Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.
This patch enforces the use of secure transports in the build system.
Some URLs returned 301 or 302 redirects, so I replaced them with the
URLs that were redirected to.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
stubdom/configure | 12 ++++++------
stubdom/configure.ac | 12 ++++++------
tools/firmware/etherboot/Makefile | 6 +-----
3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/stubdom/configure b/stubdom/configure
index 4ea95baa9192f3b319349ac2a14a3055a21ce705..540e9cd331888449b0e24c1aa974bc22c5bcab54 100755
--- a/stubdom/configure
+++ b/stubdom/configure
@@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
else
- LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
+ LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
fi
fi
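Review bot: the `+ LIBPCI_URL=` line changes the host from www.kernel.org to mirrors.edge.kernel.org, which goes beyond the "use secure transports" change the title describes, and the description only says that "some URLs returned 301 or 302 redirects" without naming which URL returned which status. A 302 target is temporary by definition and should not be baked into the build system at all; the description should list the status each replaced URL returned, and only 301/308 targets should be substituted, keeping the plain https form of the original host otherwise.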
@@ -3560,7 +3560,7 @@ if test "x$NEWLIB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
NEWLIB_URL=\$\(XEN_EXTFILES_URL\)
else
- NEWLIB_URL="ftp://sources.redhat.com/pub/newlib"
+ NEWLIB_URL="https://sourceware.org/ftp/newlib"
fi
fi
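Review bot: this hunk changes host (sources.redhat.com to sourceware.org) and path (/pub/newlib to /ftp/newlib) as well as scheme, none of which the description explains; please say which redirect produced that target. Note also that the `extfiles=y` branch, `NEWLIB_URL=\$\(XEN_EXTFILES_URL\)`, is left untouched here and in every other hunk of this file, so the patch does not enforce a secure transport for the XEN_EXTFILES_URL path; if that default is http it needs the same treatment, and the description should say so either way.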
@@ -3575,7 +3575,7 @@ if test "x$LWIP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
LWIP_URL=\$\(XEN_EXTFILES_URL\)
else
- LWIP_URL="http://download.savannah.gnu.org/releases/lwip"
+ LWIP_URL="https://download.savannah.gnu.org/releases/lwip"
fi
fi
@@ -3590,7 +3590,7 @@ if test "x$GRUB_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GRUB_URL=\$\(XEN_EXTFILES_URL\)
else
- GRUB_URL="http://alpha.gnu.org/gnu/grub"
+ GRUB_URL="https://alpha.gnu.org/gnu/grub"
fi
fi
@@ -3602,7 +3602,7 @@ GRUB_VERSION="0.97"
if test "x$OCAML_URL" = "x"; then :
- OCAML_URL="http://caml.inria.fr/pub/distrib/ocaml-4.02"
+ OCAML_URL="https://caml.inria.fr/pub/distrib/ocaml-4.02"
fi
OCAML_VERSION="4.02.0"
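Review bot: switching to https on the `+ OCAML_URL=` line authenticates the server, not the archive: nothing in this file records an expected digest or signature for ocaml-4.02.0 (or for the other tarballs fetched from these URLs), so a compromised or stale mirror still delivers unverified code into the build. That is out of scope for this patch, but it is worth a sentence in the description so the transport change is not mistaken for content integrity; recording a SHA-256 per tarball next to each `*_VERSION` would close that gap in a follow-up.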
@@ -3616,7 +3616,7 @@ if test "x$GMP_URL" = "x"; then :
if test "x$extfiles" = "xy"; then :
GMP_URL=\$\(XEN_EXTFILES_URL\)
else
- GMP_URL="ftp://ftp.gmplib.org/pub/gmp-4.3.2"
+ GMP_URL="https://gmplib.org/download/gmp/archive"
fi
fi
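Review bot: the `+ GMP_URL=` line is a different directory layout, not just a scheme and host change: the version-specific ftp://ftp.gmplib.org/pub/gmp-4.3.2 directory becomes a flat https://gmplib.org/download/gmp/archive. The description should state that this was the redirect target and that the 4.3.2 tarball is actually served from that directory under the name the stubdom build expects, since an archive directory can hold many versions and a redirect from a directory URL does not guarantee the file URL the build constructs from it also resolves.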
diff --git a/stubdom/configure.ac b/stubdom/configure.ac
index c648b1602c227ed5fe63b9fbdf3fa52fd2e1654b..471e371e14a82aedc10314c95bcaf39ce9f89f90 100644
--- a/stubdom/configure.ac
+++ b/stubdom/configure.ac
@@ -56,12 +56,12 @@ AX_DEPENDS_PATH_PROG([vtpm], [CMAKE], [cmake])
# Stubdom libraries version and url setup
AX_STUBDOM_LIB([ZLIB], [zlib], [1.2.3])
-AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [http://www.kernel.org/pub/software/utils/pciutils])
-AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [ftp://sources.redhat.com/pub/newlib])
-AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [http://download.savannah.gnu.org/releases/lwip])
-AX_STUBDOM_LIB([GRUB], [grub], [0.97], [http://alpha.gnu.org/gnu/grub])
-AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [http://caml.inria.fr/pub/distrib/ocaml-4.02])
-AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [ftp://ftp.gmplib.org/pub/gmp-4.3.2])
+AX_STUBDOM_LIB([LIBPCI], [libpci], [2.2.9], [https://mirrors.edge.kernel.org/pub/software/utils/pciutils])
+AX_STUBDOM_LIB([NEWLIB], [newlib], [1.16.0], [https://sourceware.org/ftp/newlib])
+AX_STUBDOM_LIB([LWIP], [lwip], [1.3.0], [https://download.savannah.gnu.org/releases/lwip])
+AX_STUBDOM_LIB([GRUB], [grub], [0.97], [https://alpha.gnu.org/gnu/grub])
+AX_STUBDOM_LIB_NOEXT([OCAML], [ocaml], [4.02.0], [https://caml.inria.fr/pub/distrib/ocaml-4.02])
+AX_STUBDOM_LIB([GMP], [libgmp], [4.3.2], [https://gmplib.org/download/gmp/archive])
AX_STUBDOM_LIB([POLARSSL], [polarssl], [1.1.4])
AX_STUBDOM_LIB([TPMEMU], [berlios tpm emulator], [0.7.4])
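Review bot: the six `AX_STUBDOM_LIB` URL arguments here match the six `stubdom/configure` hunks above one for one, as regenerating configure from this file should produce, so the two files stay consistent. The adjacent ZLIB, POLARSSL and TPMEMU entries carry no URL argument and are unchanged, so their download location comes from elsewhere (the XEN_EXTFILES_URL fallback visible in the generated file) and is not covered by this patch; the description should say whether that default already uses https, otherwise the "enforces the use of secure transports" claim in the description overstates what the patch does.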
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index 4bc3633ba3d67ff9f52a9cb7923afea73c861da9..6ab9e5bc6b4cc750f2e802128fbc71e9150397b1 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -4,11 +4,7 @@ XEN_ROOT = $(CURDIR)/../../..
include $(XEN_ROOT)/tools/Rules.mk
include Config
-ifeq ($(GIT_HTTP),y)
-IPXE_GIT_URL ?= http://git.ipxe.org/ipxe.git
-else
-IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git
-endif
+IPXE_GIT_URL ?= https://github.com/ipxe/ipxe.git
# put an updated tar.gz on xenbits after changes to this variable
IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb
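Review bot: this hunk replaces the upstream host git.ipxe.org with the github.com/ipxe/ipxe mirror and deletes the `GIT_HTTP` knob together with the git:// URL, and neither the host change nor the removed option is mentioned in the description; anyone who relied on `GIT_HTTP` (for example for a proxy setup) now silently fetches from a different host. Since `IPXE_GIT_TAG` on the following line pins a full commit hash, git already verifies the fetched objects against that hash whatever the transport, so the security gain here is smaller than for the tarballs above; the host change should be justified on availability grounds (or an https URL on git.ipxe.org used if one is served), the `GIT_HTTP` removal stated explicitly, and any remaining references to `GIT_HTTP` in `Config` or `tools/Rules.mk` cleaned up in the same patch.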
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
On 25.02.2023 21:37, Demi Marie Obenour wrote:
> --- a/stubdom/configure
> +++ b/stubdom/configure
> @@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
>  if test "x$extfiles" = "xy"; then :
>  LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
>  else
> - LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> + LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
>  fi

Simply replacing https:// in the original URL does work. Why did you alter
it beyond that? Yes, either access leads to the URL you specify, but that
forwarding (or however it's implemented) may change down the road (and it
could, aiui, even be dependent upon where in the world the access is coming
from). In any event, here and below, any adjustment beyond what the title
says wants explaining in the description.

Jan
On Mon, Feb 27, 2023 at 09:42:24AM +0100, Jan Beulich wrote:
> On 25.02.2023 21:37, Demi Marie Obenour wrote:
> > --- a/stubdom/configure
> > +++ b/stubdom/configure
> > @@ -3545,7 +3545,7 @@ if test "x$LIBPCI_URL" = "x"; then :
> > if test "x$extfiles" = "xy"; then :
> > LIBPCI_URL=\$\(XEN_EXTFILES_URL\)
> > else
> > - LIBPCI_URL="http://www.kernel.org/pub/software/utils/pciutils"
> > + LIBPCI_URL="https://mirrors.edge.kernel.org/pub/software/utils/pciutils"
> > fi
>
> Simply replacing https:// in the original URL does work. Why did you alter
> it beyond that? Yes, either access leads to the URL you specify, but that
> forwarding (or however it's implemented) may change down the road (and it
> could, aiui, even be dependent upon where in the world the access is coming
> from). In any event, here and below, any adjustment beyond what the title
> says wants explaining in the description.
>
> Jan
$ curl --head --fail https://www.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 27 Feb 2023 20:46:38 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15768001
Referrer-Policy: same-origin
Content-Security-Policy: default-src 'self'; img-src https: data:
This means that all future requests should be made to
https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
as per the HTTP standard. If this were a temporary redirect you would
be correct, but it is not. See:
> Some URLs returned 301 or 302 redirects, so I replaced them with the
> URLs that were redirected to.
from the commit message.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
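The disagreement above comes down to a decision rule: a 301 (or 308) says the recorded URL should be replaced by the Location target, a 302 (or 303/307) says it should not, and in either case a target that drops back to http or ftp must not be accepted. The following script applies that rule to a captured HEAD response. It is an added example for this page, not code from the Xen patch, the stubdom build system or either participant; the function names are hypothetical, and `KERNEL_ORG_RESPONSE` is the `curl --head` output quoted in the thread, re-typed as a constant and trimmed to the headers the decision needs so that it runs offline.

```python
"""Decide whether a download URL recorded in a build system should follow
a redirect.  Added example for this thread, not project code; names are
hypothetical and the captured response below is embedded as a constant."""
from typing import Dict, Tuple
from urllib.parse import urljoin, urlsplit

# The `curl --head` response shown in the thread, re-typed and trimmed.
KERNEL_ORG_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Content-Type: text/html
Location: https://mirrors.edge.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2
Strict-Transport-Security: max-age=15768001
"""

# Redirects whose Location is meant to replace the original URL (RFC 9110).
PERMANENT_REDIRECTS = {301, 308}
# Redirects that must be followed for this request but not stored.
TEMPORARY_REDIRECTS = {302, 303, 307}
SECURE_SCHEMES = {"https"}


def parse_head_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a HEAD response into (status_code, lower-cased header map)."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty response")
    status = int(lines[0].split()[1])  # e.g. "HTTP/1.1 301 Moved Permanently"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_secure_url(url: str) -> bool:
    """True only for schemes that authenticate the server (https here)."""
    return urlsplit(url).scheme.lower() in SECURE_SCHEMES


def decide(configured_url: str, raw_response: str) -> Tuple[str, str]:
    """Return (action, url) for a URL recorded in a build script.

    "reject"  - the configured URL, or a redirect target, uses an insecure
                transport; fail rather than fetch over it.
    "rewrite" - a 301/308 pointed at an https target; store that target.
    "keep"    - no redirect, or a temporary one; leave the configured URL.
    """
    if not is_secure_url(configured_url):
        return "reject", configured_url
    status, headers = parse_head_response(raw_response)
    if status in PERMANENT_REDIRECTS | TEMPORARY_REDIRECTS:
        location = headers.get("location")
        if not location:
            raise ValueError(f"{status} response without a Location header")
        # Location may be relative; resolve it against the request URL.
        target = urljoin(configured_url, location)
        if not is_secure_url(target):
            # A client that follows redirects without restricting the
            # scheme would silently downgrade to http here; refuse instead.
            return "reject", target
        if status in PERMANENT_REDIRECTS:
            return "rewrite", target
    return "keep", configured_url


if __name__ == "__main__":
    url = "https://www.kernel.org/pub/software/utils/pciutils/pciutils-2.2.9.tar.bz2"
    print(decide(url, KERNEL_ORG_RESPONSE))
```

The downgrade check is the part neither side of the thread raises: a permanent redirect is only a safe reason to rewrite a stored URL when its target is itself https, and a fetch tool that follows redirects should be told to refuse other schemes on redirect (curl's `--proto-redir` option can pin this) rather than trusting the Location header blindly.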