Message ID | 20240518212954.788524-1-peter.marko@siemens.com |
---|---|
State | Accepted, archived |
Commit | ea801be31d051b558fde52f7d6dccf2cd416afb9 |
Series | [1/2] ncurses: switch to new mirror |
On Sat, 18 May 2024 at 23:30, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
> -SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
> +SRC_URI = "git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master"

After the xz backdoor I'm nervous about switching upstream sources with no verification of their authenticity. Is this referenced anywhere from the ncurses homepage or ncurses tarball download? Should we take that tarball rather?

Alex
-----Original Message-----
From: Alexander Kanavin <alex.kanavin@gmail.com>
Sent: Tuesday, May 21, 2024 12:17
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror

> On Sat, 18 May 2024 at 23:30, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> > # Upstream has useful patches at times at
> > ftp://invisible-island.net/ncurses/
> > -SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
> > +SRC_URI = "git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master"
>
> After the xz backdoor I'm nervous about switching upstream sources with no verification of their authenticity. Is this referenced anywhere from ncurses homepage or ncurses tarball download? Should we take that tarball rather?
>
> Alex

The "new" mirror is maintained by the same github account as the old mirror.
So the trust should be the same and this patch should not decrease the security.
I have also verified that both the old and new versions match the source tarballs (as stated in my commit message).

But you're right that it's not referenced on the homepage; at least my google queries yielded 0 relevant hits.

Looking at the recipe history, the reason for switching to mirrors is the instability of the upstream homepage paths.
https://git.openembedded.org/openembedded-core/commit/?id=4d3f84f84147145cfd786362d9cd754bbb93873e
Not sure if we want to return to that situation.

I already thought about the xz situation before submitting my patch.
One of the reasons why I did not go back to the tarball was that I didn't know how to configure the AUH regex.
If you know how to do that, switching to it may be an option even if that would mean having to change the URL on lts branches from time to time...

Peter
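The check Peter describes above, comparing a mirror's checkout against the upstream release tarball, as an added example that is not part of the thread and not OE-core's own code. It hashes every regular file on both sides, strips the tarball's top-level directory so paths line up with a checkout, and skips `.git` metadata; all inputs (file names, contents, the tarball itself) are constructed in memory and nothing is downloaded.

```python
"""Compare a release tarball against a git checkout, file by file.

Added example (not from the thread or from OE-core): every regular
file on both sides is sha256-hashed and the two maps are diffed.
All inputs below are constructed in-memory for the demonstration.
"""
import hashlib
import io
import os
import tarfile
import tempfile

IGNORED_DIRS = {".git"}  # VCS metadata never appears in a release tarball


def hash_tarball(tar_bytes):
    """Return {relative_path: sha256} for regular files in a tarball.

    The leading top-level directory (e.g. 'pkg-1.0/') that release
    tarballs carry is stripped so paths line up with a checkout.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            data = tar.extractfile(member).read()
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def hash_tree(root):
    """Return {relative_path: sha256} for regular files under root, skipping VCS dirs."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(tarball_digests, tree_digests):
    """Return a sorted list of (path, reason) for every discrepancy; [] means identical."""
    problems = []
    for path in set(tarball_digests) | set(tree_digests):
        if path not in tree_digests:
            problems.append((path, "only in tarball"))
        elif path not in tarball_digests:
            problems.append((path, "only in checkout"))
        elif tarball_digests[path] != tree_digests[path]:
            problems.append((path, "content differs"))
    return sorted(problems)


def make_tarball(prefix, files):
    """Build an in-memory .tar.gz with a top-level prefix directory (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{rel}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_tree(root, files):
    """Write files plus a dummy .git directory under root (constructed test data)."""
    os.makedirs(os.path.join(root, ".git"), exist_ok=True)
    with open(os.path.join(root, ".git", "HEAD"), "wb") as fh:
        fh.write(b"ref: refs/heads/master\n")
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo():
    """Run the check on constructed data: one faithful checkout, one altered checkout."""
    release = {"configure": b"#!/bin/sh\necho configure\n",
               "src/lib_example.c": b"/* example */\n"}
    tarball = make_tarball("pkg-1.0", release)
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        make_tree(good, release)
        altered = dict(release, configure=b"#!/bin/sh\necho configure; true\n")
        altered["m4/extra.m4"] = b"dnl not in the release\n"
        make_tree(bad, altered)
        return (compare(hash_tarball(tarball), hash_tree(good)),
                compare(hash_tarball(tarball), hash_tree(bad)))


if __name__ == "__main__":
    clean, dirty = demo()
    print("faithful checkout:", clean or "matches tarball")
    print("altered checkout:", dirty)
```

On real input, `hash_tarball` takes the bytes of the downloaded release tarball and `hash_tree` the path of the `git` checkout at the pinned revision; an empty result from `compare` is what a commit message claiming "matches the source tarball" should be able to point to.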
On Tue, 21 May 2024 at 21:17, Marko, Peter <Peter.Marko@siemens.com> wrote:
> I already thought about the xz situation before submitting my patch.
> One of the reasons why I did not go back to tarball was that I didn't know how to configure AUH regex.
> If you know how to do that, switching to it may be an option even if that would mean having to change the URL on lts branches from time to time...

Can you tell me where the tarballs are? Then I can check if the regex is even needed, and what it should be if so.

And, this is kinda obvious, but maybe you could email the maintainer and ask if the new github URI is really them?

Alex
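To show what the AUH tag regex discussed above actually decides, here is an added example (not bitbake's fetcher code and not from the thread) that re-implements the tag-matching step in plain Python and applies the two `UPSTREAM_CHECK_GITTAGREGEX` values from the patch, the old dotted-version one and the new `v6_4`-style one, to a constructed tag listing. The tag names and SHAs are made up for illustration and are not taken from either mirror; only the two regexes come from the page.

```python
"""How an UPSTREAM_CHECK_GITTAGREGEX-style regex picks the newest version from git tags.

Added example, not bitbake's own code: a stand-alone re-implementation of
the tag-matching step so the effect of the two regexes from the patch can
be seen on constructed tag names.
"""
import re

OLD_REGEX = r"(?P<pver>\d+(\.\d+)+)$"   # from the patch: dotted tags such as 6.4
NEW_REGEX = r"v(?P<pver>\d+_\d+)$"      # from the patch: tags such as v6_4

# Constructed listing in 'git ls-remote --tags' shape: (sha, refname) pairs.
SAMPLE_TAGS = [
    ("0" * 40, "refs/tags/v6_3"),
    ("1" * 40, "refs/tags/v6_4"),
    ("2" * 40, "refs/tags/v6_4^{}"),        # peeled annotated tag, must be ignored
    ("3" * 40, "refs/tags/v6_4_20240511"),  # snapshot-style three-part tag (constructed)
    ("4" * 40, "refs/tags/6.3"),
    ("5" * 40, "refs/tags/6.4"),
    ("6" * 40, "refs/tags/6.4.1"),
]


def version_key(pver):
    """Order versions numerically per component; '_' and '.' separators are treated alike."""
    return tuple(int(p) for p in re.split(r"[._]", pver))


def matching_versions(tag_regex, tags):
    """Return [(pver, sha)] for every tag the regex accepts, in listing order."""
    pattern = re.compile(tag_regex)
    hits = []
    for sha, ref in tags:
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            continue
        m = pattern.search(name)
        if m:
            hits.append((m.group("pver"), sha))
    return hits


def latest_version(tag_regex, tags):
    """Return (pver, sha) of the highest matching tag, or ('', '') when nothing matches."""
    hits = matching_versions(tag_regex, tags)
    if not hits:
        return ("", "")
    return max(hits, key=lambda h: version_key(h[0]))


if __name__ == "__main__":
    for label, rx in (("old", OLD_REGEX), ("new", NEW_REGEX)):
        seen = [v for v, _ in matching_versions(rx, SAMPLE_TAGS)]
        print(f"{label} regex {rx!r}: matches {seen}, latest {latest_version(rx, SAMPLE_TAGS)[0]!r}")
```

Note that the new regex is anchored to exactly two numeric components, so the constructed `v6_4_20240511` tag is invisible to it, and a regex that matches nothing yields the empty result, which is the case where an upstream check silently stops reporting new releases.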
-----Original Message-----
From: Alexander Kanavin <alex.kanavin@gmail.com>
Sent: Tuesday, May 21, 2024 21:31
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror

> On Tue, 21 May 2024 at 21:17, Marko, Peter <Peter.Marko@siemens.com> wrote:
> > I already thought about the xz situation before submitting my patch.
> > One of the reasons why I did not go back to tarball was that I didn't know how to configure AUH regex.
> > If you know how to do that, switching to it may be an option even if that would mean having to change the URL on lts branches from time to time...
>
> Can you tell me where the tarballs are? Then I can check if the regex is even needed, and what it should be if so.
>
> And, this is kinda obvious, but maybe you could email the maintainer and ask if the new github URI is really them?
>
> Alex

I have to correct myself. I'm not so familiar with how github presents things; the two mirrors are managed by different accounts.

However, I finally found a reference that this is the right mirror.
https://invisible-island.net/#ftp (Archives) lists https://github.com/ThomasDickey (on github) as the official place for snapshot mirrors of the invisible-island archives.

Peter
On Tue, 21 May 2024 at 22:27, Marko, Peter <Peter.Marko@siemens.com> wrote:
> I have to correct myself. I'm not so familiar with how github presents things; the two mirrors are managed by different accounts.
>
> However I finally found reference that this is the right mirror.
> https://invisible-island.net/#ftp (Archives) lists https://github.com/ThomasDickey (on github) as official place for snapshot mirrors for invisible-island archives.

Thanks, then there is no issue.

Alex
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc index 761b6a3d31..3b72f3efdd 100644 --- a/meta/recipes-core/ncurses/ncurses.inc +++ b/meta/recipes-core/ncurses/ncurses.inc @@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \ inherit autotools binconfig-disabled multilib_header pkgconfig # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/ -SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master" +SRC_URI = "git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master" EXTRA_AUTORECONF = "-I m4" diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb index 97130c06d6..61558ecfa8 100644 --- a/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/meta/recipes-core/ncurses/ncurses_6.4.bb @@ -10,10 +10,10 @@ SRC_URI += "file://0001-tic-hang.patch \ file://CVE-2023-45918.patch \ " # commit id corresponds to the revision in package version -SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" +SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030" S = "${WORKDIR}/git" EXTRA_OECONF += "--with-abi-version=5" -UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)$" +UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+_\d+)$" # This is needed when using patchlevel versions like 6.1+20181013 #CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
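Review bot: in the ncurses.inc hunk, the comment above the changed `SRC_URI` should record why github.com/ThomasDickey/ncurses-snapshots is trusted, because the thread only established that after the patch was posted: https://invisible-island.net/#ftp lists https://github.com/ThomasDickey as the official snapshot mirror for the invisible-island archives. Suggest extending the existing comment, e.g. `# https://invisible-island.net/#ftp lists https://github.com/ThomasDickey as the official snapshot mirror`, so the next person touching the recipe does not have to redo the provenance check that the xz discussion prompted here.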
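Review bot: in the ncurses_6.4.bb hunk, the new `UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+_\d+)$"` accepts only two-component tags such as v6_4, whereas the old `(?P<pver>\d+(\.\d+)+)$` allowed any number of components; if the snapshot mirror ever tags with a third component the upstream check silently stops seeing newer releases, so consider `v(?P<pver>\d+(_\d+)+)$` and state in the commit message which tag names of the new repository the regex was tested against. The `SRCREV` bump also moves the pinned commit to a different repository while keeping the comment `# commit id corresponds to the revision in package version`; the thread says the tree was compared against the source tarball, and that verification belongs in the commit message next to the new revision.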