[Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes
Thomas Petazzoni
thomas.petazzoni at free-electrons.com
Sun Oct 26 17:08:55 UTC 2014
Dear Maxime Hadjinlian,
On Sun, 26 Oct 2014 17:35:15 +0100, Maxime Hadjinlian wrote:
> +If +libfoo+ is from GitHub, we can only accept +.hash+ file if the
> +package has a release section and the maintainer has uploaded a release
> +tarball. Otherwise, the automated generated tarball may change through
> +time, rendering a +.hash+ file invalid.
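Review bot: The sentence "Otherwise, the automated generated tarball may change through time" says the archive can change but gives neither a reason nor guidance for a package that has no uploaded release tarball. A reader cannot tell whether such a package should go without a +.hash+ file or be fetched some other way; the text should say which. Wording in the same hunk: "accept +.hash+ file" needs an article ("a +.hash+ file"), "automated generated" should read "automatically generated", and "through time" reads better as "over time".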
I don't really understand this. If the tarball is automatically
generated, then it should always be the same for a given version/tag of
a certain repository, no?
It would be scary if it was not possible to validate the integrity of
all the packages we download from GitHub.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com