On Thu, Feb 09, 2023 at 02:01:52PM +0000, George Dunlap wrote:
> On Wed, Feb 8, 2023 at 8:58 PM Demi Marie Obenour <d...@invisiblethingslab.com> wrote:
>
> > Obtaining code over an insecure transport is a terrible idea for
> > blatantly obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> >
> > This patch enforces the use of secure transports in the build system.
> >
> > Signed-off-by: Demi Marie Obenour <d...@invisiblethingslab.com>
> >
>
> Hey Demi,
>
> Thanks for this series -- we definitely want the build system to use secure
> transports when available.  Can you confirm that you've tested the "+s"
> versions of all the URLs in this patch, and verified that they actually
> work?

I had not, but a subsequent review indicated that most do work.  The
exceptions are:

- Neither the PolarSSL nor TPM emulator links work, but the http://
  version of these links is also broken.  I added an AC_MSG_ERROR to
  fail the TPM emulator build if they would be used, but a Xen committer
  will need to regenerate configure.

- the newlib url should be https://sourceware.org/ftp/newlib, not
  https://source.redhat.com/ftp/newlib.  This was changed in configure.ac
  but not in configure.

> If you haven't, I realize that may be somewhat tedious, but I think it's
> pretty important.  You should be able to automate a lot of it using `curl
> --head --fail`. [1]

That does not work for the Xen git repositories, but those all do work.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
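The check discussed in this thread, written out as an added example (it is not part of the original messages or of the Xen build system). It upgrades each URL to https, probes it with `curl --head --fail`, and uses `git ls-remote` for git repositories, which the reply notes the curl probe does not work for. The function names, the git:// to https:// rewrite and the rule that a URL ending in `.git` is a git repository are assumptions of this example.

```shell
#!/bin/sh
# Added example: upgrade fetch URLs to https and verify that they answer.

# Rewrite an insecure scheme to https; leave https URLs untouched.
# Assumption: the secure form of a git:// URL is the same host/path on https.
to_secure() {
    case "$1" in
        https://*) printf '%s\n' "$1" ;;
        http://*)  printf 'https://%s\n' "${1#http://}" ;;
        git://*)   printf 'https://%s\n' "${1#git://}" ;;
        *)         return 1 ;;   # unknown scheme: refuse rather than guess
    esac
}

# Assumption: a URL whose path ends in .git names a git repository.
is_git_url() {
    case "$1" in
        *.git) return 0 ;;
        *)     return 1 ;;
    esac
}

# Probe one already-upgraded URL. --proto and --proto-redir keep curl from
# following a redirect back down to plain http; GIT_ALLOW_PROTOCOL does the
# same for git.
check_url() {
    if is_git_url "$1"; then
        GIT_ALLOW_PROTOCOL=https git ls-remote --quiet "$1" HEAD >/dev/null 2>&1
    else
        curl --head --fail --silent --location --max-time 20 \
             --proto '=https' --proto-redir '=https' --output /dev/null "$1"
    fi
}

# Usage: sh check-urls.sh URL...   (prints one OK/FAIL line per URL)
main() {
    status=0
    for url in "$@"; do
        if secure=$(to_secure "$url") && check_url "$secure"; then
            printf 'OK   %s\n' "$secure"
        else
            printf 'FAIL %s\n' "$url"; status=1
        fi
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A URL that only works after a redirect to http:// is reported as FAIL, which is the behaviour a build that enforces secure transports needs.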