[v6] Stop using insecure transports

[PATCH v6 2/5] Change remaining xenbits.xen.org link to HTTPS

Posted by Demi Marie Obenour 2 years, 10 months ago

Obtaining code over an insecure transport is a terrible idea for
blatently obvious reasons.  Even for non-executable data, insecure
transports are considered deprecated.

This patch enforces the use of secure transports for all xenbits.xen.org
URLs.  All altered links have been tested and are known to work.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 Config.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Config.mk b/Config.mk
index 75f1975e5e78af44d36c2372cba6e89b425267a5..b2bef45b059976d5a6320eabada6073004eb22ee 100644
--- a/Config.mk
+++ b/Config.mk
@@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
-XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
+XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
 # the internet.  The original download URL is preserved as a comment
 # near the place in the Xen Makefiles where the file is used.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Re: [PATCH v6 2/5] Change remaining xenbits.xen.org link to HTTPS

Posted by Jan Beulich 2 years, 10 months ago

On 21.03.2023 18:33, Demi Marie Obenour wrote:
> Obtaining code over an insecure transport is a terrible idea for
> blatently obvious reasons.  Even for non-executable data, insecure
> transports are considered deprecated.
> 
> This patch enforces the use of secure transports for all xenbits.xen.org
> URLs.  All altered links have been tested and are known to work.
> 
> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>

A patch of (almost) this title was already committed and then partly reverted,
as it had become clear that ...

> --- a/Config.mk
> +++ b/Config.mk
> @@ -191,7 +191,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>  EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>  
> -XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
> +XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles

... this really is part of the build system. Hence I wonder why this wasn't
folded into patch 4 (as it should have been from the beginning, which then
also would have avoided the noise about committing the patch too early).

Jan

[PATCH v6 1/5] Use HTTPS for all xenbits.xen.org Git repos
[PATCH v6 2/5] Change remaining xenbits.xen.org link to HTTPS
[PATCH v6 3/5] Build system: Do not try to use broken links
[PATCH v6 4/5] Build system: Replace git:// and http:// with https://
[PATCH v6 5/5] Automation and CI: Replace git:// and http:// with https://