[Buildroot] [PATCH] support/download: print dl hash if not provided

Arnout Vandecappelle arnout at mind.be
Mon Oct 23 09:10:32 UTC 2017


 Hi Gaël,

On 11-09-17 21:12, Gaël PORTAY wrote:
> Yann,
> 
> On Sun, Sep 10, 2017 at 11:29:55AM +0200, Yann E. MORIN wrote:
>> Gaël, All,
>>
>> On 2017-07-19 23:18 -0400, Gaël PORTAY spake thusly:
>>> ...
>>>
>>> It also fixes check_one_hash description. check_one_hash() takes three
>>> arguments:
>>>  - algo hash
>>>  - known hash
>>>  - file to hash
>>>
>>> Signed-off-by: Gaël PORTAY <gael.portay at savoirfairelinux.com>
>>
>> NAK from me.
>>
>> The reason we do not want this is that we instead want the user to go
>> fetch the hash(es) as provided by upstream, like in an announcement
>> email, or in an on-the-side hash file.
>>
>> Having the download infra print the locally computed hash defeats the
>> very purpose of hashes: check that we get what upstream provides.
>>
>> We only accept local calculations of hashes for the cases where upstream
>> does not provide any (or too weak) hash.
>>
> 
> Okay.

 Thomas and I discussed this at the BR developer meeting, and we disagree with
Yann that we should make life difficult for people bumping a package :-P. So we
think this patch does have value. Would you be willing to respin it?

 However, the text you propose is not strong enough. How about:

       Please find a hash in the upstream announcement or website
       and add it to ${h_file}
       If upstream doesn't provide a hash and the source is trusted,
       consider adding these lines:


 Also, the most annoying thing actually is that when the hash is wrong, the
just-downloaded file will be removed again. It would be convenient to avoid
removing it, similar to how it is done when the file exists already.

 Regards,
 Arnout

> 
>> As an aside, this patch does two things: fix the comment for
>> check_one_hash() and print the hash. It should be split.
>>
> 
> I will send a patch for this tiny nitpick.
> 
> Regards,
> Gaël

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
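
The behaviour discussed in this message, sketched as an added example (not code from the original e-mail or from Buildroot's support/download). The name check_download, the return codes and the sha256-only handling are assumptions of this example; the hash file is assumed to hold "<algo> <hash> <filename>" lines.

```shell
# Added illustration, not Buildroot's support/download code.
# Hash file lines are assumed to be "<algo> <hash> <filename>"; only sha256 is handled.
# Return codes (chosen for this example): 0 match, 1 mismatch or unsupported type, 2 no hash listed.

# check_one_hash ALGO KNOWN_HASH FILE: the three arguments named in the thread.
check_one_hash() {
    algo="$1"; known="$2"; file="$3"
    [ "$algo" = "sha256" ] || { echo "ERROR: unsupported hash type '$algo'" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$known" ] && return 0
    echo "ERROR: $(basename "$file") has wrong $algo hash:" >&2
    echo "ERROR: expected: $known" >&2
    echo "ERROR: got     : $actual" >&2
    return 1
}

# check_download FILE H_FILE (hypothetical wrapper): check FILE against every entry for it.
check_download() {
    file="$1"; h_file="$2"; base=$(basename "$file"); seen=0
    while read -r algo hash name; do
        case "$algo" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ "$name" = "$base" ] || continue
        seen=1
        # Mismatch: report it but leave the download on disk for inspection.
        check_one_hash "$algo" "$hash" "$file" || return 1
    done < "$h_file"
    [ "$seen" -eq 1 ] && return 0
    # No hash recorded: point at upstream first, then print the locally computed value.
    cat >&2 <<EOF
WARNING: no hash found for ${base}
Please find a hash in the upstream announcement or website
and add it to ${h_file}
If upstream doesn't provide a hash and the source is trusted,
consider adding these lines:
# Locally computed
sha256  $(sha256sum "$file" | cut -d ' ' -f 1)  ${base}
EOF
    return 2
}
```

A caller that treats return code 2 as fatal still forces a conscious decision before the locally computed line is copied into the hash file.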

