Obtaining code over an insecure transport is a terrible idea for
blatantly obvious reasons. Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports for all xenbits.xen.org
Git repositories. It was generated with the following shell script:

    git ls-files -z |
    xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

All altered links have been tested and are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
Config.mk | 18 +++++-------------
docs/misc/livepatch.pandoc | 2 +-
docs/process/xen-release-management.pandoc | 2 +-
scripts/get_maintainer.pl | 2 +-
4 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/Config.mk b/Config.mk
index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
--- a/Config.mk
+++ b/Config.mk
@@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
endif
-ifeq ($(GIT_HTTP),y)
-OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
-QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
-MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
-else
-OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
-QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
-MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
-endif
+OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
+QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
+QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
+SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
+MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
QEMU_UPSTREAM_REVISION ?= master
MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
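Review bot: Removing the "ifeq ($(GIT_HTTP),y)" / "else" / "endif" lines means GIT_HTTP no longer has any effect on the five *_URL defaults, and the commit message does not mention this. The message describes the patch as generated by the sed script, but sed alone would have kept both branches of the conditional with identical https:// values, so this hunk was collapsed by hand. Say so in the message, and remove or update any remaining uses or documentation of GIT_HTTP in the same patch so the setting does not silently become a no-op.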
diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc
index d38e4ce074b399946aecdaedb4cb6fe5b8043b66..a94fb57eb568e85a25c93bf6a988f123d4e48443 100644
--- a/docs/misc/livepatch.pandoc
+++ b/docs/misc/livepatch.pandoc
@@ -993,7 +993,7 @@ The design of that is not discussed in this design.
This is implemented in a seperate tool which lives in a seperate
GIT repo.
-Currently it resides at git://xenbits.xen.org/livepatch-build-tools.git
+Currently it resides at https://xenbits.xen.org/git-http/livepatch-build-tools.git
### Exception tables and symbol tables growth
diff --git a/docs/process/xen-release-management.pandoc b/docs/process/xen-release-management.pandoc
index 8f80d61d2f1aa9e63da9b1e61b77a67c826efe6f..7826419dad563a3b70c3c97fc4c0fb5339bd58e9 100644
--- a/docs/process/xen-release-management.pandoc
+++ b/docs/process/xen-release-management.pandoc
@@ -271,7 +271,7 @@ Hi all,
Xen X.Y rcZ is tagged. You can check that out from xen.git:
-git://xenbits.xen.org/xen.git X.Y.0-rcZ
+https://xenbits.xen.org/git-http/xen.git X.Y.0-rcZ
For your convenience there is also a tarball at:
https://downloads.xenproject.org/release/xen/X.Y.0-rcZ/xen-X.Y.0-rcZ.tar.gz
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 48e07370e8d462ced70a1de13ec8134b4eed65ba..cf629cdf3c44e4abe67214378c49a3a9d858d9b5 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1457,7 +1457,7 @@ sub vcs_exists {
warn("$P: No supported VCS found. Add --nogit to options?\n");
warn("Using a git repository produces better results.\n");
warn("Try latest git repository using:\n");
- warn("git clone git://xenbits.xen.org/xen.git\n");
+ warn("git clone https://xenbits.xen.org/git-http/xen.git\n");
$printed_novcs = 1;
}
return 0;
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
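
A regression guard for the rewrite described in the commit message, as an added example that is not part of the patch or of the Xen tree. The function names rewrite_urls and find_insecure_urls are hypothetical; the pattern is the one from the sed expression above, and the sample lines are constructed.

```shell
#!/bin/sh
# Pattern and replacement copied from the commit message's sed expression.
INSECURE_RE='(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/'
SECURE_PREFIX='https://xenbits.xen.org/git-http/'

# rewrite_urls: apply the same substitution to stdin, without editing files.
rewrite_urls() {
    sed -E "s@${INSECURE_RE}@${SECURE_PREFIX}@g"
}

# find_insecure_urls DIR: print file:line:text for every xenbits URL under DIR
# that still uses git:// or plain http:// (the .git directory is skipped).
# Returns 1 if any were found, 0 otherwise, so it can gate a CI job.
find_insecure_urls() {
    hits=$(grep -rnE --exclude-dir=.git -- "$INSECURE_RE" "$1" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample: both old forms of a Config.mk default collapse to the
# same https:// URL, and an already-secure URL is left untouched.
printf '%s\n' \
    'OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git' \
    'OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git' \
    'OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git' |
    rewrite_urls
```

Running find_insecure_urls over a checkout after applying the patch should print nothing and return 0; any later commit that reintroduces a git:// or http:// xenbits URL makes it return 1.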
On 21/03/2023 5:33 pm, Demi Marie Obenour wrote:
> diff --git a/Config.mk b/Config.mk
> index 10eb443b17d85381b2d1e2282f8965c3e99767e0..75f1975e5e78af44d36c2372cba6e89b425267a5 100644
> --- a/Config.mk
> +++ b/Config.mk
> @@ -215,19 +215,11 @@ ifneq (,$(QEMU_TAG))
> QEMU_TRADITIONAL_REVISION ?= $(QEMU_TAG)
> endif
>
> -ifeq ($(GIT_HTTP),y)
> -OVMF_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/ovmf.git
> -QEMU_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/qemu-xen.git
> -QEMU_TRADITIONAL_URL ?= http://xenbits.xen.org/git-http/qemu-xen-traditional.git
> -SEABIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/seabios.git
> -MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
> -else
> -OVMF_UPSTREAM_URL ?= git://xenbits.xen.org/ovmf.git
> -QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
> -QEMU_TRADITIONAL_URL ?= git://xenbits.xen.org/qemu-xen-traditional.git
> -SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
> -MINIOS_UPSTREAM_URL ?= git://xenbits.xen.org/mini-os.git
> -endif
> +OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
> +QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git
> +QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git
> +SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git
> +MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git
> OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
> QEMU_UPSTREAM_REVISION ?= master
> MINIOS_UPSTREAM_REVISION ?= 5bcb28aaeba1c2506a82fab0cdad0201cd9b54b3
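Review bot: In the trailing context, "QEMU_UPSTREAM_REVISION ?= master" names a branch, while OVMF_UPSTREAM_REVISION and MINIOS_UPSTREAM_REVISION are full commit hashes. For the pinned components the hash fixes what gets checked out, but for master the content is whatever the server offers at fetch time, so the https:// URL is the only integrity check on that fetch. Worth stating in the commit message as the case where the transport change matters most.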
The prior layout was somewhat necessary to dedup the GIT_HTTP part, but
now we really do want pairs of {URL, REVISION} together, rather than one
block of URLs and then a block of REVISIONs.
This is just reordering the lines (and some newlines for clarity), so
I'm happy to sort it out on commit.
~Andrew
On 21.03.2023 18:33, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatantly obvious reasons. Even for non-executable data, insecure
> transports are considered deprecated.
>
> This patch enforces the use of secure transports for all xenbits.xen.org
> Git repositories. It was generated with the following shell script:
>
> git ls-files -z |
> xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'

I thought I had asked already, but looking through earlier conversation
it looks like I only meant to: Why not git+ssh:// instead? Iirc there
are efficiency differences between http and git protocols.

Jan
On Wed, Mar 22, 2023 at 09:32:53AM +0100, Jan Beulich wrote:
> On 21.03.2023 18:33, Demi Marie Obenour wrote:
> > Obtaining code over an insecure transport is a terrible idea for
> > blatantly obvious reasons. Even for non-executable data, insecure
> > transports are considered deprecated.
> >
> > This patch enforces the use of secure transports for all xenbits.xen.org
> > Git repositories. It was generated with the following shell script:
> >
> > git ls-files -z |
> > xargs -0 -- sed -Ei -- 's@(git://xenbits\.xen\.org|http://xenbits\.xen\.org/git-http)/@https://xenbits.xen.org/git-http/@g'
>
> I thought I had asked already, but looking through earlier conversation
> it looks like I only meant to: Why not git+ssh:// instead? Iirc there
> are efficiency differences between http and git protocols.

git+ssh requires authentication, so you can't use it without an account
on xenbits.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab