[PATCH v3 2/4] Build system: Replace git:// and http:// with https://

Demi Marie Obenour posted 4 patches 2 years, 11 months ago
[PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Demi Marie Obenour 2 years, 11 months ago
Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.  I also found that the old zlib used in
the I/O emulator stubdomain can no longer be obtained from
https://www.zlib.net and that the TPM emulator and PolarSSL (used by the
vTPM and vTPM manager stubdomains) can no longer be obtained from their
respective original URLs.  Therefore, configure will now error out
instead of trying to download them.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk                         |  2 +-
 stubdom/configure                 | 24 +++++++++++++++---------
 stubdom/configure.ac              | 24 +++++++++++++++---------
 tools/firmware/etherboot/Makefile |  6 +-----
 4 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
 # near the place in the Xen Makefiles where the file is used.
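Review bot: The https:// on the new XEN_EXTFILES_URL line is only a default — `?=` yields to any value already set in the environment or on the make command line, so the "enforces the use of secure transports" wording in the description overstates what this hunk does. If the intent really is to require https, a parse-time check next to the assignment would do it: `ifneq ($(filter https://%,$(XEN_EXTFILES_URL)),$(XEN_EXTFILES_URL))` / `$(error XEN_EXTFILES_URL must be an https:// URL)` / `endif`; if an override is meant to be used as given, a comment such as `# Default only; a value from the environment is used as given.` would set expectations. Nothing visible in this hunk verifies the fetched files beyond the transport, so it is worth being explicit about which of the two behaviours is intended.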
diff --git a/stubdom/configure b/stubdom/configure
index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..e40aca9afd0de2c5074978d654d4e78f4f63e3d2 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   ZLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  ZLIB_URL="http://www.zlib.net"
+  ZLIB_URL="https://www.zlib.net"
 fi
 
 fi
@@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
 fi
 
 fi
@@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+  NEWLIB_URL="https://sourceware.org/ftp/newlib"
 fi
 
 fi
@@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   LWIP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
 fi
 
 fi
@@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GRUB_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GRUB_URL="http://alpha.gnu.org/gnu/grub"
+  GRUB_URL="https://alpha.gnu.org/gnu/grub"
 fi
 
 fi
@@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
 
 if test "x$OCAML_URL" = "x"; then :
 
-	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
 
 fi
 OCAML_VERSION="4.02.0"
@@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   GMP_URL=\$\(XEN_EXTFILES_URL\)
 else
-  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+  GMP_URL="https://gmplib.org/download/gmp/archive"
 fi
 
 fi
@@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
 else
-  POLARSSL_URL="http://polarssl.org/code/releases"
+  POLARSSL_URL="https://polarssl.org/code/releases"
 fi
 
 fi
@@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
 	if test "x$extfiles" = "xy"; then :
   TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
 else
-  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
+  TPMEMU_URL="https://download.berlios.de/tpm-emulator"
 fi
 
 fi
@@ -3669,6 +3669,12 @@ vtpmmgr="n"
 fi
 
 
+if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
+    if test "x$extfiles" != xy; then
+        as_fn_error $? "Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs" "$LINENO" 5
+    fi
+fi
+
 #Conditionally enable these stubdoms based on the presense of dependencies
 
 if test "x$vtpm" = "xy" || test "x$vtpm" = "x"; then :
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index e20d99edac0da88098f4806333edde9f31dbc1a7..d27f2bc1f17140ab41a687e1e8faaa66e2b4483b 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -55,19 +55,25 @@ AC_PROG_INSTALL
 AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
 
 # Stubdom libraries version and url setup
-AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
-AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
-AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
+AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
+AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
+AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
 
 #These stubdoms should be enabled if the dependent one is
 AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
 
+if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
+    if test "x$extfiles" != xy; then
+        AC_MSG_ERROR([Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs])
+    fi
+fi
+
 #Conditionally enable these stubdoms based on the presense of dependencies
 AX_STUBDOM_CONDITIONAL_FINISH([vtpm-stubdom], [vtpm])
 AX_STUBDOM_CONDITIONAL_FINISH([vtpmmgr-stubdom], [vtpmmgr])
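Review bot: The new error block after AX_STUBDOM_AUTO_DEPENDS tells the user what went wrong but not which knob resolves it; the generated configure hunks show the `*_URL` variables are taken as-is when pre-set and the thread mentions `--enable-extfiles`, so a message like `AC_MSG_ERROR([Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs; use --enable-extfiles, set ZLIB_URL/POLARSSL_URL/TPMEMU_URL, or disable these stubdomains])` would make the failure actionable. With the check in place the https defaults kept in the ZLIB, POLARSSL and TPMEMU AX_STUBDOM_LIB lines are never used for a download as far as the description indicates (extfiles on uses XEN_EXTFILES_URL, extfiles off now errors), so either drop them or add a comment that they are retained only to record the original location. `$ioemu` is not assigned anywhere visible in this hunk — presumably set earlier by the stubdom macros — worth confirming it is defined before this point. The same block appears in the committed stubdom/configure; that copy should come from regenerating, not hand-editing.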
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 include Config
 
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
 
 # put an updated tar.gz on xenbits after changes to this variable
 IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
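Review bot: The new IPXE_GIT_URL line does more than swap the scheme — it moves the iPXE source from git.ipxe.org to the GitHub mirror, and neither the description nor a comment says why; a one-line comment such as `# GitHub mirror of git.ipxe.org; IPXE_GIT_TAG below pins the exact commit regardless of host` would record the reasoning, and if git.ipxe.org itself serves https the upstream host would be the smaller change. Dropping the GIT_HTTP conditional also means a user who still sets GIT_HTTP=y gets no indication that it is now ignored — worth checking whether Config or Rules.mk (both included above, not visible here) still set or document it. Since IPXE_GIT_TAG is a full commit hash, the checkout is pinned by content whatever the transport, which is the stronger guarantee here; `?=` still lets the environment substitute any URL, so the https default is a default rather than an enforcement.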
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Re: [PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Marek Marczykowski-Górecki 2 years, 11 months ago
On Fri, Feb 17, 2023 at 04:35:25PM -0500, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatently obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
> 
> This patch enforces the use of secure transports in the build system.
> Some URLs returned 301 or 302 redirects, so I replaced them with the
> URLs that were redirected to. 

https://gitlab.com/xen-project/patchew/xen/-/pipelines/781679811

I'm a bit confused about debian build errors:

    ERROR: The certificate of 'xenbits.xen.org' is not trusted.
    ERROR: The certificate of 'xenbits.xen.org' has expired.

Is clock on gitlab runners (way) off?

>  I also found that the old zlib used in
> the I/O emulator stubdomain can no longer be obtained from
> https://www.zlib.net and that the TPM emulator and PolarSSL (used by the
> vTPM and vTPM manager stubdomains) can no longer be obtained from their
> respective original URLs.  Therefore, configure will now error out
> instead of trying to download them.

First of all, such a change definitely wants a separate patch;
de-supporting some configurations does not belong in a "Replace git:// and
http:// with https://" patch. But then, I don't think that's the correct
approach. It is a bug to be fixed, instead of being broken even further.
The configure script already supports Xen's mirror, and I think it's even
enabled by default (see --enable-extfiles), and also supports providing an
alternative download location (via env variables). So it seems your
change here in fact breaks something that was working before...

> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> ---
>  Config.mk                         |  2 +-
>  stubdom/configure                 | 24 +++++++++++++++---------
>  stubdom/configure.ac              | 24 +++++++++++++++---------
>  tools/firmware/etherboot/Makefile |  6 +-----
>  4 files changed, 32 insertions(+), 24 deletions(-)
> 
> diff --git a/Config.mk b/Config.mk
> index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
> --- a/Config.mk
> +++ b/Config.mk
> @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>  
> -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
>  # All the files at that location were downloaded from elsewhere on
>  # the internet.  The original download URL is preserved as a comment
>  # near the place in the Xen Makefiles where the file is used.
> diff --git a/stubdom/configure b/stubdom/configure
> index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..e40aca9afd0de2c5074978d654d4e78f4f63e3d2 100755
> --- a/stubdom/configure
> +++ b/stubdom/configure
> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  ZLIB_URL="http://www.zlib.net"
> +  ZLIB_URL="https://www.zlib.net"
>  fi
>  
>  fi
> @@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> +  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
>  fi
>  
>  fi
> @@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
> +  NEWLIB_URL="https://sourceware.org/ftp/newlib"
>  fi
>  
>  fi
> @@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    LWIP_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
> +  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
>  fi
>  
>  fi
> @@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    GRUB_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  GRUB_URL="http://alpha.gnu.org/gnu/grub"
> +  GRUB_URL="https://alpha.gnu.org/gnu/grub"
>  fi
>  
>  fi
> @@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
>  
>  if test "x$OCAML_URL" = "x"; then :
>  
> -	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
> +	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
>  
>  fi
>  OCAML_VERSION="4.02.0"
> @@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    GMP_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
> +  GMP_URL="https://gmplib.org/download/gmp/archive"
>  fi
>  
>  fi
> @@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  POLARSSL_URL="http://polarssl.org/code/releases"
> +  POLARSSL_URL="https://polarssl.org/code/releases"
>  fi
>  
>  fi
> @@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
>  	if test "x$extfiles" = "xy"; then :
>    TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
>  else
> -  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
> +  TPMEMU_URL="https://download.berlios.de/tpm-emulator"
>  fi
>  
>  fi
> @@ -3669,6 +3669,12 @@ vtpmmgr="n"
>  fi
>  
>  
> +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> +    if test "x$extfiles" != xy; then
> +        as_fn_error $? "Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs" "$LINENO" 5
> +    fi
> +fi
> +
>  #Conditionally enable these stubdoms based on the presense of dependencies
>  
>  if test "x$vtpm" = "xy" || test "x$vtpm" = "x"; then :
> diff --git a/stubdom/configure.ac b/stubdom/configure.ac
> index e20d99edac0da88098f4806333edde9f31dbc1a7..d27f2bc1f17140ab41a687e1e8faaa66e2b4483b 100644
> --- a/stubdom/configure.ac
> +++ b/stubdom/configure.ac
> @@ -55,19 +55,25 @@ AC_PROG_INSTALL
>  AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
>  
>  # Stubdom libraries version and url setup
> -AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
> -AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
> -AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
> -AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
> -AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
> -AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
> -AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
> -AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
> -AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
> +AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
> +AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
> +AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
> +AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
> +AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
> +AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
> +AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
> +AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
> +AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
>  
>  #These stubdoms should be enabled if the dependent one is
>  AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
>  
> +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> +    if test "x$extfiles" != xy; then
> +        AC_MSG_ERROR([Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs])
> +    fi
> +fi
> +
>  #Conditionally enable these stubdoms based on the presense of dependencies
>  AX_STUBDOM_CONDITIONAL_FINISH([vtpm-stubdom], [vtpm])
>  AX_STUBDOM_CONDITIONAL_FINISH([vtpmmgr-stubdom], [vtpmmgr])
> diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
> index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
> --- a/tools/firmware/etherboot/Makefile
> +++ b/tools/firmware/etherboot/Makefile
> @@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
>  include $(XEN_ROOT)/tools/Rules.mk
>  include Config
>  
> -ifeq ($(GIT_HTTP),y)
> -IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
> -else
> -IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
> -endif
> +IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
>  
>  # put an updated tar.gz on xenbits after changes to this variable
>  IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
> -- 
> Sincerely,
> Demi Marie Obenour (she/her/hers)
> Invisible Things Lab
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
Re: [PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Andrew Cooper 2 years, 11 months ago
On 18/02/2023 2:10 pm, Marek Marczykowski-Górecki wrote:
> On Fri, Feb 17, 2023 at 04:35:25PM -0500, Demi Marie Obenour wrote:
>> Obtaining code over an insecure transport is a terrible idea for
>> blatently obvious reasons.  Even for non-executable data, insecure
>> transports are considered deprecated.
>>
>> This patch enforces the use of secure transports in the build system.
>> Some URLs returned 301 or 302 redirects, so I replaced them with the
>> URLs that were redirected to. 
> https://gitlab.com/xen-project/patchew/xen/-/pipelines/781679811
>
> I'm a bit confused about debian build errors:
>
>     ERROR: The certificate of 'xenbits.xen.org' is not trusted.
>     ERROR: The certificate of 'xenbits.xen.org' has expired.
>
> Is clock on gitlab runners (way) off?

https://lore.kernel.org/xen-devel/20230215120208.35807-1-anthony.perard@citrix.com/T/#u

~Andrew

Re: [PATCH v3 2/4] Build system: Replace git:// and http:// with https://
Posted by Marek Marczykowski-Górecki 2 years, 11 months ago
On Sat, Feb 18, 2023 at 03:10:16PM +0100, Marek Marczykowski-Górecki wrote:
> On Fri, Feb 17, 2023 at 04:35:25PM -0500, Demi Marie Obenour wrote:
> > Obtaining code over an insecure transport is a terrible idea for
> > blatently obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> > 
> > This patch enforces the use of secure transports in the build system.
> > Some URLs returned 301 or 302 redirects, so I replaced them with the
> > URLs that were redirected to. 
> 
> https://gitlab.com/xen-project/patchew/xen/-/pipelines/781679811
> 
> I'm a bit confused about debian build errors:
> 
>     ERROR: The certificate of 'xenbits.xen.org' is not trusted.
>     ERROR: The certificate of 'xenbits.xen.org' has expired.
> 
> Is clock on gitlab runners (way) off?
> 
> >  I also found that the old zlib used in
> > the I/O emulator stubdomain can no longer be obtained from
> > https://www.zlib.net and that the TPM emulator and PolarSSL (used by the
> > vTPM and vTPM manager stubdomains) can no longer be obtained from their
> > respective original URLs.  Therefore, configure will now error out
> > instead of trying to download them.
> 
> First of all, such change definitely wants a separate patch,
> de-supporting some configurations do not belong to "Replace git:// and
> http:// with https://" patch. But then, I don't think that's correct
> approach. It is a bug to be fixes, instead of breaking it even more.
> configure script already supports Xen's mirror, and I think it's even
> enabled by default (see --enable-extfiles), and also supports providing
> alternative download location (via env variables). So it seems your
> change here in fact breaks something that was working before...

Ah, you do take --enable-extfiles into account. But an alternative
URL can still be provided via an env variable.

> > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> > ---
> >  Config.mk                         |  2 +-
> >  stubdom/configure                 | 24 +++++++++++++++---------
> >  stubdom/configure.ac              | 24 +++++++++++++++---------
> >  tools/firmware/etherboot/Makefile |  6 +-----
> >  4 files changed, 32 insertions(+), 24 deletions(-)
> > 
> > diff --git a/Config.mk b/Config.mk
> > index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
> > --- a/Config.mk
> > +++ b/Config.mk
> > @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
> >  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
> >  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
> >  
> > -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> > +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
> >  # All the files at that location were downloaded from elsewhere on
> >  # the internet.  The original download URL is preserved as a comment
> >  # near the place in the Xen Makefiles where the file is used.
> > diff --git a/stubdom/configure b/stubdom/configure
> > index b8bffceafdd46181e26a79b85405aefb8bc3ff7d..e40aca9afd0de2c5074978d654d4e78f4f63e3d2 100755
> > --- a/stubdom/configure
> > +++ b/stubdom/configure
> > @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  ZLIB_URL="http://www.zlib.net"
> > +  ZLIB_URL="https://www.zlib.net"
> >  fi
> >  
> >  fi
> > @@ -3550,7 +3550,7 @@ if test "x$LIBPCI_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> > +  LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
> >  fi
> >  
> >  fi
> > @@ -3565,7 +3565,7 @@ if test "x$NEWLIB_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
> > +  NEWLIB_URL="https://sourceware.org/ftp/newlib"
> >  fi
> >  
> >  fi
> > @@ -3580,7 +3580,7 @@ if test "x$LWIP_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    LWIP_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
> > +  LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
> >  fi
> >  
> >  fi
> > @@ -3595,7 +3595,7 @@ if test "x$GRUB_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    GRUB_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  GRUB_URL="http://alpha.gnu.org/gnu/grub"
> > +  GRUB_URL="https://alpha.gnu.org/gnu/grub"
> >  fi
> >  
> >  fi
> > @@ -3607,7 +3607,7 @@ GRUB_VERSION="0.97"
> >  
> >  if test "x$OCAML_URL" = "x"; then :
> >  
> > -	OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
> > +	OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
> >  
> >  fi
> >  OCAML_VERSION="4.02.0"
> > @@ -3621,7 +3621,7 @@ if test "x$GMP_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    GMP_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
> > +  GMP_URL="https://gmplib.org/download/gmp/archive"
> >  fi
> >  
> >  fi
> > @@ -3636,7 +3636,7 @@ if test "x$POLARSSL_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    POLARSSL_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  POLARSSL_URL="http://polarssl.org/code/releases"
> > +  POLARSSL_URL="https://polarssl.org/code/releases"
> >  fi
> >  
> >  fi
> > @@ -3651,7 +3651,7 @@ if test "x$TPMEMU_URL" = "x"; then :
> >  	if test "x$extfiles" = "xy"; then :
> >    TPMEMU_URL=\$\(XEN_EXTFILES_URL\)
> >  else
> > -  TPMEMU_URL="http://download.berlios.de/tpm-emulator"
> > +  TPMEMU_URL="https://download.berlios.de/tpm-emulator"
> >  fi
> >  
> >  fi
> > @@ -3669,6 +3669,12 @@ vtpmmgr="n"
> >  fi
> >  
> >  
> > +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> > +    if test "x$extfiles" != xy; then
> > +        as_fn_error $? "Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs" "$LINENO" 5
> > +    fi
> > +fi
> > +
> >  #Conditionally enable these stubdoms based on the presense of dependencies
> >  
> >  if test "x$vtpm" = "xy" || test "x$vtpm" = "x"; then :
> > diff --git a/stubdom/configure.ac b/stubdom/configure.ac
> > index e20d99edac0da88098f4806333edde9f31dbc1a7..d27f2bc1f17140ab41a687e1e8faaa66e2b4483b 100644
> > --- a/stubdom/configure.ac
> > +++ b/stubdom/configure.ac
> > @@ -55,19 +55,25 @@ AC_PROG_INSTALL
> >  AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
> >  
> >  # Stubdom libraries version and url setup
> > -AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [http://www.zlib.net])
> > -AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
> > -AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
> > -AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
> > -AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
> > -AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
> > -AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
> > -AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [http://polarssl.org/code/releases])
> > -AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [http://download.berlios.de/tpm-emulator])
> > +AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3], [https://www.zlib.net])
> > +AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
> > +AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
> > +AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
> > +AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
> > +AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
> > +AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
> > +AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4], [https://polarssl.org/code/releases])
> > +AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4], [https://download.berlios.de/tpm-emulator])
> >  
> >  #These stubdoms should be enabled if the dependent one is
> >  AX_STUBDOM_AUTO_DEPENDS([vtpmmgr], [vtpm])
> >  
> > +if test "x$vtpm" != xn || test "x$vtpmmgr" != xn || test "x$ioemu" != xn; then
> > +    if test "x$extfiles" != xy; then
> > +        AC_MSG_ERROR([Sources needed for the vTPM, vTPM manager, and IO emulator stubdomains are no longer at their original URLs])
> > +    fi
> > +fi
> > +
> >  #Conditionally enable these stubdoms based on the presense of dependencies
> >  AX_STUBDOM_CONDITIONAL_FINISH([vtpm-stubdom], [vtpm])
> >  AX_STUBDOM_CONDITIONAL_FINISH([vtpmmgr-stubdom], [vtpmmgr])
> > diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
> > index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
> > --- a/tools/firmware/etherboot/Makefile
> > +++ b/tools/firmware/etherboot/Makefile
> > @@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
> >  include $(XEN_ROOT)/tools/Rules.mk
> >  include Config
> >  
> > -ifeq ($(GIT_HTTP),y)
> > -IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
> > -else
> > -IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
> > -endif
> > +IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
> >  
> >  # put an updated tar.gz on xenbits after changes to this variable
> >  IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
> > -- 
> > Sincerely,
> > Demi Marie Obenour (she/her/hers)
> > Invisible Things Lab
> > 
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab



-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab