[Buildroot] [PATCH v3] ca-certificates: new package

Peter Korsgaard jacmet at uclibc.org
Sun Jan 12 20:32:59 UTC 2014


>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:

Hi,

 > A third alternative is to add a package/pkg/pkg.hash file, which
 > contains the list of files, and their hashes; in fact, the output of the
 > hash util we'd use:
 >     ABCDEF1234567890  foo-1.2.3.patch
 >     ABCDEF1234567890  bla.patch
 >     ABCDEF1234567890  file.bin

That sounds good to me, and is easy to handle. Another alternative would
be to make <pkg>_CHECKSUM a list of hashes, in the same order as the
files are handled (_SOURCE, _EXTRA_DOWNLOADS, _PATCH).


 > Also, we'd have to settle for a hash function. md5 is outdated and
 > subject to attacks; sha1 is still current, but there are known potential
 > attacks; sha2/256 is still very strong for the foreseeable future;
 > sha2/512 seems like a bit overkill, although the time to hash is not
 > very different between sha2/256 and sha2/512.

 > This can be very easily changed, so I've settled for sha2/256 for now.

Next to their strength is also the issue about how likely it is that
those tools are available on the build host. As we would like to check
the hash before downloading, it wouldn't work very well if we needed to
build a host-sha2 or similar.

I don't know what's available on e.g. RHEL, but perhaps sha1 is a safer
bet?

-- 
Bye, Peter Korsgaard
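
As an added example (not part of this thread or of Buildroot itself), a POSIX shell verifier for the "hash  filename" layout quoted above; it tries sha256sum, shasum and openssl in turn to cover the host-tool availability concern raised in the reply. The function names sha256_of and verify_hashes, the sample file names and the hash list are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not Buildroot code: check files against a pkg.hash file laid
# out as "<sha256>  <filename>", using whichever SHA-256 tool the host has.

# Print the SHA-256 of $1, trying the common host tools in turn.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    else
        echo "no SHA-256 tool found on host" >&2; return 2
    fi
}

# verify_hashes HASHFILE DIR: compare every "hash  file" line of HASHFILE with
# DIR/file. Returns 0 if all match, 1 if any file is missing or differs,
# 2 if no hash tool is available. (Filenames with spaces are not handled.)
verify_hashes() {
    hashfile=$1; dir=$2; rc=0
    while read -r expected name; do
        [ -z "$expected" ] && continue              # skip blank lines
        case $expected in '#'*) continue ;; esac     # skip comment lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; rc=1; continue
        fi
        actual=$(sha256_of "$dir/$name") || return 2
        if [ "$actual" = "$expected" ]; then
            echo "OK      $name"
        else
            echo "BAD     $name (expected $expected, got $actual)" >&2; rc=1
        fi
    done < "$hashfile"
    return $rc
}

# Constructed sample: two "downloaded" files, a correct hash list, and a second
# list whose bla.patch entry is wrong (stands in for a corrupted download).
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/foo-1.2.3.patch"
printf 'world\n' > "$demo_dir/bla.patch"
for f in foo-1.2.3.patch bla.patch; do
    echo "$(sha256_of "$demo_dir/$f")  $f"
done > "$demo_dir/good.hash"
{ head -n 1 "$demo_dir/good.hash"; echo "$(printf '%064d' 0)  bla.patch"; } \
    > "$demo_dir/bad.hash"

verify_hashes "$demo_dir/good.hash" "$demo_dir"
verify_hashes "$demo_dir/bad.hash" "$demo_dir" || echo "bad.hash rejected as expected"
```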
