebuilding all the containers that need to be rebuilt.
I've mostly taken care of fixing the dockerfiles for those that needed to change.

Cheers,

> - archlinux:current: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739751
> - debian:stretch-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739762
> - debian:unstable-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739771



-- 
Anthony PERARD
[PATCH v5 2/5] Change remaining xenbits.xen.org links to HTTPS
Posted by Demi Marie Obenour 1 year, 2 months ago
Also fix an old xenbits.xenproject.org link.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk        | 2 +-
 tools/misc/mkrpm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
 # near the place in the Xen Makefiles where the file is used.
diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm
index 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0 100644
--- a/tools/misc/mkrpm
+++ b/tools/misc/mkrpm
@@ -34,7 +34,7 @@ Version: $version
 Release: $release
 License: GPL
 Group:   System/Hypervisor
-URL: http://xenbits.xenproject.org/xen.git
+URL: https://xenbits.xen.org/git-http/xen.git
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 %define _binary_payload w1.gzdio
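Review bot: The URL: line changes hostname as well as scheme, from xenbits.xenproject.org to xenbits.xen.org, and adds the git-http/ path. If the intent is only to move to HTTPS, keep the xenproject.org name. This is also the spec's URL: tag, which is shown to people inspecting the package, so check that the chosen address is one a person can open in a browser rather than only a clone endpoint.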
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v5 2/5] Change remaining xenbits.xen.org links to HTTPS
Posted by Jan Beulich 1 year, 2 months ago
On 25.02.2023 21:37, Demi Marie Obenour wrote:
> --- a/Config.mk
> +++ b/Config.mk
> @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>  
> -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
>  # All the files at that location were downloaded from elsewhere on
>  # the internet.  The original download URL is preserved as a comment
>  # near the place in the Xen Makefiles where the file is used.
> diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm
> index 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0 100644
> --- a/tools/misc/mkrpm
> +++ b/tools/misc/mkrpm
> @@ -34,7 +34,7 @@ Version: $version
>  Release: $release
>  License: GPL
>  Group:   System/Hypervisor
> -URL: http://xenbits.xenproject.org/xen.git
> +URL: https://xenbits.xen.org/git-http/xen.git

Please can you not lose "project" from the URL? That's the more modern
form, after all. In fact, since you're touching the other URL above
anyway, I wonder if it wouldn't be a good idea to insert "project"
there as well. With at least the former adjustment (which I suppose
can be done while committing, as long as you agree)
Acked-by: Jan Beulich <jbeulich@suse.com>

Jan
Re: [PATCH v5 2/5] Change remaining xenbits.xen.org links to HTTPS
Posted by Demi Marie Obenour 1 year, 2 months ago
On Mon, Feb 27, 2023 at 09:35:51AM +0100, Jan Beulich wrote:
> On 25.02.2023 21:37, Demi Marie Obenour wrote:
> > --- a/Config.mk
> > +++ b/Config.mk
> > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
> >  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
> >  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
> >  
> > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
> >  # All the files at that location were downloaded from elsewhere on
> >  # the internet.  The original download URL is preserved as a comment
> >  # near the place in the Xen Makefiles where the file is used.
> > diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm
> > index 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0 100644
> > --- a/tools/misc/mkrpm
> > +++ b/tools/misc/mkrpm
> > @@ -34,7 +34,7 @@ Version: $version
> >  Release: $release
> >  License: GPL
> >  Group:   System/Hypervisor
> > -URL: http://xenbits.xenproject.org/xen.git
> > +URL: https://xenbits.xen.org/git-http/xen.git
> 
> Please can you not lose "project" from the URL? That's the more modern
> form, after all. In fact, since you're touching the other URL above
> anyway, I wonder if it wouldn't be a good idea to insert "project"
> there as well. With at least the former adjustment (which I suppose
> can be done while committing, as long as you agree)
> Acked-by: Jan Beulich <jbeulich@suse.com>

I’m fine with either or both of those adjustments.  I was not aware that
https://xenbits.xen.org is an alias for https://xenbits.xenproject.org.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v5 2/5] Change remaining xenbits.xen.org links to HTTPS
Posted by George Dunlap 1 year, 1 month ago
On Mon, Feb 27, 2023 at 6:46 PM Demi Marie Obenour <demi@invisiblethingslab.com> wrote:

> On Mon, Feb 27, 2023 at 09:35:51AM +0100, Jan Beulich wrote:
> > On 25.02.2023 21:37, Demi Marie Obenour wrote:
> > > --- a/Config.mk
> > > +++ b/Config.mk
> > > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES),
> -I$(i))
> > >  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector
> -fno-stack-protector-all
> > >  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions
> -fno-asynchronous-unwind-tables
> > >
> > > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> > > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
> > >  # All the files at that location were downloaded from elsewhere on
> > >  # the internet.  The original download URL is preserved as a comment
> > >  # near the place in the Xen Makefiles where the file is used.
> > > diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm
> > > index
> 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0
> 100644
> > > --- a/tools/misc/mkrpm
> > > +++ b/tools/misc/mkrpm
> > > @@ -34,7 +34,7 @@ Version: $version
> > >  Release: $release
> > >  License: GPL
> > >  Group:   System/Hypervisor
> > > -URL: http://xenbits.xenproject.org/xen.git
> > > +URL: https://xenbits.xen.org/git-http/xen.git
> >
> > Please can you not lose "project" from the URL? That's the more modern
> > form, after all. In fact, since you're touching the other URL above
> > anyway, I wonder if it wouldn't be a good idea to insert "project"
> > there as well. With at least the former adjustment (which I suppose
> > can be done while committing, as long as you agree)
> > Acked-by: Jan Beulich <jbeulich@suse.com>
>
> I’m fine with either or both of those adjustments.  I was not aware that
> https://xenbits.xen.org is an alias for https://xenbits.xenproject.org.
>

"xen.org" is the original.  When Xen joined the Linux Foundation, there
were some complications with the trademark: Citrix had renamed all their
products to XenFoo (even those which had nothing to do with Xen), and so
wanted to keep the trademark; but the LF felt they needed a trademark they
could own & enforce.  The solution the lawyers came up with was for Citrix
to allow the LF to own the trademark to "The Xen Project", while Citrix
retained the trademark to "Xen".  Everything was meant to have shifted over
to "xenproject.org", but of course "xen.org" was kept around to avoid
breaking links; and here we are, 10 years later.

Neither LF nor CSG are particularly trigger-happy with lawsuits, so it's
not a huge deal, but all things being equal, it's better to use
"xenproject.org"; and switching to "xen.org" is certainly a (small)
regression.

 -George
[PATCH v5 3/5] Build system: Do not try to use broken links
Posted by Demi Marie Obenour 1 year, 2 months ago
The upstream URLs for zlib, PolarSSL, and the TPM emulator do not work
anymore, so do not attempt to use them.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 m4/stubdom.m4        |  5 +++--
 stubdom/configure    | 21 +++------------------
 stubdom/configure.ac |  6 +++---
 3 files changed, 9 insertions(+), 23 deletions(-)

diff --git a/m4/stubdom.m4 b/m4/stubdom.m4
index 6aa488b8e229dabbe107cfe115b5f2ac7e5ae824..26f10595d1c1250b1dc8a5be626142325e8d4673 100644
--- a/m4/stubdom.m4
+++ b/m4/stubdom.m4
@@ -78,10 +78,11 @@ done
 AC_DEFUN([AX_STUBDOM_LIB], [
 AC_ARG_VAR([$1_URL], [Download url for $2])
 AS_IF([test "x$$1_URL" = "x"], [
-	AS_IF([test "x$extfiles" = "xy"],
+	m4_if([$#],[3],[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
+	      [$#],[4],[AS_IF([test "x$extfiles" = "xy"],
 		[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
 		[$1_URL="$4"])
-	])
+],[m4_fatal([AX_STUBDOM_LIB expects 3 or 4 arguments, not $#])])])
 $1_VERSION="$3"
 AC_SUBST($1_URL)
 AC_SUBST($1_VERSION)
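Review bot: In the new three-argument branch, `$1_URL` is set to XEN_EXTFILES_URL without testing `$extfiles`, so for libraries declared without a fourth argument the extfiles setting no longer has any effect. The commit message only says the upstream URLs are dead; it should state this behaviour change as well. A short comment above AC_DEFUN saying that the fourth argument is optional, and what omitting it means, would keep the next caller from guessing. The m4_fatal for any other argument count is a good guard.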
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..4ea95baa9192f3b319349ac2a14a3055a21ce705 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3532,12 +3532,7 @@ fi
 
 if test "x$ZLIB_URL" = "x"; then :
 
-	if test "x$extfiles" = "xy"; then :
-  ZLIB_URL=\$\(XEN_EXTFILES_URL\)
-else
-  ZLIB_URL="http://www.zlib.net"
-fi
-
+	ZLIB_URL=\$\(XEN_EXTFILES_URL\)
 fi
 ZLIB_VERSION="1.2.3"
 
@@ -3633,12 +3628,7 @@ GMP_VERSION="4.3.2"
 
 if test "x$POLARSSL_URL" = "x"; then :
 
-	if test "x$extfiles" = "xy"; then :
-  POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
-else
-  POLARSSL_URL="http://polarssl.org/code/releases"
-fi
-
+	POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
 fi
 POLARSSL_VERSION="1.1.4"
 
@@ -3648,12 +3638,7 @@ POLARSSL_VERSION="1.1.4"
 
 if test "x$TPMEMU_URL" = "x"; then :
 
-	if test "x$extfiles" = "xy"; then :
-  TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
-else
-  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
-fi
-
+	TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
 fi
 TPMEMU_VERSION="0.7.4"
 
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,15 +55,15 @@ AC_PROG_INSTALL
 AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
 
 # Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
 AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
 AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
 AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
 AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
 AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
 AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
 
 #These stubdoms should be enabled if the dependent one is
 AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
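Review bot: Dropping the fourth argument from the ZLIB, POLARSSL and TPMEMU lines removes the only record in this file of where those tarballs originally came from. The comment next to XEN_EXTFILES_URL in Config.mk says the original download URL is preserved near the place where each file is used, so consider keeping each old URL as a comment beside its entry, marked as no longer reachable. That keeps the provenance available to anyone who later has to re-verify or replace the copies served from XEN_EXTFILES_URL.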
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v5 4/5] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 stubdom/configure                 | 12 ++++++------
 stubdom/configure.ac              | 12 ++++++------
 tools/firmware/etherboot/Makefile |  6 +-----
 3 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/stubdom/configure b/stubdom/configure
index 4ea95baa9192f3b319349ac2a14a3055a21ce705..540e9cd331888449b0e24c1aa974bc22c5bcab54 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
 fi
 
 fi
@@ -3560,7 +3560,7 @@ if test "x$NEWLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+  NEWLIB_URL="https://sourceware.org/ftp/newlib"
 fi
 
 fi
@@ -3575,7 +3575,7 @@ if test "x$LWIP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LWIP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
 fi
 
 fi
@@ -3590,7 +3590,7 @@ if test "x$GRUB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GRUB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GRUB_URL="http://alpha.gnu.org/gnu/grub"
+  GRUB_URL="https://alpha.gnu.org/gnu/grub"
 fi
 
 fi
@@ -3602,7 +3602,7 @@ GRUB_VERSION="0.97"
 
 if test "x$OCAML_URL" = "x"; then :
 
-	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
 
 fi
 OCAML_VERSION="4.02.0"
@@ -3616,7 +3616,7 @@ if test "x$GMP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GMP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+  GMP_URL="https://gmplib.org/download/gmp/archive"
 fi
 
 fi
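Review bot: The GMP_URL replacement here (and the NEWLIB_URL one earlier in this file) changes host and path, not just the scheme, and an ftp:// URL cannot have answered with an HTTP 301 or 302, so the redirect explanation in the commit message does not cover either of them. GMP also moves from a version-specific directory (`pub/gmp-4.3.2`) to a shared `download/gmp/archive` directory. Please say in the description how these two locations were chosen and confirm that the pinned versions (newlib 1.16.0, gmp 4.3.2) are actually served from them.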
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b..471e371e14a82aedc10314c95bcaf39ce9f89f90 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -56,12 +56,12 @@ AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
 
 # Stubdom libraries version and url setup
 AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
 AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
 AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
 
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 include Config
 
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
 
 # put an updated tar.gz on xenbits after changes to this variable
 IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
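Review bot: IPXE_GIT_URL moves from git.ipxe.org to github.com/ipxe/ipxe.git, which is a change of host rather than of scheme, and the commit message does not mention it. Removing the `ifeq ($(GIT_HTTP),y)` block also means GIT_HTTP no longer influences this Makefile. Both deserve a sentence in the description, together with a confirmation that the commit pinned in IPXE_GIT_TAG is reachable from the new repository.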
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v5 4/5] Build system: Replace git:// and http:// with https://
Posted by Jan Beulich 1 year, 2 months ago
On 25.02.2023 21:37, Demi Marie Obenour wrote:
> --- a/stubdom/configure
> +++ b/stubdom/configure
> @@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> +  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
>  fi

Simply replacing https:// in the original URL does work. Why did you alter
it beyond that? Yes, either access leads to the URL you specify, but that
forwarding (or however it's implemented) may change down the road (and it
could, aiui, even be dependent upon where in the world the access is coming
from). In any event, here and below, any adjustment beyond what the title
says wants explaining in the description.

Jan
Re: [PATCH v5 4/5] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
On Mon, Feb 27, 2023 at 09:42:24AM +0100, Jan Beulich wrote:
> On 25.02.2023 21:37, Demi Marie Obenour wrote:
> > --- a/stubdom/configure
> > +++ b/stubdom/configure
> > @@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> > +  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
> >  fi
> 
> Simply replacing https:// in the original URL does work. Why did you alter
> it beyond that? Yes, either access leads to the URL you specify, but that
> forwarding (or however it's implemented) may change down the road (and it
> could, aiui, even be dependent upon where in the world the access is coming
> from). In any event, here and below, any adjustment beyond what the title
> says wants explaining in the description.
> 
> Jan

    $ curl --head --fail https://www.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Mon, 27 Feb 2023 20:46:38 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=15768001
    Referrer-Policy: same-origin
    Content-Security-Policy: default-src 'self'; img-src https: data:

This means that all future requests should be made to
https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
as per the HTTP standard.  If this were a temporary redirect you would
be correct, but it is not.  See:

> Some URLs returned 301 or 302 redirects, so I replaced them with the
> URLs that were redirected to.

from the commit message.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
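The redirect question debated in this exchange can be checked mechanically. The following is an added example, not code from the thread or the Xen tree: it parses a response head like the `curl --head` output quoted above and reports whether a pinned download URL should be updated (permanent redirect), kept (temporary redirect or no redirect), or rejected (redirect that leaves https). The function names and the `example.org` URLs in the test are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Status codes that announce a permanent move versus a temporary one (RFC 9110).
PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

# Constructed sample: status line and Location header as in the curl output
# quoted in the message above, with the other headers trimmed.
SAMPLE_HEAD = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
Strict-Transport-Security: max-age=15768001
"""


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased-name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    if not lines or len(lines[0].split()) < 2:
        raise ValueError("no HTTP status line found")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def review_redirect(pinned_url, raw_head):
    """Decide what to do with a pinned download URL given the server's answer."""
    status, headers = parse_head(raw_head)
    location = headers.get("location")
    if status not in PERMANENT | TEMPORARY or not location:
        return {"action": "keep", "target": None,
                "reason": f"status {status} is not a redirect"}

    # Location may be relative; resolve it against the URL that was requested.
    target = urljoin(pinned_url, location)

    # A redirect from https to anything else gives up the transport guarantee
    # the pinned URL was chosen for, so it is never followed or adopted.
    if urlsplit(pinned_url).scheme == "https" and urlsplit(target).scheme != "https":
        return {"action": "reject", "target": target,
                "reason": "redirect leaves https"}

    if status in PERMANENT:
        return {"action": "update", "target": target,
                "reason": f"{status} is a permanent redirect"}
    return {"action": "keep", "target": target,
            "reason": f"{status} is a temporary redirect"}


if __name__ == "__main__":
    pinned = "https://www.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2"
    print(review_redirect(pinned, SAMPLE_HEAD))
```
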
[PATCH v5 5/5] Automation and CI: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in automation and CI.
All URLs are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 README                                      | 4 ++--
 automation/build/debian/stretch-llvm-8.list | 4 ++--
 automation/scripts/qemu-smoke-dom0-arm32.sh | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/README b/README
index 755b3d8eaf8f7a58a945b7594e68a3fe455a7bdf..f8cc426f78d690f37e013242e81d4e440556c330 100644
--- a/README
+++ b/README
@@ -181,7 +181,7 @@ Python Runtime Libraries
 Various tools, such as pygrub, have the following runtime dependencies:
 
     * Python 2.6 or later.
-          URL:    http://www.python.org/
+          URL:    https://www.python.org/
           Debian: python
 
 Note that the build system expects `python` to be available. If your system
@@ -197,7 +197,7 @@ Intel(R) Trusted Execution Technology Support
 Intel's technology for safer computing, Intel(R) Trusted Execution Technology
 (Intel(R) TXT), defines platform-level enhancements that provide the building
 blocks for creating trusted platforms.  For more information, see
-http://www.intel.com/technology/security/.
+https://www.intel.com/technology/security/.
 
 Intel(R) TXT support is provided by the Trusted Boot (tboot) module in
 conjunction with minimal logic in the Xen hypervisor.
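Review bot: These two README hunks update documentation links (python.org, intel.com), not anything that automation or CI fetches, so they do not match the patch title. Either move them to a documentation patch or widen the title and description to say that README links are covered too.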
diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
index 09fe843fb2a31ae38f752d7c8c71cf97f5b14513..590001ca81e826ab624ba9185423adf4b0c51a21 100644
--- a/automation/build/debian/stretch-llvm-8.list
+++ b/automation/build/debian/stretch-llvm-8.list
@@ -1,3 +1,3 @@
 # Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb-src https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
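Review bot: Switching both entries to https:// makes this list depend on apt's HTTPS transport, which on Debian stretch comes from the separate apt-transport-https package (plus CA certificates) rather than from apt itself. Nothing in this hunk shows that the image installs those before the list is first used, so please confirm that the stretch container build still succeeds, or note the dependency in the description.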
diff --git a/automation/scripts/qemu-smoke-dom0-arm32.sh b/automation/scripts/qemu-smoke-dom0-arm32.sh
index 98e4d481f65c2b29ac935ddf6247132ddf94fa1d..950ad3a0daa63d66fc8647c0a390ff59c2f22b1a 100755
--- a/automation/scripts/qemu-smoke-dom0-arm32.sh
+++ b/automation/scripts/qemu-smoke-dom0-arm32.sh
@@ -4,7 +4,7 @@ set -ex
 
 cd binaries
 # Use the kernel from Debian
-curl --fail --silent --show-error --location --output vmlinuz http://http.us.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
+curl --fail --silent --show-error --location --output vmlinuz https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
 # Use a tiny initrd based on busybox from Alpine Linux
 curl --fail --silent --show-error --location --output initrd.tar.gz https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/armhf/alpine-minirootfs-3.15.1-armhf.tar.gz
 
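Review bot: The vmlinuz download keeps `--location`, so curl will still follow a redirect from the https:// URL to a plain http:// one; adding `--proto =https --proto-redir =https` would make the transfer fail instead. The host also changes from http.us.debian.org to ftp.debian.org, which goes beyond the scheme swap in the title and should be mentioned in the description.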
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v4 1/3] Use HTTPS for all xenbits.xen.org Git repos
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories.  It was generated with the following shell script:

    git ls-files -z |
    xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

All altered links have been tested and are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk                                  | 18 +++++-------------
 docs/misc/livepatch.pandoc                 |  2 +-
 docs/process/xen-release-management.pandoc |  2 +-
 scripts/get_maintainer.pl                  |  2 +-
 4 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
 QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
 endif
 
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
 OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
 QEMU_UPSTREAM_REVISION ?= master
 MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
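Review bot: This hunk removes the whole `ifeq ($(GIT_HTTP),y)` conditional, which the sed one-liner in the commit message cannot have produced, so the description should say that Config.mk was also edited by hand. With the conditional gone, GIT_HTTP has no effect on these five URLs; any remaining documentation of or references to it should be dropped or updated in the same patch.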
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
 This is implemented in a seperate tool which lives in a seperate
 GIT repo.
 
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
 
 ### Exception tables and symbol tables growth
 
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
 
 Xen X.Y rcZ is tagged. You can check that out from xen.git:
 
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
 
 For your convenience there is also a tarball at:
 https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
 	warn("$P: No supported VCS found.  Add --nogit to options?\n");
 	warn("Using a git repository produces better results.\n");
 	warn("Try latest git repository using:\n");
-	warn("git clone git://xenbits.xen.org/xen.git\n");
+	warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
 	$printed_novcs = 1;
     }
     return 0;
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
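To see what the sed expression in the commit message above does and does not cover, the following added example (not part of the patch or the Xen tree) ports it to Python, applies it to constructed lines modelled on the "-" side of hunks in this series, and lists any insecure URL still present afterwards. The `INSECURE_URL` pattern and all function names are assumptions made for this illustration.

```python
import re

# The sed -E expression from the commit message, ported to Python's re syntax.
SED_PATTERN = re.compile(
    r"(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/"
)
SED_REPLACEMENT = "https://xenbits.xen.org/git-http/"

# Assumption for this example: any git://, http:// or ftp:// URL counts as
# insecure. The URL ends at whitespace, a quote, or a closing bracket.
INSECURE_URL = re.compile(r"\b(?:git|http|ftp)://[^\s\"')\]]+")

# Constructed sample lines, modelled on the pre-patch side of this series.
SAMPLE_LINES = [
    "OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git",
    "OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git",
    "XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles",
    "IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git",
    "https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz",
]


def rewrite(line):
    """Apply the commit message's substitution to one line."""
    return SED_PATTERN.sub(SED_REPLACEMENT, line)


def audit(lines):
    """Rewrite every line and record what is still insecure afterwards."""
    report = []
    for number, line in enumerate(lines, start=1):
        result = rewrite(line)
        report.append({
            "line": number,
            "changed": result != line,
            "result": result,
            "leftover": INSECURE_URL.findall(result),
        })
    return report


def is_idempotent(lines):
    """True if running the substitution a second time changes nothing."""
    return all(rewrite(rewrite(line)) == rewrite(line) for line in lines)


if __name__ == "__main__":
    for entry in audit(SAMPLE_LINES):
        flag = "CHANGED" if entry["changed"] else "same   "
        print(f"{entry['line']}: {flag} {entry['result']}")
        for url in entry["leftover"]:
            print(f"   still insecure: {url}")
    print("idempotent:", is_idempotent(SAMPLE_LINES))
```

Both xenbits Git forms collapse to the same https URL, while the xen-extfiles and iPXE lines are left alone by this expression; the series handles those in its build-system patch.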
[PATCH v4 2/3] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk                         |  2 +-
 stubdom/configure                 | 18 +++++++++---------
 stubdom/configure.ac              | 18 +++++++++---------
 tools/firmware/etherboot/Makefile |  6 +-----
 4 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
 # near the place in the Xen Makefiles where the file is used.
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..c717d315c75a596850b94e59c72c5d5f010f8888 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   ZLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  ZLIB_URL="http://www.zlib.net"
+  ZLIB_URL="https://www.zlib.net"
 fi
 
 fi
@@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
 fi
 
 fi
@@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+  NEWLIB_URL="https://sourceware.org/ftp/newlib"
 fi
 
 fi
@@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LWIP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
 fi
 
 fi
@@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GRUB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GRUB_URL="http://alpha.gnu.org/gnu/grub"
+  GRUB_URL="https://alpha.gnu.org/gnu/grub"
 fi
 
 fi
@@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
 
 if test "x$OCAML_URL" = "x"; then :
 
-	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
 
 fi
 OCAML_VERSION="4.02.0"
@@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GMP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+  GMP_URL="https://gmplib.org/download/gmp/archive"
 fi
 
 fi
@@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
 else
-  POLARSSL_URL="http://polarssl.org/code/releases"
+  POLARSSL_URL="https://polarssl.org/code/releases"
 fi
 
 fi
@@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
 else
-  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
+  TPMEMU_URL="https://download.berlios.de/tpm-emulator"
 fi
 
 fi
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..ab52e00293bee033db9ff7133efd34daa5944c8d 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,15 +55,15 @@ AC_PROG_INSTALL
 AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
 
 # Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
 
 #These stubdoms should be enabled if the dependent one is
 AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 include Config
 
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
 
 # put an updated tar.gz on xenbits after changes to this variable
 IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v4 2/3] Build system: Replace git:// and http:// with https://
Posted by Jan Beulich 1 year, 2 months ago
On 19.02.2023 03:46, Demi Marie Obenour wrote:
> --- a/stubdom/configure
> +++ b/stubdom/configure
> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  ZLIB_URL="http://www.zlib.net"
> +  ZLIB_URL="https://www.zlib.net"
>  fi

In v3 you said that this URL can't be used anymore for the version we're
trying to fetch (which I can confirm). Leaving aside the question of why
stubdom was never updated in that regard, what use is it to update URL
(without even mentioning the aspect in the description) in such a case?
(I haven't gone through any of the other URLs again, so there may well
be more similar cases.)

Jan
Re: [PATCH v4 2/3] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote:
> On 19.02.2023 03:46, Demi Marie Obenour wrote:
> > --- a/stubdom/configure
> > +++ b/stubdom/configure
> > @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  ZLIB_URL="http://www.zlib.net"
> > +  ZLIB_URL="https://www.zlib.net"
> >  fi
> 
> In v3 you said that this URL can't be used anymore for the version we're
> trying to fetch (which I can confirm). Leaving aside the question of why
> stubdom was never updated in that regard, what use is it to update URL
> (without even mentioning the aspect in the description) in such a case?
> (I haven't gone through any of the other URLs again, so there may well
> be more similar cases.)

Main advantage is that it will fail securely rather than downloading
whatever random code an MITM attacker put in there.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v4 2/3] Build system: Replace git:// and http:// with https://
Posted by Jan Beulich 1 year, 2 months ago
On 24.02.2023 23:55, Demi Marie Obenour wrote:
> On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote:
>> On 19.02.2023 03:46, Demi Marie Obenour wrote:
>>> --- a/stubdom/configure
>>> +++ b/stubdom/configure
>>> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
>>>  	if test "x$extfiles" = "xy"; then :
>>>    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
>>>  else
>>> -  ZLIB_URL="http://www.zlib.net"
>>> +  ZLIB_URL="https://www.zlib.net"
>>>  fi
>>
>> In v3 you said that this URL can't be used anymore for the version we're
>> trying to fetch (which I can confirm). Leaving aside the question of why
>> stubdom was never updated in that regard, what use is it to update URL
>> (without even mentioning the aspect in the description) in such a case?
>> (I haven't gone through any of the other URLs again, so there may well
>> be more similar cases.)
> 
> Main advantage is that it will fail securely rather than downloading
> whatever random code an MITM attacker put in there.

As said before (and implied here): At the very least you need to mention
the aspect in the description. But then wouldn't things be failing equally
securely if no (non-working) URL was put in place, or one which is
guaranteed to yield an error but makes obvious that no real URL is meant?

Jan
Re: [PATCH v4 2/3] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
On Mon, Feb 27, 2023 at 09:25:32AM +0100, Jan Beulich wrote:
> On 24.02.2023 23:55, Demi Marie Obenour wrote:
> > On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote:
> >> On 19.02.2023 03:46, Demi Marie Obenour wrote:
> >>> --- a/stubdom/configure
> >>> +++ b/stubdom/configure
> >>> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
> >>>  	if test "x$extfiles" = "xy"; then :
> >>>    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
> >>>  else
> >>> -  ZLIB_URL="http://www.zlib.net"
> >>> +  ZLIB_URL="https://www.zlib.net"
> >>>  fi
> >>
> >> In v3 you said that this URL can't be used anymore for the version we're
> >> trying to fetch (which I can confirm). Leaving aside the question of why
> >> stubdom was never updated in that regard, what use is it to update URL
> >> (without even mentioning the aspect in the description) in such a case?
> >> (I haven't gone through any of the other URLs again, so there may well
> >> be more similar cases.)
> > 
> > Main advantage is that it will fail securely rather than downloading
> > whatever random code an MITM attacker put in there.
> 
> As said before (and implied here): At the very least you need to mention
> the aspect in the description. But then wouldn't things be failing equally
> securely if no (non-working) URL was put in place, or one which is
> guaranteed to yield an error but makes obvious that no real URL is meant?

https://lists.xenproject.org/archives/html/xen-devel/2023-02/msg01439.html
("[PATCH v5 3/5] Build system: Do not try to use broken links") does
exactly that.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v4 3/3] Automation and CI: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in automation and CI.
All URLs are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 README                                       | 4 ++--
 automation/build/centos/CentOS-7.2.repo      | 8 ++++----
 automation/build/debian/stretch-llvm-8.list  | 4 ++--
 automation/build/debian/unstable-llvm-8.list | 4 ++--
 automation/scripts/qemu-smoke-dom0-arm32.sh  | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/README b/README
index 755b3d8eaf8f7a58a945b7594e68a3fe455a7bdf..f8cc426f78d690f37e013242e81d4e440556c330 100644
--- a/README
+++ b/README
@@ -181,7 +181,7 @@ Python Runtime Libraries
 Various tools, such as pygrub, have the following runtime dependencies:
 
     * Python 2.6 or later.
-          URL:    http://www.python.org/
+          URL:    https://www.python.org/
           Debian: python
 
 Note that the build system expects `python` to be available. If your system
@@ -197,7 +197,7 @@ Intel(R) Trusted Execution Technology Support
 Intel's technology for safer computing, Intel(R) Trusted Execution Technology
 (Intel(R) TXT), defines platform-level enhancements that provide the building
 blocks for creating trusted platforms.  For more information, see
-http://www.intel.com/technology/security/.
+https://www.intel.com/technology/security/.
 
 Intel(R) TXT support is provided by the Trusted Boot (tboot) module in
 conjunction with minimal logic in the Xen hypervisor.
diff --git a/automation/build/centos/CentOS-7.2.repo b/automation/build/centos/CentOS-7.2.repo
index 4da27faeb5fa863fd4e140cbeaad308b9a543b86..8e37da1a03f839c486eb9bd0af46716cfb9086e0 100644
--- a/automation/build/centos/CentOS-7.2.repo
+++ b/automation/build/centos/CentOS-7.2.repo
@@ -6,28 +6,28 @@
 
 [base]
 name=CentOS-7.2.1511 - Base
-baseurl=http://vault.centos.org/7.2.1511/os/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/os/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 
 #released updates 
 [updates]
 name=CentOS-7.2.1511 - Updates
-baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/updates/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 
 #additional packages that may be useful
 [extras]
 name=CentOS-7.2.1511 - Extras
-baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/extras/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 
 #additional packages that extend functionality of existing packages
 [centosplus]
 name=CentOS-7.2.1511 - Plus
-baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/centosplus/$basearch/
 gpgcheck=1
 gpgcheck=1
 enabled=0
diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
index 09fe843fb2a31ae38f752d7c8c71cf97f5b14513..590001ca81e826ab624ba9185423adf4b0c51a21 100644
--- a/automation/build/debian/stretch-llvm-8.list
+++ b/automation/build/debian/stretch-llvm-8.list
@@ -1,3 +1,3 @@
 # Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb-src https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
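Review bot: the deb and deb-src entries now depend on HTTPS support in the image's apt, and the diffstat for this patch touches no file that builds the stretch image. Please confirm that the container installs apt-transport-https and ca-certificates before stretch-llvm-8.list is read, since apt on stretch has no https method without that package and apt-get update would then fail on these two lines.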
diff --git a/automation/build/debian/unstable-llvm-8.list b/automation/build/debian/unstable-llvm-8.list
index dc119fa0b4df1bd6e742c42776710abcd6deaa86..1db1598997429d7a14d3fcd8f0f8152aa6d40b8a 100644
--- a/automation/build/debian/unstable-llvm-8.list
+++ b/automation/build/debian/unstable-llvm-8.list
@@ -1,3 +1,3 @@
 # Unstable LLVM 8 repos
-deb http://apt.llvm.org/unstable/ llvm-toolchain-8 main
-deb-src http://apt.llvm.org/unstable/ llvm-toolchain-8 main
+deb https://apt.llvm.org/unstable/ llvm-toolchain-8 main
+deb-src https://apt.llvm.org/unstable/ llvm-toolchain-8 main
diff --git a/automation/scripts/qemu-smoke-dom0-arm32.sh b/automation/scripts/qemu-smoke-dom0-arm32.sh
index 98e4d481f65c2b29ac935ddf6247132ddf94fa1d..950ad3a0daa63d66fc8647c0a390ff59c2f22b1a 100755
--- a/automation/scripts/qemu-smoke-dom0-arm32.sh
+++ b/automation/scripts/qemu-smoke-dom0-arm32.sh
@@ -4,7 +4,7 @@ set -ex
 
 cd binaries
 # Use the kernel from Debian
-curl --fail --silent --show-error --location --output vmlinuz http://http.us.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
+curl --fail --silent --show-error --location --output vmlinuz https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
 # Use a tiny initrd based on busybox from Alpine Linux
 curl --fail --silent --show-error --location --output initrd.tar.gz https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/armhf/alpine-minirootfs-3.15.1-armhf.tar.gz
 
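Review bot: on the vmlinuz download line the host changes as well as the scheme (http.us.debian.org becomes ftp.debian.org), and the commit message does not mention it; please note the mirror change there. Because the command keeps --location, a redirect from https to plain http would still be followed, so consider adding --proto '=https' --proto-redir '=https' to this curl call and to the Alpine one in the context below. The downloaded kernel is also still used without a check against a known hash.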
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v3 1/4] Use HTTPS for all xenbits.xen.org Git repos
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories.  It was generated with the following shell script:

    git ls-files -z |
    xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

All altered links have been tested and are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk                                  | 18 +++++-------------
 docs/misc/livepatch.pandoc                 |  2 +-
 docs/process/xen-release-management.pandoc |  2 +-
 scripts/get_maintainer.pl                  |  2 +-
 4 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
 QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
 endif
 
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
 OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
 QEMU_UPSTREAM_REVISION ?= master
 MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
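Review bot: with the ifeq ($(GIT_HTTP),y) block removed, GIT_HTTP no longer selects anything in this file, but the diffstat shows no change to whatever sets or documents that variable; please remove or deprecate the remaining references in the same series so users are not left with a switch that does nothing. Separately, QEMU_UPSTREAM_REVISION ?= master in the trailing context stays a moving branch, unlike the pinned OVMF and Mini-OS commit ids, so for that clone the TLS transport is the only integrity guarantee.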
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
 This is implemented in a seperate tool which lives in a seperate
 GIT repo.
 
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
 
 ### Exception tables and symbol tables growth
 
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
 
 Xen X.Y rcZ is tagged. You can check that out from xen.git:
 
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
 
 For your convenience there is also a tarball at:
 https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
 	warn("$P: No supported VCS found.  Add --nogit to options?\n");
 	warn("Using a git repository produces better results.\n");
 	warn("Try latest git repository using:\n");
-	warn("git clone git://xenbits.xen.org/xen.git\n");
+	warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
 	$printed_novcs = 1;
     }
     return 0;
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
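The sed one-liner in the commit message above rewrites only xenbits.xen.org URLs. As an added example (not part of the patch series or the Xen tree), the following check lists any git://, http:// or ftp:// URL left in a directory so CI can fail when one is reintroduced; the function names and the namespace-host allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Xen patch series: list URLs in a source tree
# that still use an unauthenticated transport (git://, http://, ftp://).

# \< keeps "sftp://" from matching as "ftp://"; "https://" never matches
# because "://" must directly follow the scheme name.
URL_RE='\<(git|http|ftp)://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+'

# Assumption of this example: hosts whose http:// URLs are identifiers
# (XML namespaces), not download locations.
ALLOWED_HOSTS_RE='^(www\.w3\.org|schemas\.xmlsoap\.org)$'

# find_insecure_urls DIR
# Prints one "file:line:url" record per offending URL. Binary files are
# skipped (-I). File names are assumed not to contain ':'.
find_insecure_urls() {
    grep -rInoE "$URL_RE" -- "$1" 2>/dev/null |
    while IFS= read -r hit; do
        url=${hit#*:*:}            # drop the "file:line:" prefix
        host=${url#*://}           # drop the scheme
        host=${host%%[/:?#]*}      # keep only the host part
        if printf '%s\n' "$host" | grep -qE "$ALLOWED_HOSTS_RE"; then
            continue               # identifier URI, not a download
        fi
        printf '%s\n' "$hit"
    done
}

# count_insecure_urls DIR
# Prints the number of offending URLs found under DIR.
count_insecure_urls() {
    find_insecure_urls "$1" | wc -l | tr -d ' '
}

# check_tree DIR
# CI gate: returns 0 when the tree is clean, otherwise prints the hits to
# stderr and returns 1.
check_tree() {
    hits=$(find_insecure_urls "$1")
    [ -z "$hits" ] && return 0
    printf 'insecure transport URLs found:\n%s\n' "$hits" >&2
    return 1
}
```

In a CI job, `check_tree .` run from the repository root fails the job when a plaintext fetch URL is added back.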
[PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.  I also found that the old zlib used in
the I/O emulator stubdomain can no longer be obtained from
https://www.zlib.net and that the TPM emulator and PolarSSL (used by the
vTPM and vTPM manager stubdomains) can no longer be obtained from their
respective original URLs.  Therefore, configure will now error out
instead of trying to download them.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk                         |  2 +-
 stubdom/configure                 | 24 +++++++++++++++---------
 stubdom/configure.ac              | 24 +++++++++++++++---------
 tools/firmware/etherboot/Makefile |  6 +-----
 4 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
 # near the place in the Xen Makefiles where the file is used.
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..e40aca9afd0de2c5074978d654d4e78f4f63e3d2 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   ZLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  ZLIB_URL="http://www.zlib.net"
+  ZLIB_URL="https://www.zlib.net"
 fi
 
 fi
@@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
 fi
 
 fi
@@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+  NEWLIB_URL="https://sourceware.org/ftp/newlib"
 fi
 
 fi
@@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LWIP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
 fi
 
 fi
@@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GRUB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GRUB_URL="http://alpha.gnu.org/gnu/grub"
+  GRUB_URL="https://alpha.gnu.org/gnu/grub"
 fi
 
 fi
@@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
 
 if test "x$OCAML_URL" = "x"; then :
 
-	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
 
 fi
 OCAML_VERSION="4.02.0"
@@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GMP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+  GMP_URL="https://gmplib.org/download/gmp/archive"
 fi
 
 fi
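Review bot: GMP_URL moves from a version-specific directory (pub/gmp-4.3.2 on ftp.gmplib.org) to a shared one (download/gmp/archive on gmplib.org), so this is a relocation and not only a scheme change. Please confirm that the 4.3.2 tarball the build requests is actually served from the new directory, and mention the relocation in the commit message next to the redirect cases.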
@@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
 else
-  POLARSSL_URL="http://polarssl.org/code/releases"
+  POLARSSL_URL="https://polarssl.org/code/releases"
 fi
 
 fi
@@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
 else
-  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
+  TPMEMU_URL="https://download.berlios.de/tpm-emulator"
 fi
 
 fi
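Review bot: the commit message says the TPM emulator and PolarSSL can no longer be fetched from their original sites and that the old zlib is gone from www.zlib.net, yet TPMEMU_URL here, and POLARSSL_URL and ZLIB_URL in the earlier hunks, are still rewritten to an https:// form of the same hosts. A default that is known not to serve the file should not be left looking valid; either leave these three defaults untouched in this patch or remove the fallback and rely on the explicit error.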
@@ -3669,6 +3669,12 @@ vtpmmgr="n"
 fi
 
 
+if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
+    if test "x$extfiles" != xy; then
+        as_fn_error $? "Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs" "$LINENO" 5
+    fi
+fi
+
 #Conditionally enable these stubdoms based on the presense of dependencies
 
 if test "x$vtpm" = "xy" || test "x$vtpm" = "x"; then :
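Review bot: the added test compares with != xn, so it also fires when $vtpm, $vtpmmgr or $ioemu is empty, and the trailing context line (test "x$vtpm" = "x") shows that empty is a normal auto-detect state at this point. With extfiles disabled, a build that never asked for these stubdomains now aborts; test for = xy, or move the check after the conditional enable logic so it only triggers for stubdomains that will actually be built. Since stubdom/configure is generated, the same fix belongs in configure.ac and this file should simply be regenerated.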
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..d27f2bc1f17140ab41a687e1e8faaa66e2b4483b 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,19 +55,25 @@ AC_PROG_INSTALL
 AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
 
 # Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
 
 #These stubdoms should be enabled if the dependent one is
 AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
 
+if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
+    if test "x$extfiles" != xy; then
+        AC_MSG_ERROR([Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs])
+    fi
+fi
+
 #Conditionally enable these stubdoms based on the presense of dependencies
 AX_STUBDOM_CONDITIONAL_FINISH([vtpm-stubdom], [vtpm])
 AX_STUBDOM_CONDITIONAL_FINISH([vtpmmgr-stubdom], [vtpmmgr])
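Review bot: the added test looks only at $extfiles, but each AX_STUBDOM_LIB default is applied only when the corresponding variable is empty (the generated configure shows test "x$ZLIB_URL" = "x"), so a user who supplies ZLIB_URL, POLARSSL_URL and TPMEMU_URL from the environment has a working source and is now rejected. Skip the error when those variables are set, report each missing source separately instead of one combined message, and put this behaviour change in its own patch rather than in the URL rewrite.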
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 include Config
 
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
 
 # put an updated tar.gz on xenbits after changes to this variable
 IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
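Review bot: IPXE_GIT_URL changes upstream host, from git.ipxe.org to github.com/ipxe/ipxe.git, which is more than the scheme swap the subject line describes; please call that out in the commit message. The clone stays pinned by the full commit id in IPXE_GIT_TAG, which is what keeps the host switch low risk, and the context comment about putting an updated tar.gz on xenbits still applies when that tag changes.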
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Marek Marczykowski-Górecki 1 year, 2 months ago
On Fri, Feb 17, 2023 at 04:35:25PM -0500, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatantly obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
> 
> This patch enforces the use of secure transports in the build system.
> Some URLs returned 301 or 302 redirects, so I replaced them with the
> URLs that were redirected to. 

https://gitlab.com/xen-project/patchew/xen/-/pipelines/781679811

I'm a bit confused about debian build errors:

    ERROR: The certificate of 'xenbits.xen.org' is not trusted.
    ERROR: The certificate of 'xenbits.xen.org' has expired.

Is the clock on the gitlab runners (way) off?

>  I also found that the old zlib used in
> the I/O emulator stubdomain can no longer be obtained from
> https://www.zlib.net and that the TPM emulator and PolarSSL (used by the
> vTPM and vTPM manager stubdomains) can no longer be obtained from their
> respective original URLs.  Therefore, configure will now error out
> instead of trying to download them.

First of all, such a change definitely wants a separate patch;
de-supporting some configurations does not belong in a "Replace git:// and
http:// with https://" patch. But then, I don't think that's the correct
approach. It is a bug to be fixed, instead of breaking it even more.
The configure script already supports Xen's mirror, and I think it's even
enabled by default (see --enable-extfiles), and it also supports providing
an alternative download location (via env variables). So it seems your
change here in fact breaks something that was working before...

> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> ---
>  Config.mk                         |  2 +-
>  stubdom/configure                 | 24 +++++++++++++++---------
>  stubdom/configure.ac              | 24 +++++++++++++++---------
>  tools/firmware/etherboot/Makefile |  6 +-----
>  4 files changed, 32 insertions(+), 24 deletions(-)
> 
> diff --git a/Config.mk b/Config.mk
> index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
> --- a/Config.mk
> +++ b/Config.mk
> @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>  
> -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
>  # All the files at that location were downloaded from elsewhere on
>  # the internet.  The original download URL is preserved as a comment
>  # near the place in the Xen Makefiles where the file is used.
> diff --git a/stubdom/configure b/stubdom/configure
> index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..e40aca9afd0de2c5074978d654d4e78f4f63e3d2 100755
> --- a/stubdom/configure
> +++ b/stubdom/configure
> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  ZLIB_URL="http://www.zlib.net"
> +  ZLIB_URL="https://www.zlib.net"
>  fi
>  
>  fi
> @@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> +  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
>  fi
>  
>  fi
> @@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
> +  NEWLIB_URL="https://sourceware.org/ftp/newlib"
>  fi
>  
>  fi
> @@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    LWIP_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
> +  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
>  fi
>  
>  fi
> @@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    GRUB_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  GRUB_URL="http://alpha.gnu.org/gnu/grub"
> +  GRUB_URL="https://alpha.gnu.org/gnu/grub"
>  fi
>  
>  fi
> @@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
>  
>  if test "x$OCAML_URL" = "x"; then :
>  
> -	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
> +	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
>  
>  fi
>  OCAML_VERSION="4.02.0"
> @@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    GMP_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
> +  GMP_URL="https://gmplib.org/download/gmp/archive"
>  fi
>  
>  fi
> @@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  POLARSSL_URL="http://polarssl.org/code/releases"
> +  POLARSSL_URL="https://polarssl.org/code/releases"
>  fi
>  
>  fi
> @@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
> +  TPMEMU_URL="https://download.berlios.de/tpm-emulator"
>  fi
>  
>  fi
> @@ -3669,6 +3669,12 @@ vtpmmgr="n"
>  fi
>  
>  
> +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> +    if test "x$extfiles" != xy; then
> +        as_fn_error $? "Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs" "$LINENO" 5
> +    fi
> +fi
> +
>  #Conditionally enable these stubdoms based on the presense of dependencies
>  
>  if test "x$vtpm" = "xy" || test "x$vtpm" = "x"; then :
> diff --git a/stubdom/configure.ac b/stubdom/configure.ac
> index e20d99edac0da88098f4806333edde9f31dbc1a7..d27f2bc1f17140ab41a687e1e8faaa66e2b4483b 100644
> --- a/stubdom/configure.ac
> +++ b/stubdom/configure.ac
> @@ -55,19 +55,25 @@ AC_PROG_INSTALL
>  AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
>  
>  # Stubdom libraries version and url setup
> -AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
> -AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
> -AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
> -AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
> -AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
> -AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
> -AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
> -AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
> -AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
> +AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
> +AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
> +AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
> +AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
> +AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
> +AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
> +AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
> +AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
> +AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
>  
>  #These stubdoms should be enabled if the dependent one is
>  AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
>  
> +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> +    if test "x$extfiles" != xy; then
> +        AC_MSG_ERROR([Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs])
> +    fi
> +fi
> +
>  #Conditionally enable these stubdoms based on the presense of dependencies
>  AX_STUBDOM_CONDITIONAL_FINISH([vtpm-stubdom], [vtpm])
>  AX_STUBDOM_CONDITIONAL_FINISH([vtpmmgr-stubdom], [vtpmmgr])
> diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
> index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
> --- a/tools/firmware/etherboot/Makefile
> +++ b/tools/firmware/etherboot/Makefile
> @@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
>  include $(XEN_ROOT)/tools/Rules.mk
>  include Config
>  
> -ifeq ($(GIT_HTTP),y)
> -IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
> -else
> -IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
> -endif
> +IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
>  
>  # put an updated tar.gz on xenbits after changes to this variable
>  IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
> -- 
> Sincerely,
> Demi Marie Obenour (she/her/hers)
> Invisible Things Lab
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
Re: [PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Andrew Cooper 1 year, 2 months ago
On 18/02/2023 2:10 pm, Marek Marczykowski-Górecki wrote:
> On Fri, Feb 17, 2023 at 04:35:25PM -0500, Demi Marie Obenour wrote:
>> Obtaining code over an insecure transport is a terrible idea for
>> blatantly obvious reasons.  Even for non-executable data, insecure
>> transports are considered deprecated.
>>
>> This patch enforces the use of secure transports in the build system.
>> Some URLs returned 301 or 302 redirects, so I replaced them with the
>> URLs that were redirected to. 
> https://gitlab.com/xen-project/patchew/xen/-/pipelines/781679811
>
> I'm a bit confused about debian build errors:
>
>     ERROR: The certificate of 'xenbits.xen.org' is not trusted.
>     ERROR: The certificate of 'xenbits.xen.org' has expired.
>
> Is the clock on the gitlab runners (way) off?

https://lore.kernel.org/xen-devel/20230215120208.35807-1-anthony.perard@citrix.com/T/#u

~Andrew

Re: [PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Marek Marczykowski-Górecki 1 year, 2 months ago
On Sat, Feb 18, 2023 at 03:10:16PM +0100, Marek Marczykowski-Górecki wrote:
> On Fri, Feb 17, 2023 at 04:35:25PM -0500, Demi Marie Obenour wrote:
> > Obtaining code over an insecure transport is a terrible idea for
> > blatantly obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> > 
> > This patch enforces the use of secure transports in the build system.
> > Some URLs returned 301 or 302 redirects, so I replaced them with the
> > URLs that were redirected to. 
> 
> https://gitlab.com/xen-project/patchew/xen/-/pipelines/781679811
> 
> I'm a bit confused about debian build errors:
> 
>     ERROR: The certificate of 'xenbits.xen.org' is not trusted.
>     ERROR: The certificate of 'xenbits.xen.org' has expired.
> 
> Is the clock on the gitlab runners (way) off?
> 
> >  I also found that the old zlib used in
> > the I/O emulator stubdomain can no longer be obtained from
> > https://www.zlib.net and that the TPM emulator and PolarSSL (used by the
> > vTPM and vTPM manager stubdomains) can no longer be obtained from their
> > respective original URLs.  Therefore, configure will now error out
> > instead of trying to download them.
> 
> First of all, such a change definitely wants a separate patch;
> de-supporting some configurations does not belong in a "Replace git:// and
> http:// with https://" patch. But then, I don't think that's the correct
> approach. It is a bug to be fixed, instead of breaking it even more.
> The configure script already supports Xen's mirror, and I think it's even
> enabled by default (see --enable-extfiles), and it also supports providing
> an alternative download location (via env variables). So it seems your
> change here in fact breaks something that was working before...

Ah, you do take --enable-extfiles into account. But an alternative
URL can still be provided by an env variable.

> > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> > ---
> >  Config.mk                         |  2 +-
> >  stubdom/configure                 | 24 +++++++++++++++---------
> >  stubdom/configure.ac              | 24 +++++++++++++++---------
> >  tools/firmware/etherboot/Makefile |  6 +-----
> >  4 files changed, 32 insertions(+), 24 deletions(-)
> > 
> > diff --git a/Config.mk b/Config.mk
> > index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
> > --- a/Config.mk
> > +++ b/Config.mk
> > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
> >  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
> >  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
> >  
> > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
> >  # All the files at that location were downloaded from elsewhere on
> >  # the internet.  The original download URL is preserved as a comment
> >  # near the place in the Xen Makefiles where the file is used.
> > diff --git a/stubdom/configure b/stubdom/configure
> > index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..e40aca9afd0de2c5074978d654d4e78f4f63e3d2 100755
> > --- a/stubdom/configure
> > +++ b/stubdom/configure
> > @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  ZLIB_URL="http://www.zlib.net"
> > +  ZLIB_URL="https://www.zlib.net"
> >  fi
> >  
> >  fi
> > @@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> > +  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
> >  fi
> >  
> >  fi
> > @@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
> > +  NEWLIB_URL="https://sourceware.org/ftp/newlib"
> >  fi
> >  
> >  fi
> > @@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    LWIP_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
> > +  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
> >  fi
> >  
> >  fi
> > @@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    GRUB_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  GRUB_URL="http://alpha.gnu.org/gnu/grub"
> > +  GRUB_URL="https://alpha.gnu.org/gnu/grub"
> >  fi
> >  
> >  fi
> > @@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
> >  
> >  if test "x$OCAML_URL" = "x"; then :
> >  
> > -	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
> > +	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
> >  
> >  fi
> >  OCAML_VERSION="4.02.0"
> > @@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    GMP_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
> > +  GMP_URL="https://gmplib.org/download/gmp/archive"
> >  fi
> >  
> >  fi
> > @@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  POLARSSL_URL="http://polarssl.org/code/releases"
> > +  POLARSSL_URL="https://polarssl.org/code/releases"
> >  fi
> >  
> >  fi
> > @@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
> > +  TPMEMU_URL="https://download.berlios.de/tpm-emulator"
> >  fi
> >  
> >  fi
> > @@ -3669,6 +3669,12 @@ vtpmmgr="n"
> >  fi
> >  
> >  
> > +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> > +    if test "x$extfiles" != xy; then
> > +        as_fn_error $? "Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs" "$LINENO" 5
> > +    fi
> > +fi
> > +
> >  #Conditionally enable these stubdoms based on the presense of dependencies
> >  
> >  if test "x$vtpm" = "xy" || test "x$vtpm" = "x"; then :
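Review bot: The new check fires whenever $vtpm, $vtpmmgr or $ioemu is anything other than n, but the unchanged line right after it treats an empty $vtpm as "auto-detect" (it accepts both xy and x). A configure run that never mentions these stubdomains and does not set extfiles therefore looks like it now stops with an error. If only explicit requests should fail, compare against xy instead. Either way, the message should name the remedy: set extfiles or disable the three stubdomains.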
> > diff --git a/stubdom/configure.ac b/stubdom/configure.ac
> > index e20d99edac0da88098f4806333edde9f31dbc1a7..d27f2bc1f17140ab41a687e1e8faaa66e2b4483b 100644
> > --- a/stubdom/configure.ac
> > +++ b/stubdom/configure.ac
> > @@ -55,19 +55,25 @@ AC_PROG_INSTALL
> >  AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
> >  
> >  # Stubdom libraries version and url setup
> > -AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
> > -AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
> > -AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
> > -AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
> > -AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
> > -AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
> > -AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
> > -AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
> > -AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
> > +AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
> > +AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
> > +AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
> > +AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
> > +AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
> > +AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
> > +AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
> > +AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
> > +AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
> >  
> >  #These stubdoms should be enabled if the dependent one is
> >  AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
> >  
> > +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> > +    if test "x$extfiles" != xy; then
> > +        AC_MSG_ERROR([Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs])
> > +    fi
> > +fi
> > +
> >  #Conditionally enable these stubdoms based on the presense of dependencies
> >  AX_STUBDOM_CONDITIONAL_FINISH([vtpm-stubdom], [vtpm])
> >  AX_STUBDOM_CONDITIONAL_FINISH([vtpmmgr-stubdom], [vtpmmgr])
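Review bot: The added AC_MSG_ERROR says the sources are no longer at their original URLs, yet the same hunk rewrites all nine AX_STUBDOM_LIB URLs to https without marking which ones are gone. A comment beside the affected entries, or dropping their default URL, would keep the list and the error consistent. The raw shell if/fi would also be more conventional as AS_IF in configure.ac.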
> > diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
> > index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
> > --- a/tools/firmware/etherboot/Makefile
> > +++ b/tools/firmware/etherboot/Makefile
> > @@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
> >  include $(XEN_ROOT)/tools/Rules.mk
> >  include Config
> >  
> > -ifeq ($(GIT_HTTP),y)
> > -IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
> > -else
> > -IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
> > -endif
> > +IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
> >  
> >  # put an updated tar.gz on xenbits after changes to this variable
> >  IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
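Review bot: IPXE_GIT_URL now points at a different host (github.com/ipxe instead of git.ipxe.org), and the GIT_HTTP conditional disappears from this Makefile. Both deserve a sentence in the commit message, and any remaining documentation of GIT_HTTP should be checked. The fetch stays pinned by the full commit hash in IPXE_GIT_TAG, which is what actually fixes the content being built.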
> > -- 
> > Sincerely,
> > Demi Marie Obenour (she/her/hers)
> > Invisible Things Lab
> > 
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab



-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
[PATCH v3 3/4] Automation and CI: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 1 year, 2 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in automation and CI.
All URLs are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 README                                       | 4 ++--
 automation/build/centos/CentOS-7.2.repo      | 8 ++++----
 automation/build/debian/stretch-llvm-8.list  | 4 ++--
 automation/build/debian/unstable-llvm-8.list | 4 ++--
 automation/scripts/qemu-smoke-dom0-arm32.sh  | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/README b/README
index 755b3d8eaf8f7a58a945b7594e68a3fe455a7bdf..f8cc426f78d690f37e013242e81d4e440556c330 100644
--- a/README
+++ b/README
@@ -181,7 +181,7 @@ Python Runtime Libraries
 Various tools, such as pygrub, have the following runtime dependencies:
 
     * Python 2.6 or later.
-          URL:    http://www.python.org/
+          URL:    https://www.python.org/
           Debian: python
 
 Note that the build system expects `python` to be available. If your system
@@ -197,7 +197,7 @@ Intel(R) Trusted Execution Technology Support
 Intel's technology for safer computing, Intel(R) Trusted Execution Technology
 (Intel(R) TXT), defines platform-level enhancements that provide the building
 blocks for creating trusted platforms.  For more information, see
-http://www.intel.com/technology/security/.
+https://www.intel.com/technology/security/.
 
 Intel(R) TXT support is provided by the Trusted Boot (tboot) module in
 conjunction with minimal logic in the Xen hypervisor.
diff --git a/automation/build/centos/CentOS-7.2.repo b/automation/build/centos/CentOS-7.2.repo
index 4da27faeb5fa863fd4e140cbeaad308b9a543b86..8e37da1a03f839c486eb9bd0af46716cfb9086e0 100644
--- a/automation/build/centos/CentOS-7.2.repo
+++ b/automation/build/centos/CentOS-7.2.repo
@@ -6,28 +6,28 @@
 
 [base]
 name=CentOS-7.2.1511 - Base
-baseurl=http://vault.centos.org/7.2.1511/os/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/os/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 
 #released updates 
 [updates]
 name=CentOS-7.2.1511 - Updates
-baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/updates/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 
 #additional packages that may be useful
 [extras]
 name=CentOS-7.2.1511 - Extras
-baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/extras/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 
 #additional packages that extend functionality of existing packages
 [centosplus]
 name=CentOS-7.2.1511 - Plus
-baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/centosplus/$basearch/
 gpgcheck=1
 gpgcheck=1
 enabled=0
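Review bot: In the [centosplus] context at the end of this hunk, gpgcheck=1 appears twice and there is no gpgkey= line, unlike [base], [updates] and [extras]. That predates this patch, but since the stanza is being touched, the second line could become gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 so that signature checking has a key to use if the repo is ever enabled.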
diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
index 09fe843fb2a31ae38f752d7c8c71cf97f5b14513..590001ca81e826ab624ba9185423adf4b0c51a21 100644
--- a/automation/build/debian/stretch-llvm-8.list
+++ b/automation/build/debian/stretch-llvm-8.list
@@ -1,3 +1,3 @@
 # Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb-src https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
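Review bot: Switching these stretch entries to https makes apt depend on HTTPS transport support and a CA bundle inside the container. Please confirm that the stretch image installs apt-transport-https and ca-certificates before this list is read, otherwise the image build can fail at the first apt update. The "Strech" typo in the comment line could be fixed while here.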
diff --git a/automation/build/debian/unstable-llvm-8.list b/automation/build/debian/unstable-llvm-8.list
index dc119fa0b4df1bd6e742c42776710abcd6deaa86..1db1598997429d7a14d3fcd8f0f8152aa6d40b8a 100644
--- a/automation/build/debian/unstable-llvm-8.list
+++ b/automation/build/debian/unstable-llvm-8.list
@@ -1,3 +1,3 @@
 # Unstable LLVM 8 repos
-deb http://apt.llvm.org/unstable/ llvm-toolchain-8 main
-deb-src http://apt.llvm.org/unstable/ llvm-toolchain-8 main
+deb https://apt.llvm.org/unstable/ llvm-toolchain-8 main
+deb-src https://apt.llvm.org/unstable/ llvm-toolchain-8 main
diff --git a/automation/scripts/qemu-smoke-dom0-arm32.sh b/automation/scripts/qemu-smoke-dom0-arm32.sh
index 98e4d481f65c2b29ac935ddf6247132ddf94fa1d..950ad3a0daa63d66fc8647c0a390ff59c2f22b1a 100755
--- a/automation/scripts/qemu-smoke-dom0-arm32.sh
+++ b/automation/scripts/qemu-smoke-dom0-arm32.sh
@@ -4,7 +4,7 @@ set -ex
 
 cd binaries
 # Use the kernel from Debian
-curl --fail --silent --show-error --location --output vmlinuz http://http.us.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
+curl --fail --silent --show-error --location --output vmlinuz https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
 # Use a tiny initrd based on busybox from Alpine Linux
 curl --fail --silent --show-error --location --output initrd.tar.gz https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/armhf/alpine-minirootfs-3.15.1-armhf.tar.gz
 
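Review bot: The vmlinuz download changes host (http.us.debian.org to ftp.debian.org) as well as scheme, which the commit message does not mention. It also fetches from the moving "current" directory with no checksum, so TLS authenticates the mirror but nothing pins the kernel image the smoke test boots. Pinning a specific installer version and checking its SHA-256 would make the test reproducible.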
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[PATCH v3 4/4] Rip out HyperTransport
Posted by Demi Marie Obenour 1 year, 2 months ago
It is not used and the website is gone.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 xen/include/xen/pci_regs.h | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/xen/include/xen/pci_regs.h b/xen/include/xen/pci_regs.h
index a90aff1712bafc6ed87296858803d16c253e7b53..2b37fe2a464345877faa99a9dce695998910b6bf 100644
--- a/xen/include/xen/pci_regs.h
+++ b/xen/include/xen/pci_regs.h
@@ -12,11 +12,6 @@
  *	PCI Local Bus Specification
  *	PCI to PCI Bridge Specification
  *	PCI System Design Guide
- *
- * 	For hypertransport information, please consult the following manuals
- * 	from http://www.hypertransport.org
- *
- *	The Hypertransport I/O Link Specification
  */
 
 #ifndef LINUX_PCI_REGS_H
@@ -529,38 +524,6 @@
 #define  PCI_VNDR_HEADER_REV(x)	(((x) >> 16) & 0xf)
 #define  PCI_VNDR_HEADER_LEN(x)	(((x) >> 20) & 0xfff)
 
-/*
- * Hypertransport sub capability types
- *
- * Unfortunately there are both 3 bit and 5 bit capability types defined
- * in the HT spec, catering for that is a little messy. You probably don't
- * want to use these directly, just use pci_find_ht_capability() and it
- * will do the right thing for you.
- */
-#define HT_3BIT_CAP_MASK	0xE0
-#define HT_CAPTYPE_SLAVE	0x00	/* Slave/Primary link configuration */
-#define HT_CAPTYPE_HOST		0x20	/* Host/Secondary link configuration */
-
-#define HT_5BIT_CAP_MASK	0xF8
-#define HT_CAPTYPE_IRQ		0x80	/* IRQ Configuration */
-#define HT_CAPTYPE_REMAPPING_40	0xA0	/* 40 bit address remapping */
-#define HT_CAPTYPE_REMAPPING_64 0xA2	/* 64 bit address remapping */
-#define HT_CAPTYPE_UNITID_CLUMP	0x90	/* Unit ID clumping */
-#define HT_CAPTYPE_EXTCONF	0x98	/* Extended Configuration Space Access */
-#define HT_CAPTYPE_MSI_MAPPING	0xA8	/* MSI Mapping Capability */
-#define  HT_MSI_FLAGS		0x02		/* Offset to flags */
-#define  HT_MSI_FLAGS_ENABLE	0x1		/* Mapping enable */
-#define  HT_MSI_FLAGS_FIXED	0x2		/* Fixed mapping only */
-#define  HT_MSI_FIXED_ADDR	0x00000000FEE00000ULL	/* Fixed addr */
-#define  HT_MSI_ADDR_LO		0x04		/* Offset to low addr bits */
-#define  HT_MSI_ADDR_LO_MASK	0xFFF00000	/* Low address bit mask */
-#define  HT_MSI_ADDR_HI		0x08		/* Offset to high addr bits */
-#define HT_CAPTYPE_DIRECT_ROUTE	0xB0	/* Direct routing configuration */
-#define HT_CAPTYPE_VCSET	0xB8	/* Virtual Channel configuration */
-#define HT_CAPTYPE_ERROR_RETRY	0xC0	/* Retry on error configuration */
-#define HT_CAPTYPE_GEN3		0xD0	/* Generation 3 hypertransport configuration */
-#define HT_CAPTYPE_PM		0xE0	/* Hypertransport powermanagement configuration */
-
 /* Access Control Service */
 #define PCI_ACS_CAP		0x04	/* ACS Capability Register */
 #define  PCI_ACS_SV		0x01	/* Source Validation */
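Review bot: The commit message says the HyperTransport definitions are not used, but the removed comment points readers at pci_find_ht_capability(). Please state that a search found no remaining users of that helper or of any HT_* macro. The include guard LINUX_PCI_REGS_H suggests this header tracks Linux, so the commit message should also note the deliberate divergence.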
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v2 0/4] Stop using insecure transports
Posted by Jan Beulich 1 year, 2 months ago
On 08.02.2023 21:58, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatantly obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
> 
> Demi Marie Obenour (4):
>   Build system: Replace git:// and http:// with https://
>   Automation and CI: Replace git:// and http:// with https://
>   Miscellaneous and documentation: Only use TLS-protected transports
>   GPL License Boilerplate: Switch from HTTP to HTTPS

Mind me asking what changed from v1? Neither here nor in the individual
patches there's any information about that. Yet especially for the
voluminous patches it would be quite relevant, to avoid reviewers needing
to go through everything again that they may have checked already.

Furthermore I'd like to ask that in submissions of new versions you drop
recipients whose email addresses bounce. Like I did get bounces from
Quan Xu's, I'd expect you did as well.

Thanks, Jan