-----Original Message-----
From: Alexander Kanavin <[email protected]>
Sent: Tuesday, May 21, 2024 12:17
To: Marko, Peter (ADV D EU SK BFS1) <[email protected]>
Cc: [email protected]
Subject: Re: [OE-core][PATCH 1/2] ncurses: switch to new mirror

> On Sat, 18 May 2024 at 23:30, Peter Marko via lists.openembedded.org
> <[email protected]> wrote:
> > # Upstream has useful patches at times at
> > ftp://invisible-island.net/ncurses/
> > -SRC_URI =
> > "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
> > +SRC_URI =
> > "git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master"
>
> After the xz backdoor I'm nervous about switching upstream sources with no
> verification of their authenticity. Is this referenced anywhere from ncurses
> homepage or ncurses tarball download? Should we take that tarball rather?
>
> Alex

The "new" mirror is maintained by the same GitHub account as the old mirror. So the trust should be the same and this patch should not decrease the security.

I have also verified that both old and new versions match the source tarballs (as stated in my commit message).

But you're right that it's not referenced on the homepage; at least my Google queries yielded 0 relevant hits.

Looking at the recipe history, the reason for switching to mirrors is instability of the upstream homepage paths.
https://git.openembedded.org/openembedded-core/commit/?id=4d3f84f84147145cfd786362d9cd754bbb93873e
Not sure if we want to return to that situation.

I already thought about the xz situation before submitting my patch. One of the reasons why I did not go back to the tarball was that I didn't know how to configure the AUH regex. If you know how to do that, switching to it may be an option, even if that would mean having to change the URL on LTS branches from time to time...

Peter
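
Review bot: the `+SRC_URI` line in the quoted hunk points at `ThomasDickey/ncurses-snapshots`, but the comment kept above it still only mentions `ftp://invisible-island.net/ncurses/`, so nothing next to the URL records why this repository is trusted. Consider extending that comment to say who maintains the repository and that its contents were checked against the release tarballs, so the provenance is documented in the recipe rather than only in the commit message and this thread.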
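
One way to check the kind of claim discussed in this thread, that a git mirror matches the release tarball, as an added example (not from the thread, the patch, or the OpenEmbedded project). The directory arguments, the function names and the sample trees built in `demo` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an unpacked release tarball with a git checkout.
# Directory arguments and sample data are assumptions, not ncurses recipe content.

# Print "sha256  ./path" for every regular file, skipping git metadata.
tree_manifest() {
    (cd "$1" && find . -path ./.git -prune -o -type f -exec sha256sum {} +)
}

# Usage: compare_trees <unpacked-tarball-dir> <git-checkout-dir>
# Prints one line per discrepancy; returns 0 only when both trees are identical.
compare_trees() {
    m_a=$(mktemp); m_b=$(mktemp)
    tree_manifest "$1" > "$m_a"
    tree_manifest "$2" > "$m_b"
    rc=0
    awk -v fa="$m_a" '
        # sha256sum prints a 64-character digest, two separator characters, then the path
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == fa { left[p] = h; next }
        { right[p] = h }
        END {
            for (p in left) {
                if (!(p in right)) { print "ONLY_IN_TARBALL " p; bad = 1 }
                else if (left[p] != right[p]) { print "CONTENT_DIFFERS " p; bad = 1 }
            }
            for (p in right) if (!(p in left)) { print "ONLY_IN_GIT " p; bad = 1 }
            exit bad + 0
        }' "$m_a" "$m_b" || rc=$?
    rm -f "$m_a" "$m_b"
    return "$rc"
}

# Constructed sample trees (not real ncurses files) that exercise each outcome.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/tarball/m4" "$d/git/.git"
    echo 'AC_INIT' > "$d/tarball/configure.ac"
    cp "$d/tarball/configure.ac" "$d/git/configure.ac"
    echo 'v1' > "$d/tarball/VERSION"
    echo 'v2' > "$d/git/VERSION"
    echo 'generated' > "$d/tarball/m4/extra.m4"        # exists only in the tarball
    echo 'ref: refs/heads/master' > "$d/git/.git/HEAD" # ignored git metadata
    compare_trees "$d/tarball" "$d/git" | LC_ALL=C sort
    rm -rf "$d"
}
```

Files reported as `ONLY_IN_TARBALL` are the ones a review of the repository never sees, so they warrant a separate look.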
