LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

kernel.org compromised

kernel.org compromised

Posted Sep 2, 2011 7:36 UTC (Fri) by pebolle (guest, #35204)
In reply to: kernel.org compromised by pebolle
Parent article: kernel.org compromised

> 0) Does anyone know what the major distributions use as a base for their
> kernel packages: kernel.org tarballs or tarballs created from their copy
> of a git repository? (As far as I know the Fedora kernel packages have a
> tarball as their primary source.)

Well, to answer my own question, if I look at kernel-2.6.40.3-0.fc15.src.rpm (which seems to be the latest kernel pushed for F15) I see it's v.2.6.39 based. And doing a simple md5sum on the copy of linux-2.6.39.tar.bz2 enclosed in that source package shows that is identical to the copy of linux-2.6.39.tar.bz2 I just downloaded for a kernel.org mirror.

Creating bzipped tarballs with identical checksums is rather hard, isn't it? I assume Fedora uses kernel.org tarballs for its packages.

Perhaps someone from the Fedora kernel team could confirm (or deny) that.

(Log in to post comments)

kernel.org compromised

Posted Sep 2, 2011 8:09 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

Yes, Fedora uses kernel.org tarballs. I am a Fedora contributor although not in the kernel team.

kernel.org compromised

Posted Sep 3, 2011 19:31 UTC (Sat) by pebolle (guest, #35204) [Link]

0) Thanks.

1) Note my idea that creating "bzipped tarballs with identical checksums is rather hard" turned out to be entirely incorrect.

2) I was able to create identical bzipped tarballs of linux-2.6.39 and linux-3.0. I also was able to create identical bzip2 versions of a few recent -rc and -stable patches. So it seems the tar an bzip2 formats are more likely to generate reproducible results than I expected. Ditto for the git commands I used to generate their input.

(3) Boring details: for linux-2.6.39 I only needed to add "-c tar.umask=0022" to "git archive" to create an identical tarfile. For the -rc patches I needed to edit one git diff index line (ie, an "index <hash>..<hash> <mode>" line) because one hash abbreviation changed due to, in short, recent additions to the repository. Trivial changes, really. Other files I could easily recreate with rather obvious command lines, like "git diff v3.0..v3.0.4 | bzip2 -9".)

kernel.org compromised

Posted Sep 4, 2011 17:58 UTC (Sun) by joey (subscriber, #328) [Link]

While this is thuroughly offtopic, if you're interested in recreating original tarballs, gz files, and bz files, see pristine-tar. It's not "easy" in the general case, but it's possible. :)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds