[{"id":1762693,"web_url":"http://patchwork.ozlabs.org/comment/1762693/","msgid":"<7c228b52-f5bf-929b-9acf-07e705ec0198@redhat.com>","list_archive_url":null,"date":"2017-09-04T14:36:39","subject":"Re: [Qemu-devel] [PATCH web 0/2] Secure the download links and more","submitter":{"id":6591,"url":"http://patchwork.ozlabs.org/api/people/6591/","name":"Eric Blake","email":"eblake@redhat.com"},"content":"On 09/04/2017 09:26 AM, Daniel P. Berrange wrote:\n> which gives the $BAD guys plenty chance to compromise your\n> download. Fix this to link to https:// sites exclusively\n> and use the preferred qemu.org domain too. All links are\n> fixed to use https, not merely download site links.\n\nWe should also patch include/qemu-common.h, which lists http:// rather\nthan https:// for the --help output (because at the time the patch was\nfirst written, we did not have https:// fully working yet)","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=eblake@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xmC9Z2RwBz9s7c\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue,  5 Sep 2017 00:37:21 +1000 (AEST)","from localhost ([::1]:47781 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) 
(envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dosV4-0005BA-HQ\n\tfor incoming@patchwork.ozlabs.org; Mon, 04 Sep 2017 10:37:18 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:60955)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <eblake@redhat.com>) id 1dosUa-000583-J9\n\tfor qemu-devel@nongnu.org; Mon, 04 Sep 2017 10:36:53 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <eblake@redhat.com>) id 1dosUV-0002ld-Sx\n\tfor qemu-devel@nongnu.org; Mon, 04 Sep 2017 10:36:48 -0400","from mx1.redhat.com ([209.132.183.28]:35432)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <eblake@redhat.com>) id 1dosUV-0002jX-J0\n\tfor qemu-devel@nongnu.org; Mon, 04 Sep 2017 10:36:43 -0400","from smtp.corp.redhat.com\n\t(int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 790AF3E2B4;\n\tMon,  4 Sep 2017 14:36:41 +0000 (UTC)","from [10.10.120.228] (ovpn-120-228.rdu2.redhat.com [10.10.120.228])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 9E3DD820AB;\n\tMon,  4 Sep 2017 14:36:40 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 790AF3E2B4","To":"\"Daniel P. 
Berrange\" <berrange@redhat.com>, qemu-devel@nongnu.org","References":"<20170904142608.4897-1-berrange@redhat.com>","From":"Eric Blake <eblake@redhat.com>","Openpgp":"url=http://people.redhat.com/eblake/eblake.gpg","Organization":"Red Hat, Inc.","Message-ID":"<7c228b52-f5bf-929b-9acf-07e705ec0198@redhat.com>","Date":"Mon, 4 Sep 2017 09:36:39 -0500","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<20170904142608.4897-1-berrange@redhat.com>","Content-Type":"multipart/signed; micalg=pgp-sha256;\n\tprotocol=\"application/pgp-signature\";\n\tboundary=\"ii1WxNP7GOrRQbQ1L3C5NELWiCPi9agMI\"","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.16","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.30]);\n\tMon, 04 Sep 2017 14:36:41 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","X-Content-Filtered-By":"Mailman/MimeDel 2.1.21","Subject":"Re: [Qemu-devel] [PATCH web 0/2] Secure the download links and more","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"Peter Maydell <peter.maydell@linaro.org>,\n\tPaolo Bonzini 
<pbonzini@redhat.com>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"}},{"id":1766365,"web_url":"http://patchwork.ozlabs.org/comment/1766365/","msgid":"<79e30c8c-9c0b-cd17-5f19-1736124c42d5@redhat.com>","list_archive_url":null,"date":"2017-09-11T15:37:08","subject":"Re: [Qemu-devel] [PATCH web 0/2] Secure the download links and more","submitter":{"id":2701,"url":"http://patchwork.ozlabs.org/api/people/2701/","name":"Paolo Bonzini","email":"pbonzini@redhat.com"},"content":"On 04/09/2017 16:26, Daniel P. Berrange wrote:\n> Peter pointed out a bit of a crazy setup:\n> \n> The front page link to the 2.10.0 tarball is\n> \n>   http://download.qemu-project.org/qemu-2.10.0.tar.xz\n> \n> which gets you a 301 redirect to\n> \n>   http://download.qemu.org/qemu-2.10.0.tar.xz\n> \n> which gets you a 301 redirect to\n> \n>   https://download.qemu.org/qemu-2.10.0.tar.xz...\n> \n> which gives the $BAD guys plenty chance to compromise your\n> download. Fix this to link to https:// sites exclusively\n> and use the preferred qemu.org domain too. All links are\n> fixed to use https, not merely download site links.\n> \n> Daniel P. 
Berrange (2):\n>   Update all links to prefer qemu.org over qemu-project.org\n>   Use https links whereever possible\n> \n>  .htaccess                                            |  6 +++---\n>  _download/source.html                                | 12 ++++++------\n>  _includes/footer.html                                | 18 +++++++++---------\n>  _includes/releases.html                              |  8 ++++----\n>  _posts/2017-02-04-the-new-qemu-website-is-up.md      | 10 +++++-----\n>  _posts/2017-03-19-qemu-in-the-blogs-february-2017.md |  4 ++--\n>  _posts/2017-08-10-deprecation.md                     |  2 +-\n>  contribute.md                                        |  8 ++++----\n>  contribute/report-a-bug.md                           |  6 +++---\n>  documentation.md                                     |  8 ++++----\n>  index.html                                           |  2 +-\n>  11 files changed, 42 insertions(+), 42 deletions(-)\n> \n\nQueued, including changes to the 2.10.0 blog post in patch 2.  
Will push\ntomorrow.\n\nPaolo","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=pbonzini@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xrXFh45NVz9s7B\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 12 Sep 2017 01:40:56 +1000 (AEST)","from localhost ([::1]:58493 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1drQpS-0003HX-K5\n\tfor incoming@patchwork.ozlabs.org; Mon, 11 Sep 2017 11:40:54 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:55225)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <pbonzini@redhat.com>) id 1drQm0-0000fS-4A\n\tfor qemu-devel@nongnu.org; Mon, 11 Sep 2017 11:37:21 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <pbonzini@redhat.com>) id 1drQlw-0004M7-7w\n\tfor qemu-devel@nongnu.org; Mon, 11 Sep 2017 11:37:20 -0400","from mx1.redhat.com ([209.132.183.28]:35916)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <pbonzini@redhat.com>) id 1drQlw-0004Ld-2H\n\tfor qemu-devel@nongnu.org; Mon, 11 Sep 2017 11:37:16 -0400","from smtp.corp.redhat.com\n\t(int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])\n\t(using TLSv1.2 with 
cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 0682737198D;\n\tMon, 11 Sep 2017 15:37:15 +0000 (UTC)","from [10.36.117.6] (ovpn-117-6.ams2.redhat.com [10.36.117.6])\n\tby smtp.corp.redhat.com (Postfix) with ESMTPS id 3871364458;\n\tMon, 11 Sep 2017 15:37:13 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 0682737198D","To":"\"Daniel P. Berrange\" <berrange@redhat.com>, qemu-devel@nongnu.org","References":"<20170904142608.4897-1-berrange@redhat.com>","From":"Paolo Bonzini <pbonzini@redhat.com>","Message-ID":"<79e30c8c-9c0b-cd17-5f19-1736124c42d5@redhat.com>","Date":"Mon, 11 Sep 2017 17:37:08 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170904142608.4897-1-berrange@redhat.com>","Content-Type":"text/plain; charset=utf-8","Content-Language":"en-US","Content-Transfer-Encoding":"7bit","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.11","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.30]);\n\tMon, 11 Sep 2017 15:37:15 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCH web 0/2] Secure the download links and more","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"Peter Maydell 
<peter.maydell@linaro.org>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"}}]