Config.mk | 20 ++++------- README | 4 +-- automation/build/centos/CentOS-7.2.repo | 8 ++--- automation/build/debian/stretch-llvm-8.list | 4 +-- automation/build/debian/unstable-llvm-8.list | 4 +-- automation/scripts/qemu-smoke-dom0-arm32.sh | 2 +- docs/misc/livepatch.pandoc | 2 +- docs/process/xen-release-management.pandoc | 2 +- scripts/get_maintainer.pl | 2 +- stubdom/configure | 24 ++++++++----- stubdom/configure.ac | 24 ++++++++----- tools/firmware/etherboot/Makefile | 6 +--- xen/include/xen/pci_regs.h | 37 -------------------- 13 files changed, 51 insertions(+), 88 deletions(-)
Obtaining code over an insecure transport is a terrible idea for blatently obvious reasons. Even for non-executable data, insecure transports are considered deprecated. Changes since v2: - Drop patches 5 and 6, which changed links not used by automated tools. These patches are the least urgent and hardest to review. - Ensure that no links are broken, and fail with an error instead of trying to use links that *are* broken. Demi Marie Obenour (4): Use HTTPS for all xenbits.xen.org Git repos Build system: Replace git:// and http:// with https:// Automation and CI: Replace git:// and http:// with https:// Rip out HyperTransport Config.mk | 20 ++++------- README | 4 +-- automation/build/centos/CentOS-7.2.repo | 8 ++--- automation/build/debian/stretch-llvm-8.list | 4 +-- automation/build/debian/unstable-llvm-8.list | 4 +-- automation/scripts/qemu-smoke-dom0-arm32.sh | 2 +- docs/misc/livepatch.pandoc | 2 +- docs/process/xen-release-management.pandoc | 2 +- scripts/get_maintainer.pl | 2 +- stubdom/configure | 24 ++++++++----- stubdom/configure.ac | 24 ++++++++----- tools/firmware/etherboot/Makefile | 6 +--- xen/include/xen/pci_regs.h | 37 -------------------- 13 files changed, 51 insertions(+), 88 deletions(-) -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Obtaining code over an insecure transport is a terrible idea for blatently obvious reasons. Even for non-executable data, insecure transports are considered deprecated. Changes since v3: - Drop patch 4, which is an unrelated removal of unused code. - Do not fail with an error if one tries to build the I/O emulator, vTPM, or vTPM manager stubdomains and passes --enable-extfiles. The user may have provided alternate download URLs via environment variables. Changes since v2: - Drop patches 5 and 6, which changed links not used by automated tools. These patches are the least urgent and hardest to review. - Ensure that no links are broken, and fail with an error instead of trying to use links that *are* broken. Demi Marie Obenour (3): Use HTTPS for all xenbits.xen.org Git repos Build system: Replace git:// and http:// with https:// Automation and CI: Replace git:// and http:// with https:// Config.mk | 20 ++++++-------------- README | 4 ++-- automation/build/centos/CentOS-7.2.repo | 8 ++++---- automation/build/debian/stretch-llvm-8.list | 4 ++-- automation/build/debian/unstable-llvm-8.list | 4 ++-- automation/scripts/qemu-smoke-dom0-arm32.sh | 2 +- docs/misc/livepatch.pandoc | 2 +- docs/process/xen-release-management.pandoc | 2 +- scripts/get_maintainer.pl | 2 +- stubdom/configure | 18 +++++++++--------- stubdom/configure.ac | 18 +++++++++--------- tools/firmware/etherboot/Makefile | 6 +----- 12 files changed, 39 insertions(+), 51 deletions(-) -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Obtaining code over an insecure transport is a terrible idea for blatently obvious reasons. Even for non-executable data, insecure transports are considered deprecated. Changes since v4: - Remove known-broken links entirely. They only mislead users into believing the code can be obtained there when it cannot. Changes since v3: - Drop patch 4, which is an unrelated removal of unused code. - Do not fail with an error if one tries to build the I/O emulator, vTPM, or vTPM manager stubdomains and passes --enable-extfiles. The user may have provided alternate download URLs via environment variables. Changes since v2: - Drop patches 5 and 6, which changed links not used by automated tools. These patches are the least urgent and hardest to review. - Ensure that no links are broken, and fail with an error instead of trying to use links that *are* broken. Demi Marie Obenour (5): Use HTTPS for all xenbits.xen.org Git repos Change remaining xenbits.xen.org links to HTTPS Build system: Do not try to use broken links Build system: Replace git:// and http:// with https:// Automation and CI: Replace git:// and http:// with https:// Config.mk | 20 ++++--------- README | 4 +-- automation/build/debian/stretch-llvm-8.list | 4 +-- automation/scripts/qemu-smoke-dom0-arm32.sh | 2 +- docs/misc/livepatch.pandoc | 2 +- docs/process/xen-release-management.pandoc | 2 +- m4/stubdom.m4 | 5 ++-- scripts/get_maintainer.pl | 2 +- stubdom/configure | 33 ++++++--------------- stubdom/configure.ac | 18 +++++------ tools/firmware/etherboot/Makefile | 6 +--- tools/misc/mkrpm | 2 +- 12 files changed, 37 insertions(+), 63 deletions(-) -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Hi, I believe all the containers that needed to be updated in our GitLab CI to be able to access HTTPS URLs have now been updated. So I guess the series is good to go if it's reviewed. Cheers, -- Anthony PERARD
On Mon, Mar 20, 2023 at 11:14 AM Anthony PERARD <anthony.perard@citrix.com> wrote: > Hi, > > I believe all the containers that needed to be updated in our GitLab CI > to be able to access HTTPS URLs have now been updated. > > So I guess the series is good to go if it's reviewed. > Has it run and passed Gitlab-CI with the new container images? -George
Obtaining code over an insecure transport is a terrible idea for blatently obvious reasons. Even for non-executable data, insecure transports are considered deprecated. Changes since v5: - Rebase on top of the staging branch. - Do not replace a xenbits.xenproject.org link with a xenbits.xen.org link. Changes since v4: - Remove known-broken links entirely. They only mislead users into believing the code can be obtained there when it cannot. Changes since v3: - Drop patch 4, which is an unrelated removal of unused code. - Do not fail with an error if one tries to build the I/O emulator, vTPM, or vTPM manager stubdomains and passes --enable-extfiles. The user may have provided alternate download URLs via environment variables. Changes since v2: - Drop patches 5 and 6, which changed links not used by automated tools. These patches are the least urgent and hardest to review. - Ensure that no links are broken, and fail with an error instead of trying to use links that *are* broken. Demi Marie Obenour (5): Use HTTPS for all xenbits.xen.org Git repos Change remaining xenbits.xen.org link to HTTPS Build system: Do not try to use broken links Build system: Replace git:// and http:// with https:// Automation and CI: Replace git:// and http:// with https:// Config.mk | 20 ++++--------- README | 4 +-- automation/build/debian/stretch-llvm-8.list | 4 +-- docs/misc/livepatch.pandoc | 2 +- docs/process/xen-release-management.pandoc | 2 +- m4/stubdom.m4 | 5 ++-- scripts/get_maintainer.pl | 2 +- stubdom/configure | 33 ++++++--------------- stubdom/configure.ac | 18 +++++------ tools/firmware/etherboot/Makefile | 6 +--- 10 files changed, 35 insertions(+), 61 deletions(-) -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
On 21/03/2023 5:33 pm, Demi Marie Obenour wrote: > Demi Marie Obenour (5): > Use HTTPS for all xenbits.xen.org Git repos > Change remaining xenbits.xen.org link to HTTPS > Build system: Do not try to use broken links > Build system: Replace git:// and http:// with https:// > Automation and CI: Replace git:// and http:// with https:// https://gitlab.com/xen-project/patchew/xen/-/pipelines/813510934 from patchew, so I think we're good now on the containers. > > Config.mk | 20 ++++--------- > README | 4 +-- > automation/build/debian/stretch-llvm-8.list | 4 +-- Except for this, where I thought we'd already dropped it... ~Andrew
On Wed, Mar 22, 2023 at 08:37:43AM +0000, Andrew Cooper wrote: > On 21/03/2023 5:33 pm, Demi Marie Obenour wrote: > > Demi Marie Obenour (5): > > Use HTTPS for all xenbits.xen.org Git repos > > Change remaining xenbits.xen.org link to HTTPS > > Build system: Do not try to use broken links > > Build system: Replace git:// and http:// with https:// > > Automation and CI: Replace git:// and http:// with https:// > > https://gitlab.com/xen-project/patchew/xen/-/pipelines/813510934 from > patchew, so I think we're good now on the containers. > > > > > Config.mk | 20 ++++--------- > > README | 4 +-- > > automation/build/debian/stretch-llvm-8.list | 4 +-- > > Except for this, where I thought we'd already dropped it... We dropped llvm-8 on the unstable container, I don't think there's been patch for the stretch container. -- Anthony PERARD
On 24/03/2023 4:37 pm, Anthony PERARD wrote: > On Wed, Mar 22, 2023 at 08:37:43AM +0000, Andrew Cooper wrote: >> On 21/03/2023 5:33 pm, Demi Marie Obenour wrote: >>> Demi Marie Obenour (5): >>> Use HTTPS for all xenbits.xen.org Git repos >>> Change remaining xenbits.xen.org link to HTTPS >>> Build system: Do not try to use broken links >>> Build system: Replace git:// and http:// with https:// >>> Automation and CI: Replace git:// and http:// with https:// >> https://gitlab.com/xen-project/patchew/xen/-/pipelines/813510934 from >> patchew, so I think we're good now on the containers. >> >>> Config.mk | 20 ++++--------- >>> README | 4 +-- >>> automation/build/debian/stretch-llvm-8.list | 4 +-- >> Except for this, where I thought we'd already dropped it... > We dropped llvm-8 on the unstable container, I don't think there's been > patch for the stretch container. Yeah, I was just figuring that out. I'm going to commit Demi's series as is, and fix the container afterwards. ~Andrew
Obtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories. It was generated with the following shell script:
git ls-files -z |
xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
All altered links have been tested and are known to work.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
Config.mk | 18 +++++-------------
docs/misc/livepatch.pandoc | 2 +-
docs/process/xen-release-management.pandoc | 2 +-
scripts/get_maintainer.pl | 2 +-
4 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
endif
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
QEMU_UPSTREAM_REVISION ?= master
MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
This is implemented in a seperate tool which lives in a seperate
GIT repo.
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
### Exception tables and symbol tables growth
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
Xen X.Y rcZ is tagged. You can check that out from xen.git:
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
For your convenience there is also a tarball at:
https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
warn("$P: No supported VCS found. Add --nogit to options?\n");
warn("Using a git repository produces better results.\n");
warn("Try latest git repository using:\n");
- warn("git clone git://xenbits.xen.org/xen.git\n");
+ warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
$printed_novcs = 1;
}
return 0;
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabOn 21/03/2023 5:33 pm, Demi Marie Obenour wrote:
> diff --git a/Config.mk b/Config.mk
> index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
> --- a/Config.mk
> +++ b/Config.mk
> @@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
> QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
> endif
>
> -ifeq ($(GIT_HTTP),y)
> -OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
> -QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
> -QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
> -SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
> -MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
> -else
> -OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
> -QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
> -QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
> -SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
> -MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
> -endif
> +OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
> +QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
> +QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
> +SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
> +MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
> OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
> QEMU_UPSTREAM_REVISION ?= master
> MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
The prior layout was somewhat necessary to dedup the GIT_HTTP part, but
now we really do want pairs of {URL, REVISION} together, rather than one
block of URLs and then a block of REVISIONs.
This is just reordering the lines (and some newlines for clarity), so
I'm happy to sort it out on commit.
~Andrew
On 21.03.2023 18:33, Demi Marie Obenour wrote: > Obtaining code over an insecure transport is a terrible idea for > blatently obvious reasons. Even for non-executable data, insecure > transports are considered deprecated. > > This patch enforces the use of secure transports for all xenbits.xen.org > Git repositories. It was generated with the following shell script: > > git ls-files -z | > xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g' I thought I had asked already, but looking through earlier conversation it looks like I only meant to: Why not git+ssh:// instead? Iirc there are efficiency differences between http and git protocols. Jan
On Wed, Mar 22, 2023 at 09:32:53AM +0100, Jan Beulich wrote: > On 21.03.2023 18:33, Demi Marie Obenour wrote: > > Obtaining code over an insecure transport is a terrible idea for > > blatently obvious reasons. Even for non-executable data, insecure > > transports are considered deprecated. > > > > This patch enforces the use of secure transports for all xenbits.xen.org > > Git repositories. It was generated with the following shell script: > > > > git ls-files -z | > > xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g' > > I thought I had asked already, but looking through earlier conversation > it looks like I only meant to: Why not git+ssh:// instead? Iirc there > are efficiency differences between http and git protocols. git+ssh requires authentication, so you can't use it without an account on xenbits. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab
Obtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports for all xenbits.xen.org
URLs. All altered links have been tested and are known to work.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
Config.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
# All the files at that location were downloaded from elsewhere on
# the internet. The original download URL is preserved as a comment
# near the place in the Xen Makefiles where the file is used.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabOn 21.03.2023 18:33, Demi Marie Obenour wrote: > Obtaining code over an insecure transport is a terrible idea for > blatently obvious reasons. Even for non-executable data, insecure > transports are considered deprecated. > > This patch enforces the use of secure transports for all xenbits.xen.org > URLs. All altered links have been tested and are known to work. > > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com> A patch of (almost) this title was already committed and then partly reverted, as it had become clear that ... > --- a/Config.mk > +++ b/Config.mk > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i)) > EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all > EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables > > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles ... this really is part of the build system. Hence I wonder why this wasn't folded into patch 4 (as it should have been from the beginning, which then also would have avoided the noise about committing the patch too early). Jan
The upstream URLs for zlib, PolarSSL, and the TPM emulator do not work
anymore, so do not attempt to use them.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
m4/stubdom.m4 | 5 +++--
stubdom/configure | 21 +++------------------
stubdom/configure.ac | 6 +++---
3 files changed, 9 insertions(+), 23 deletions(-)
diff --git a/m4/stubdom.m4 b/m4/stubdom.m4
index 6aa488b8e229dabbe107cfe115b5f2ac7e5ae824..26f10595d1c1250b1dc8a5be626142325e8d4673 100644
--- a/m4/stubdom.m4
+++ b/m4/stubdom.m4
@@ -78,10 +78,11 @@ done
AC_DEFUN([AX_STUBDOM_LIB], [
AC_ARG_VAR([$1_URL], [Download url for $2])
AS_IF([test "x$$1_URL" = "x"], [
- AS_IF([test "x$extfiles" = "xy"],
+ m4_if([$#],[3],[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
+ [$#],[4],[AS_IF([test "x$extfiles" = "xy"],
[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
[$1_URL="$4"])
- ])
+],[m4_fatal([AX_STUBDOM_LIB expects 3 or 4 arguments, not $#])])])
$1_VERSION="$3"
AC_SUBST($1_URL)
AC_SUBST($1_VERSION)
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..4ea95baa9192f3b319349ac2a14a3055a21ce705 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3532,12 +3532,7 @@ fi
if test "x$ZLIB_URL" = "x"; then :
- if test "x$extfiles" = "xy"; then :
- ZLIB_URL=\$\(XEN_EXTFILES_URL\)
-else
- ZLIB_URL="http://www.zlib.net"
-fi
-
+ ZLIB_URL=\$\(XEN_EXTFILES_URL\)
fi
ZLIB_VERSION="1.2.3"
@@ -3633,12 +3628,7 @@ GMP_VERSION="4.3.2"
if test "x$POLARSSL_URL" = "x"; then :
- if test "x$extfiles" = "xy"; then :
- POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
-else
- POLARSSL_URL="http://polarssl.org/code/releases"
-fi
-
+ POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
fi
POLARSSL_VERSION="1.1.4"
@@ -3648,12 +3638,7 @@ POLARSSL_VERSION="1.1.4"
if test "x$TPMEMU_URL" = "x"; then :
- if test "x$extfiles" = "xy"; then :
- TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
-else
- TPMEMU_URL="http://download.berlios.de/tpm-emulator"
-fi
-
+ TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
fi
TPMEMU_VERSION="0.7.4"
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,15 +55,15 @@ AC_PROG_INSTALL
AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
# Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
#These stubdoms should be enabled if the dependent one is
AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabObtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
stubdom/configure | 12 ++++++------
stubdom/configure.ac | 12 ++++++------
tools/firmware/etherboot/Makefile | 6 +-----
3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/stubdom/configure b/stubdom/configure
index 4ea95baa9192f3b319349ac2a14a3055a21ce705..540e9cd331888449b0e24c1aa974bc22c5bcab54 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
else
- LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+ LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
fi
fi
@@ -3560,7 +3560,7 @@ if test "x$NEWLIB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
else
- NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+ NEWLIB_URL="https://sourceware.org/ftp/newlib"
fi
fi
@@ -3575,7 +3575,7 @@ if test "x$LWIP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LWIP_URL=\$\(XEN_EXTFILES_URL\)
else
- LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+ LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
fi
fi
@@ -3590,7 +3590,7 @@ if test "x$GRUB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GRUB_URL=\$\(XEN_EXTFILES_URL\)
else
- GRUB_URL="http://alpha.gnu.org/gnu/grub"
+ GRUB_URL="https://alpha.gnu.org/gnu/grub"
fi
fi
@@ -3602,7 +3602,7 @@ GRUB_VERSION="0.97"
if test "x$OCAML_URL" = "x"; then :
- OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+ OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
fi
OCAML_VERSION="4.02.0"
@@ -3616,7 +3616,7 @@ if test "x$GMP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GMP_URL=\$\(XEN_EXTFILES_URL\)
else
- GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+ GMP_URL="https://gmplib.org/download/gmp/archive"
fi
fi
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b..471e371e14a82aedc10314c95bcaf39ce9f89f90 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -56,12 +56,12 @@ AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
# Stubdom libraries version and url setup
AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
include $(XEN_ROOT)/tools/Rules.mk
include Config
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
# put an updated tar.gz on xenbits after changes to this variable
IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabOn 21/03/2023 5:33 pm, Demi Marie Obenour wrote: > Obtaining code over an insecure transport is a terrible idea for > blatently obvious reasons. Even for non-executable data, insecure > transports are considered deprecated. > > This patch enforces the use of secure transports in the build system. > Some URLs returned 301 or 302 redirects, so I replaced them with the > URLs that were redirected to. > > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com> > --- > stubdom/configure | 12 ++++++------ > stubdom/configure.ac | 12 ++++++------ > tools/firmware/etherboot/Makefile | 6 +----- This drops the final reference to GIT_HTTP. As you're modifying configure anyway, it would be preferable to drop this option too, for an even more negative diffstat. (Probably ok to be folded in on commit.) ~Andrew
Obtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports in automation and CI.
All URLs are known to work.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
README | 4 ++--
automation/build/debian/stretch-llvm-8.list | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README b/README
index 755b3d8eaf8f7a58a945b7594e68a3fe455a7bdf..f8cc426f78d690f37e013242e81d4e440556c330 100644
--- a/README
+++ b/README
@@ -181,7 +181,7 @@ Python Runtime Libraries
Various tools, such as pygrub, have the following runtime dependencies:
* Python 2.6 or later.
- URL: http://www.python.org/
+ URL: https://www.python.org/
Debian: python
Note that the build system expects `python` to be available. If your system
@@ -197,7 +197,7 @@ Intel(R) Trusted Execution Technology Support
Intel's technology for safer computing, Intel(R) Trusted Execution Technology
(Intel(R) TXT), defines platform-level enhancements that provide the building
blocks for creating trusted platforms. For more information, see
-http://www.intel.com/technology/security/.
+https://www.intel.com/technology/security/.
Intel(R) TXT support is provided by the Trusted Boot (tboot) module in
conjunction with minimal logic in the Xen hypervisor.
diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
index 09fe843fb2a31ae38f752d7c8c71cf97f5b14513..590001ca81e826ab624ba9185423adf4b0c51a21 100644
--- a/automation/build/debian/stretch-llvm-8.list
+++ b/automation/build/debian/stretch-llvm-8.list
@@ -1,3 +1,3 @@
# Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb-src https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabObtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories. It was generated with the following shell script:
git ls-files -z |
xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
All altered links have been tested and are known to work.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
Config.mk | 18 +++++-------------
docs/misc/livepatch.pandoc | 2 +-
docs/process/xen-release-management.pandoc | 2 +-
scripts/get_maintainer.pl | 2 +-
4 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
endif
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
QEMU_UPSTREAM_REVISION ?= master
MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
This is implemented in a seperate tool which lives in a seperate
GIT repo.
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
### Exception tables and symbol tables growth
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
Xen X.Y rcZ is tagged. You can check that out from xen.git:
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
For your convenience there is also a tarball at:
https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
warn("$P: No supported VCS found. Add --nogit to options?\n");
warn("Using a git repository produces better results.\n");
warn("Try latest git repository using:\n");
- warn("git clone git://xenbits.xen.org/xen.git\n");
+ warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
$printed_novcs = 1;
}
return 0;
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabOn Sat, Feb 25, 2023 at 03:37:11PM -0500, Demi Marie Obenour wrote: > Obtaining code over an insecure transport is a terrible idea for > blatently obvious reasons. Even for non-executable data, insecure > transports are considered deprecated. > > This patch enforces the use of secure transports for all xenbits.xen.org > Git repositories. It was generated with the following shell script: > > git ls-files -z | > xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g' > > All altered links have been tested and are known to work. > > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com> It seems expired Lets Encrypt root issue applies to few other containers too: - archlinux:current: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739751 - debian:stretch-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739762 - debian:unstable-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739771 -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab
On Sat, Feb 25, 2023 at 11:34:32PM +0100, Marek Marczykowski-Górecki wrote: > On Sat, Feb 25, 2023 at 03:37:11PM -0500, Demi Marie Obenour wrote: > > Obtaining code over an insecure transport is a terrible idea for > > blatently obvious reasons. Even for non-executable data, insecure > > transports are considered deprecated. > > > > This patch enforces the use of secure transports for all xenbits.xen.org > > Git repositories. It was generated with the following shell script: > > > > git ls-files -z | > > xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g' > > > > All altered links have been tested and are known to work. > > > > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com> > > It seems expired Lets Encrypt root issue applies to few other containers > too: Yes, I haven't finished rebuilding all containers needed to be rebuilt. I've mostly took care of fixing dockerfiles for those needed to change. Cheers, > - archlinux:current: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739751 > - debian:stretch-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739762 > - debian:unstable-i386: https://gitlab.com/xen-project/patchew/xen/-/jobs/3834739771 -- Anthony PERARD
Also fix an old xenbits.xenproject.org link.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
Config.mk | 2 +-
tools/misc/mkrpm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
# All the files at that location were downloaded from elsewhere on
# the internet. The original download URL is preserved as a comment
# near the place in the Xen Makefiles where the file is used.
diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm
index 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0 100644
--- a/tools/misc/mkrpm
+++ b/tools/misc/mkrpm
@@ -34,7 +34,7 @@ Version: $version
Release: $release
License: GPL
Group: System/Hypervisor
-URL: http://xenbits.xenproject.org/xen.git
+URL: https://xenbits.xen.org/git-http/xen.git
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%define _binary_payload w1.gzdio
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabOn 25.02.2023 21:37, Demi Marie Obenour wrote: > --- a/Config.mk > +++ b/Config.mk > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i)) > EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all > EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables > > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles > # All the files at that location were downloaded from elsewhere on > # the internet. The original download URL is preserved as a comment > # near the place in the Xen Makefiles where the file is used. > diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm > index 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0 100644 > --- a/tools/misc/mkrpm > +++ b/tools/misc/mkrpm > @@ -34,7 +34,7 @@ Version: $version > Release: $release > License: GPL > Group: System/Hypervisor > -URL: http://xenbits.xenproject.org/xen.git > +URL: https://xenbits.xen.org/git-http/xen.git Please can you not lose "project" from the URL? That's the more modern form, after all. In fact, since you're touching the other URL above anyway, I wonder if it wouldn't be a good idea to insert "project" there as well. With at least the former adjustment (which I suppose can be done while committing, as long as you agree) Acked-by: Jan Beulich <jbeulich@suse.com> Jan
On Mon, Feb 27, 2023 at 09:35:51AM +0100, Jan Beulich wrote: > On 25.02.2023 21:37, Demi Marie Obenour wrote: > > --- a/Config.mk > > +++ b/Config.mk > > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i)) > > EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all > > EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables > > > > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles > > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles > > # All the files at that location were downloaded from elsewhere on > > # the internet. The original download URL is preserved as a comment > > # near the place in the Xen Makefiles where the file is used. > > diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm > > index 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0 100644 > > --- a/tools/misc/mkrpm > > +++ b/tools/misc/mkrpm > > @@ -34,7 +34,7 @@ Version: $version > > Release: $release > > License: GPL > > Group: System/Hypervisor > > -URL: http://xenbits.xenproject.org/xen.git > > +URL: https://xenbits.xen.org/git-http/xen.git > > Please can you not lose "project" from the URL? That's the more modern > form, after all. In fact, since you're touching the other URL above > anyway, I wonder if it wouldn't be a good idea to insert "project" > there as well. With at least the former adjustment (which I suppose > can be done while committing, as long as you agree) > Acked-by: Jan Beulich <jbeulich@suse.com> I’m fine with either or both of those adjustments. I was not aware that https://xenbits.xen.org is an alias for https://xenbits.xenproject.org. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
On Mon, Feb 27, 2023 at 6:46 PM Demi Marie Obenour < demi@invisiblethingslab.com> wrote: > On Mon, Feb 27, 2023 at 09:35:51AM +0100, Jan Beulich wrote: > > On 25.02.2023 21:37, Demi Marie Obenour wrote: > > > --- a/Config.mk > > > +++ b/Config.mk > > > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), > -I$(i)) > > > EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector > -fno-stack-protector-all > > > EMBEDDED_EXTRA_CFLAGS += -fno-exceptions > -fno-asynchronous-unwind-tables > > > > > > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles > > > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles > > > # All the files at that location were downloaded from elsewhere on > > > # the internet. The original download URL is preserved as a comment > > > # near the place in the Xen Makefiles where the file is used. > > > diff --git a/tools/misc/mkrpm b/tools/misc/mkrpm > > > index > 68819b2d739cea5491b53f9b944ee2bd20d92c2b..548db4b5da2691547438df5d7d58e5b4c3bd90d0 > 100644 > > > --- a/tools/misc/mkrpm > > > +++ b/tools/misc/mkrpm > > > @@ -34,7 +34,7 @@ Version: $version > > > Release: $release > > > License: GPL > > > Group: System/Hypervisor > > > -URL: http://xenbits.xenproject.org/xen.git > > > +URL: https://xenbits.xen.org/git-http/xen.git > > > > Please can you not lose "project" from the URL? That's the more modern > > form, after all. In fact, since you're touching the other URL above > > anyway, I wonder if it wouldn't be a good idea to insert "project" > > there as well. With at least the former adjustment (which I suppose > > can be done while committing, as long as you agree) > > Acked-by: Jan Beulich <jbeulich@suse.com> > > I’m fine with either or both of those adjustments. I was not aware that > https://xenbits.xen.org is an alias for https://xenbits.xenproject.org. > "xen.org" is the original. When Xen joined the Linux Foundation, there were some complications with the trademark: Citrix had renamed all their products to XenFoo (even those which had nothing to do with Xen), and so wanted to keep the trademark; but the LF felt they needed a trademark they could own & enforce. The solution the lawyers came up with was for Citrix to allow the LF to own the trademark to "The Xen Project", while Citrix retained the trademark to "Xen". Everything was meant to have shifted over to "xenproject.org", but of course "xen.org" was kept around to avoid breaking links; and here we are, 10 years later. Neither LF nor CSG are particularly trigger-happy with lawsuits, so it's not a huge deal, but all things being equal, it's better to use " xenproject.org"; and switching to "xen.org" is certainly a (small) regression. -George
The upstream URLs for zlib, PolarSSL, and the TPM emulator do not work
anymore, so do not attempt to use them.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
m4/stubdom.m4 | 5 +++--
stubdom/configure | 21 +++------------------
stubdom/configure.ac | 6 +++---
3 files changed, 9 insertions(+), 23 deletions(-)
diff --git a/m4/stubdom.m4 b/m4/stubdom.m4
index 6aa488b8e229dabbe107cfe115b5f2ac7e5ae824..26f10595d1c1250b1dc8a5be626142325e8d4673 100644
--- a/m4/stubdom.m4
+++ b/m4/stubdom.m4
@@ -78,10 +78,11 @@ done
AC_DEFUN([AX_STUBDOM_LIB], [
AC_ARG_VAR([$1_URL], [Download url for $2])
AS_IF([test "x$$1_URL" = "x"], [
- AS_IF([test "x$extfiles" = "xy"],
+ m4_if([$#],[3],[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
+ [$#],[4],[AS_IF([test "x$extfiles" = "xy"],
[$1_URL=\@S|@\@{:@XEN_EXTFILES_URL\@:}@],
[$1_URL="$4"])
- ])
+],[m4_fatal([AX_STUBDOM_LIB expects 3 or 4 arguments, not $#])])])
$1_VERSION="$3"
AC_SUBST($1_URL)
AC_SUBST($1_VERSION)
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..4ea95baa9192f3b319349ac2a14a3055a21ce705 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3532,12 +3532,7 @@ fi
if test "x$ZLIB_URL" = "x"; then :
- if test "x$extfiles" = "xy"; then :
- ZLIB_URL=\$\(XEN_EXTFILES_URL\)
-else
- ZLIB_URL="http://www.zlib.net"
-fi
-
+ ZLIB_URL=\$\(XEN_EXTFILES_URL\)
fi
ZLIB_VERSION="1.2.3"
@@ -3633,12 +3628,7 @@ GMP_VERSION="4.3.2"
if test "x$POLARSSL_URL" = "x"; then :
- if test "x$extfiles" = "xy"; then :
- POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
-else
- POLARSSL_URL="http://polarssl.org/code/releases"
-fi
-
+ POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
fi
POLARSSL_VERSION="1.1.4"
@@ -3648,12 +3638,7 @@ POLARSSL_VERSION="1.1.4"
if test "x$TPMEMU_URL" = "x"; then :
- if test "x$extfiles" = "xy"; then :
- TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
-else
- TPMEMU_URL="http://download.berlios.de/tpm-emulator"
-fi
-
+ TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
fi
TPMEMU_VERSION="0.7.4"
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,15 +55,15 @@ AC_PROG_INSTALL
AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
# Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
#These stubdoms should be enabled if the dependent one is
AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabObtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
stubdom/configure | 12 ++++++------
stubdom/configure.ac | 12 ++++++------
tools/firmware/etherboot/Makefile | 6 +-----
3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/stubdom/configure b/stubdom/configure
index 4ea95baa9192f3b319349ac2a14a3055a21ce705..540e9cd331888449b0e24c1aa974bc22c5bcab54 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
else
- LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+ LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
fi
fi
@@ -3560,7 +3560,7 @@ if test "x$NEWLIB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
else
- NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+ NEWLIB_URL="https://sourceware.org/ftp/newlib"
fi
fi
@@ -3575,7 +3575,7 @@ if test "x$LWIP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LWIP_URL=\$\(XEN_EXTFILES_URL\)
else
- LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+ LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
fi
fi
@@ -3590,7 +3590,7 @@ if test "x$GRUB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GRUB_URL=\$\(XEN_EXTFILES_URL\)
else
- GRUB_URL="http://alpha.gnu.org/gnu/grub"
+ GRUB_URL="https://alpha.gnu.org/gnu/grub"
fi
fi
@@ -3602,7 +3602,7 @@ GRUB_VERSION="0.97"
if test "x$OCAML_URL" = "x"; then :
- OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+ OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
fi
OCAML_VERSION="4.02.0"
@@ -3616,7 +3616,7 @@ if test "x$GMP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GMP_URL=\$\(XEN_EXTFILES_URL\)
else
- GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+ GMP_URL="https://gmplib.org/download/gmp/archive"
fi
fi
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b..471e371e14a82aedc10314c95bcaf39ce9f89f90 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -56,12 +56,12 @@ AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
# Stubdom libraries version and url setup
AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
include $(XEN_ROOT)/tools/Rules.mk
include Config
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
# put an updated tar.gz on xenbits after changes to this variable
IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabOn 25.02.2023 21:37, Demi Marie Obenour wrote: > --- a/stubdom/configure > +++ b/stubdom/configure > @@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then : > if test "x$extfiles" = "xy"; then : > LIBPCI_URL=\$\(XEN_EXTFILES_URL\) > else > - LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils" > + LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils" > fi Simply replacing https:// in the original URL does work. Why did you alter it beyond that? Yes, either access leads to the URL you specify, but that forwarding (or however it's implemented) may change down the road (and it could, aiui, even be dependent upon where in the world the access is coming from). In any event, here and below, any adjustment beyond what the title says wants explaining in the description. Jan
On Mon, Feb 27, 2023 at 09:42:24AM +0100, Jan Beulich wrote:
> On 25.02.2023 21:37, Demi Marie Obenour wrote:
> > --- a/stubdom/configure
> > +++ b/stubdom/configure
> > @@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
> > if test "x$extfiles" = "xy"; then :
> > LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
> > else
> > - LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> > + LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
> > fi
>
> Simply replacing https:// in the original URL does work. Why did you alter
> it beyond that? Yes, either access leads to the URL you specify, but that
> forwarding (or however it's implemented) may change down the road (and it
> could, aiui, even be dependent upon where in the world the access is coming
> from). In any event, here and below, any adjustment beyond what the title
> says wants explaining in the description.
>
> Jan
$ curl --head --fail https://www.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 27 Feb 2023 20:46:38 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15768001
Referrer-Policy: same-origin
Content-Security-Policy: default-src 'self'; img-src https: data:
This means that all future requests should be made to
https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
as per the HTTP standard. If this were a temporary redirect you would
be correct, but it is not. See:
> Some URLS returned 301 or 302 redirects, so I replaced them with the
> URLs that were redirected to.
from the commit message.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Obtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports in automation and CI.
All URLs are known to work.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
README | 4 ++--
automation/build/debian/stretch-llvm-8.list | 4 ++--
automation/scripts/qemu-smoke-dom0-arm32.sh | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README b/README
index 755b3d8eaf8f7a58a945b7594e68a3fe455a7bdf..f8cc426f78d690f37e013242e81d4e440556c330 100644
--- a/README
+++ b/README
@@ -181,7 +181,7 @@ Python Runtime Libraries
Various tools, such as pygrub, have the following runtime dependencies:
* Python 2.6 or later.
- URL: http://www.python.org/
+ URL: https://www.python.org/
Debian: python
Note that the build system expects `python` to be available. If your system
@@ -197,7 +197,7 @@ Intel(R) Trusted Execution Technology Support
Intel's technology for safer computing, Intel(R) Trusted Execution Technology
(Intel(R) TXT), defines platform-level enhancements that provide the building
blocks for creating trusted platforms. For more information, see
-http://www.intel.com/technology/security/.
+https://www.intel.com/technology/security/.
Intel(R) TXT support is provided by the Trusted Boot (tboot) module in
conjunction with minimal logic in the Xen hypervisor.
diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
index 09fe843fb2a31ae38f752d7c8c71cf97f5b14513..590001ca81e826ab624ba9185423adf4b0c51a21 100644
--- a/automation/build/debian/stretch-llvm-8.list
+++ b/automation/build/debian/stretch-llvm-8.list
@@ -1,3 +1,3 @@
# Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb-src https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
diff --git a/automation/scripts/qemu-smoke-dom0-arm32.sh b/automation/scripts/qemu-smoke-dom0-arm32.sh
index 98e4d481f65c2b29ac935ddf6247132ddf94fa1d..950ad3a0daa63d66fc8647c0a390ff59c2f22b1a 100755
--- a/automation/scripts/qemu-smoke-dom0-arm32.sh
+++ b/automation/scripts/qemu-smoke-dom0-arm32.sh
@@ -4,7 +4,7 @@ set -ex
cd binaries
# Use the kernel from Debian
-curl --fail --silent --show-error --location --output vmlinuz http://http.us.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
+curl --fail --silent --show-error --location --output vmlinuz https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
# Use a tiny initrd based on busybox from Alpine Linux
curl --fail --silent --show-error --location --output initrd.tar.gz https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/armhf/alpine-minirootfs-3.15.1-armhf.tar.gz
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabObtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories. It was generated with the following shell script:
git ls-files -z |
xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
All altered links have been tested and are known to work.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
Config.mk | 18 +++++-------------
docs/misc/livepatch.pandoc | 2 +-
docs/process/xen-release-management.pandoc | 2 +-
scripts/get_maintainer.pl | 2 +-
4 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
endif
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
QEMU_UPSTREAM_REVISION ?= master
MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
This is implemented in a seperate tool which lives in a seperate
GIT repo.
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
### Exception tables and symbol tables growth
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
Xen X.Y rcZ is tagged. You can check that out from xen.git:
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
For your convenience there is also a tarball at:
https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
warn("$P: No supported VCS found. Add --nogit to options?\n");
warn("Using a git repository produces better results.\n");
warn("Try latest git repository using:\n");
- warn("git clone git://xenbits.xen.org/xen.git\n");
+ warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
$printed_novcs = 1;
}
return 0;
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabObtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
Config.mk | 2 +-
stubdom/configure | 18 +++++++++---------
stubdom/configure.ac | 18 +++++++++---------
tools/firmware/etherboot/Makefile | 6 +-----
4 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
# All the files at that location were downloaded from elsewhere on
# the internet. The original download URL is preserved as a comment
# near the place in the Xen Makefiles where the file is used.
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..c717d315c75a596850b94e59c72c5d5f010f8888 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
ZLIB_URL=\$\(XEN_EXTFILES_URL\)
else
- ZLIB_URL="http://www.zlib.net"
+ ZLIB_URL="https://www.zlib.net"
fi
fi
@@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
else
- LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+ LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
fi
fi
@@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
else
- NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+ NEWLIB_URL="https://sourceware.org/ftp/newlib"
fi
fi
@@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LWIP_URL=\$\(XEN_EXTFILES_URL\)
else
- LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+ LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
fi
fi
@@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GRUB_URL=\$\(XEN_EXTFILES_URL\)
else
- GRUB_URL="http://alpha.gnu.org/gnu/grub"
+ GRUB_URL="https://alpha.gnu.org/gnu/grub"
fi
fi
@@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
if test "x$OCAML_URL" = "x"; then :
- OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+ OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
fi
OCAML_VERSION="4.02.0"
@@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GMP_URL=\$\(XEN_EXTFILES_URL\)
else
- GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+ GMP_URL="https://gmplib.org/download/gmp/archive"
fi
fi
@@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
else
- POLARSSL_URL="http://polarssl.org/code/releases"
+ POLARSSL_URL="https://polarssl.org/code/releases"
fi
fi
@@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
else
- TPMEMU_URL="http://download.berlios.de/tpm-emulator"
+ TPMEMU_URL="https://download.berlios.de/tpm-emulator"
fi
fi
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..ab52e00293bee033db9ff7133efd34daa5944c8d 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,15 +55,15 @@ AC_PROG_INSTALL
AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
# Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
#These stubdoms should be enabled if the dependent one is
AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
include $(XEN_ROOT)/tools/Rules.mk
include Config
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
# put an updated tar.gz on xenbits after changes to this variable
IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things LabOn 19.02.2023 03:46, Demi Marie Obenour wrote: > --- a/stubdom/configure > +++ b/stubdom/configure > @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then : > if test "x$extfiles" = "xy"; then : > ZLIB_URL=\$\(XEN_EXTFILES_URL\) > else > - ZLIB_URL="http://www.zlib.net" > + ZLIB_URL="https://www.zlib.net" > fi In v3 you said that this URL can't be used anymore for the version we're trying to fetch (which I can confirm). Leaving aside the question of why stubdom was never updated in that regard, what use is it to update URL (without even mentioning the aspect in the description) in such a case? (I haven't gone through any of the other URLs again, so there may well be more similar cases.) Jan
On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote: > On 19.02.2023 03:46, Demi Marie Obenour wrote: > > --- a/stubdom/configure > > +++ b/stubdom/configure > > @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then : > > if test "x$extfiles" = "xy"; then : > > ZLIB_URL=\$\(XEN_EXTFILES_URL\) > > else > > - ZLIB_URL="http://www.zlib.net" > > + ZLIB_URL="https://www.zlib.net" > > fi > > In v3 you said that this URL can't be used anymore for the version we're > trying to fetch (which I can confirm). Leaving aside the question of why > stubdom was never updated in that regard, what use is it to update URL > (without even mentioning the aspect in the description) in such a case? > (I haven't gone through any of the other URLs again, so there may well > be more similar cases.) Main advantage is that it will fail securely rather than downloading whatever random code an MITM attacker put in there. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
On 24.02.2023 23:55, Demi Marie Obenour wrote: > On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote: >> On 19.02.2023 03:46, Demi Marie Obenour wrote: >>> --- a/stubdom/configure >>> +++ b/stubdom/configure >>> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then : >>> if test "x$extfiles" = "xy"; then : >>> ZLIB_URL=\$\(XEN_EXTFILES_URL\) >>> else >>> - ZLIB_URL="http://www.zlib.net" >>> + ZLIB_URL="https://www.zlib.net" >>> fi >> >> In v3 you said that this URL can't be used anymore for the version we're >> trying to fetch (which I can confirm). Leaving aside the question of why >> stubdom was never updated in that regard, what use is it to update URL >> (without even mentioning the aspect in the description) in such a case? >> (I haven't gone through any of the other URLs again, so there may well >> be more similar cases.) > > Main advantage is that it will fail securely rather than downloading > whatever random code an MITM attacker put in there. As said before (and implied here): At the very least you need to mention the aspect in the description. But then wouldn't things be failing equally securely if no (non-working) URL was put in place, or one which is guaranteed to yield an error but makes obvious that no real URL is meant? Jan
On Mon, Feb 27, 2023 at 09:25:32AM +0100, Jan Beulich wrote:
> On 24.02.2023 23:55, Demi Marie Obenour wrote:
> > On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote:
> >> On 19.02.2023 03:46, Demi Marie Obenour wrote:
> >>> --- a/stubdom/configure
> >>> +++ b/stubdom/configure
> >>> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
> >>> if test "x$extfiles" = "xy"; then :
> >>> ZLIB_URL=\$\(XEN_EXTFILES_URL\)
> >>> else
> >>> - ZLIB_URL="http://www.zlib.net"
> >>> + ZLIB_URL="https://www.zlib.net"
> >>> fi
> >>
> >> In v3 you said that this URL can't be used anymore for the version we're
> >> trying to fetch (which I can confirm). Leaving aside the question of why
> >> stubdom was never updated in that regard, what use is it to update URL
> >> (without even mentioning the aspect in the description) in such a case?
> >> (I haven't gone through any of the other URLs again, so there may well
> >> be more similar cases.)
> >
> > Main advantage is that it will fail securely rather than downloading
> > whatever random code an MITM attacker put in there.
>
> As said before (and implied here): At the very least you need to mention
> the aspect in the description. But then wouldn't things be failing equally
> securely if no (non-working) URL was put in place, or one which is
> guaranteed to yield an error but makes obvious that no real URL is meant?
https://lists.xenproject.org/archives/html/xen-devel/2023-02/msg01439.html
("[PATCH v5 3/5] Build system: Do not try to use broken links") does
exactly that.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Obtaining code over an insecure transport is a terrible idea for
blatently obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports in automation and CI.
All URLs are known to work.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
README | 4 ++--
automation/build/centos/CentOS-7.2.repo | 8 ++++----
automation/build/debian/stretch-llvm-8.list | 4 ++--
automation/build/debian/unstable-llvm-8.list | 4 ++--
automation/scripts/qemu-smoke-dom0-arm32.sh | 2 +-
5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/README b/README
index 755b3d8eaf8f7a58a945b7594e68a3fe455a7bdf..f8cc426f78d690f37e013242e81d4e440556c330 100644
--- a/README
+++ b/README
@@ -181,7 +181,7 @@ Python Runtime Libraries
Various tools, such as pygrub, have the following runtime dependencies:
* Python 2.6 or later.
- URL: http://www.python.org/
+ URL: https://www.python.org/
Debian: python
Note that the build system expects `python` to be available. If your system
@@ -197,7 +197,7 @@ Intel(R) Trusted Execution Technology Support
Intel's technology for safer computing, Intel(R) Trusted Execution Technology
(Intel(R) TXT), defines platform-level enhancements that provide the building
blocks for creating trusted platforms. For more information, see
-http://www.intel.com/technology/security/.
+https://www.intel.com/technology/security/.
Intel(R) TXT support is provided by the Trusted Boot (tboot) module in
conjunction with minimal logic in the Xen hypervisor.
diff --git a/automation/build/centos/CentOS-7.2.repo b/automation/build/centos/CentOS-7.2.repo
index 4da27faeb5fa863fd4e140cbeaad308b9a543b86..8e37da1a03f839c486eb9bd0af46716cfb9086e0 100644
--- a/automation/build/centos/CentOS-7.2.repo
+++ b/automation/build/centos/CentOS-7.2.repo
@@ -6,28 +6,28 @@
[base]
name=CentOS-7.2.1511 - Base
-baseurl=http://vault.centos.org/7.2.1511/os/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-7.2.1511 - Updates
-baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-7.2.1511 - Extras
-baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-7.2.1511 - Plus
-baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/
+baseurl=https://vault.centos.org/7.2.1511/centosplus/$basearch/
gpgcheck=1
gpgcheck=1
enabled=0
diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
index 09fe843fb2a31ae38f752d7c8c71cf97f5b14513..590001ca81e826ab624ba9185423adf4b0c51a21 100644
--- a/automation/build/debian/stretch-llvm-8.list
+++ b/automation/build/debian/stretch-llvm-8.list
@@ -1,3 +1,3 @@
# Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+deb-src https://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
diff --git a/automation/build/debian/unstable-llvm-8.list b/automation/build/debian/unstable-llvm-8.list
index dc119fa0b4df1bd6e742c42776710abcd6deaa86..1db1598997429d7a14d3fcd8f0f8152aa6d40b8a 100644
--- a/automation/build/debian/unstable-llvm-8.list
+++ b/automation/build/debian/unstable-llvm-8.list
@@ -1,3 +1,3 @@
# Unstable LLVM 8 repos
-deb http://apt.llvm.org/unstable/ llvm-toolchain-8 main
-deb-src http://apt.llvm.org/unstable/ llvm-toolchain-8 main
+deb https://apt.llvm.org/unstable/ llvm-toolchain-8 main
+deb-src https://apt.llvm.org/unstable/ llvm-toolchain-8 main
diff --git a/automation/scripts/qemu-smoke-dom0-arm32.sh b/automation/scripts/qemu-smoke-dom0-arm32.sh
index 98e4d481f65c2b29ac935ddf6247132ddf94fa1d..950ad3a0daa63d66fc8647c0a390ff59c2f22b1a 100755
--- a/automation/scripts/qemu-smoke-dom0-arm32.sh
+++ b/automation/scripts/qemu-smoke-dom0-arm32.sh
@@ -4,7 +4,7 @@ set -ex
cd binaries
# Use the kernel from Debian
-curl --fail --silent --show-error --location --output vmlinuz http://http.us.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
+curl --fail --silent --show-error --location --output vmlinuz https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/netboot/vmlinuz
# Use a tiny initrd based on busybox from Alpine Linux
curl --fail --silent --show-error --location --output initrd.tar.gz https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/armhf/alpine-minirootfs-3.15.1-armhf.tar.gz
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab© 2016 - 2024 Red Hat, Inc.