[Buildroot] [PATCH 1/1] linuxptp: bump to the latest version

Thomas Petazzoni thomas.petazzoni at free-electrons.com
Sun Sep 10 18:40:51 UTC 2017


Hello,

On Sun, 10 Sep 2017 20:18:06 +0200, Yann E. MORIN wrote:

> Globally, the hash is here for three reasons:
> 
>  1- be sure that what we download is what we expect, to avoid
>     man-in-the-middle attacks, especially on security-sensitive
>     packages: ca-certificates, openssh, dropbear, etc...
> 
>  2- be sure that what we download is what we expect, to avoid silent
>     corruption of the downloaded blob, or to avoid fscked-up by
>     intermediate CDNs (already seen!)
> 
>  3- detect when upstream completely messes up, and redoes a release,
>     like regenerating a release tarball, or re-tagging another commit,
>     after the previous one went public.

I think there is also another reason for the hashes to exist: if you
fetch from a BR2_PRIMARY_SITE or from the BR2_BACKUP_SITE, you're
really fetching tarballs, and not doing git clones. So in this case,
having a hash makes a lot of sense.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


