[OE-core] [oe] BlueZ old releases have new checksums

Chris Larson clarson at kergoth.com
Thu Jan 5 00:16:51 UTC 2012


On Wed, Jan 4, 2012 at 3:02 PM, Denys Dmytriyenko <denis at denix.org> wrote:
> On Wed, Jan 04, 2012 at 12:53:25PM -0800, Khem Raj wrote:
>> On Wed, Jan 4, 2012 at 12:14 PM, Chris Larson <clarson at kergoth.com> wrote:
>> > On Wed, Jan 4, 2012 at 11:14 AM, Denys Dmytriyenko <denis at denix.org> wrote:
>> >> The main archive of BlueZ/obexd/hcidump releases on kernel.org[1] finally
>> >> re-appeared after missing for a long time since kernel.org compromise.
>> >> Unfortunately, all previous tarballs have new checksums, breaking builds for
>> >> anyone w/o previous copy cached. Old copies were also extensively mirrored,
>> >> so you never know which one you fetch next time...
>> >
>> > Heh, checksums changing after a security compromise, that's worrisome
>> > :) should diff their contents to see what's going on, or whether it's
>> > just a gzip timestamp change or something.
>>
>> exactly. Make sure the tars are sane
>
> Well, according to BlueZ maintainer[1], he gave the correct tarballs to
> kernel.org people, but for some reason they untarred and re-packed them.
> There's only 4 bytes difference, presumably timestamp...

/me thinks maintainers should tar -cvO | gzip -n if they're going to use gzip ;)

But then, we see it from a rather different perspective than upstreams tend to..
-- 
Christopher Larson
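
The check suggested in this thread, as an added example that is not part of the original message: it compares two `.tar.gz` blobs, reports which byte offsets differ, and confirms whether the difference is confined to the 4-byte MTIME field of the gzip header (offsets 4 to 7, RFC 1952) while the decompressed tar is identical. The function names and the in-memory sample archive are constructed for illustration; `mtime=0` is what `gzip -n` writes.

```python
import gzip, hashlib, io, struct, tarfile

def make_tar() -> bytes:
    """Constructed sample: a one-file tar archive built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed sample file\n"
        info = tarfile.TarInfo("sample-1.0/README")
        info.size, info.mtime = len(data), 1300000000
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def gz(payload: bytes, mtime: int) -> bytes:
    """Compress with an explicit header MTIME (0 matches gzip -n)."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as f:
        f.write(payload)
    return out.getvalue()

def header_mtime(blob: bytes) -> int:
    """Read the little-endian MTIME field at offset 4 of the gzip header."""
    if blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip/deflate stream")
    return struct.unpack_from("<I", blob, 4)[0]

def compare(a: bytes, b: bytes) -> dict:
    """Say where two .tar.gz blobs differ and whether the payloads match."""
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    same_len = len(a) == len(b)
    digest = lambda blob: hashlib.sha256(gzip.decompress(blob)).hexdigest()
    return {
        "diff_offsets": diff,
        # True only when every differing byte lies inside the MTIME field
        "only_mtime_differs": same_len and bool(diff) and set(diff) <= {4, 5, 6, 7},
        "same_payload": digest(a) == digest(b),
        "mtimes": (header_mtime(a), header_mtime(b)),
    }

if __name__ == "__main__":
    tar = make_tar()
    original = gz(tar, 1262304000)   # constructed timestamps
    repacked = gz(tar, 1325376000)
    print(compare(original, repacked))
    # With MTIME zeroed the archive is byte-for-byte reproducible.
    print(hashlib.sha256(gz(tar, 0)).hexdigest() == hashlib.sha256(gz(tar, 0)).hexdigest())
```

A result with `same_payload` true and `only_mtime_differs` true corresponds to the benign re-pack described above; any differing offset outside 4 to 7, or a payload mismatch, means the contents need a real diff.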
