[Buildroot] [PATCH 1/1] linuxptp: bump to the latest version
Thomas Petazzoni
thomas.petazzoni at free-electrons.com
Sun Sep 10 18:40:51 UTC 2017
Hello,
On Sun, 10 Sep 2017 20:18:06 +0200, Yann E. MORIN wrote:
> Globally, the hash is here for three reasons:
>
> 1- be sure that what we download is what we expect, to avoid
> man-in-the-middle attacks, especially on security-sensitive
> packages: ca-certificates, openssh, dropbear, etc...
>
> 2- be sure that what we download is what we expect, to avoid silent
> corruption of the downloaded blob, or to avoid fscked-up by
> intermediate CDNs (already seen!)
>
> 3- detect when upstream completely messes up, and redoes a release,
> like regenerating a release tarball, or re-tagging another commit,
> after the previous one went public.
I think there is also another reason for the hashes to exist: if you
fetch from a BR2_PRIMARY_SITE or from the BR2_BACKUP_SITE, you're
really fetching tarballs, and not doing git clones. So in this case,
having a hash makes a lot of sense.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
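
The check discussed in this thread, as an added example that is not part of the original mail and is not Buildroot's own code: a downloaded tarball is compared against a pinned entry in the three-column `<algorithm>  <digest>  <filename>` hash-file layout, whichever site served it. The function names, the file name `pkg-1.0.tar.gz` and the tarball contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def parse_hash_file(text):
    """Parse '<algo>  <hex digest>  <filename>' lines; '#' lines are comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed hash line: {raw!r}")
        algo, digest, name = fields
        entries.setdefault(name, []).append((algo.lower(), digest.lower()))
    return entries

def check_download(path, entries):
    """Return 'ok', 'mismatch' or 'no-hash' for one downloaded file."""
    expected = entries.get(os.path.basename(path))
    if not expected:
        return "no-hash"  # nothing pinned, so the file cannot be vouched for
    for algo, digest in expected:
        h = hashlib.new(algo)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        if not hmac.compare_digest(h.hexdigest(), digest):
            return "mismatch"
    return "ok"

def demo():
    """Constructed data: a fake tarball, its pinned hash, an altered copy."""
    good = b"constructed release tarball contents\n"
    digest = hashlib.sha256(good).hexdigest()
    entries = parse_hash_file(f"# constructed entry\nsha256  {digest}  pkg-1.0.tar.gz\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Same file name from the origin, an altered copy, and an unpinned file.
        for label, name, blob in (("origin", "pkg-1.0.tar.gz", good),
                                  ("altered", "pkg-1.0.tar.gz", good + b"x"),
                                  ("unlisted", "other.tar.gz", good)):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            results[label] = check_download(path, entries)
    return results
```

The "altered" case stands in for any of the situations listed in the thread (tampering in transit, corruption by an intermediary, or a regenerated upstream tarball): all of them surface as the same mismatch against the pinned digest.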