[Buildroot] linux-firmware hash mismatch (tar-1.30)
John Keeping
john at metanate.com
Thu Jan 11 10:55:57 UTC 2018
On Wed, 10 Jan 2018 20:15:38 +0100, Peter Korsgaard wrote:
> >>>>> "John" == John Keeping <john at metanate.com> writes:
>
> > Hi,
> > I'm getting the following error cloning linux-firmware:
>
> > ERROR: linux-firmware-17e6288135d4500f9fe60224dce2b46d850c346b.tar.gz has wrong sha256 hash:
> > ERROR: expected: 28d359523a36c1cdc3e85a8e148bb2d68b036d28b10f0e80a192f3dc29f02c16
> > ERROR: got : bf6fe8d7620949a3e771954cb6d9d18dcf000d37ecc910a7cf69723c1798e246
> > ERROR: Incomplete download, or man-in-the-middle (MITM) attack
>
>
> > After a bit of digging, it looks like this is caused by tar-1.30 which
> > includes the following fix:
>
> > * --numeric-owner now affects private headers too.
>
> > Comparing the tarball created on my system with one from
> > sources.buildroot.net gives the output like this, which shows that the
> > uname/gname fields are set for a GNUTYPE_LONGNAME record in the version
> > from sources.buildroot.net and not set in the version created with
> > tar-1.30:
>
> Gaah, what a mess :/
>
> > I'm not sure whether anything can be done to avoid this problem, but
> > hopefully reporting it will save the next person some debugging time.
>
> I also don't quite see any good solutions either :/
>
> Did you try bringing it up with tar upstream? Perhaps there is a way to
> disable this? Alternatively we can build tar-1.29 for the host and use
> that instead of whichever tar version is available on the build machine,
> but this will slow down the build.
No, I didn't bring it up with tar upstream; I'm not sure there's much
point since it is a clear bug fix to the --numeric-owner option.
I don't think it's possible to reproducibly create bit-identical
archives without using the same software version to produce the archive.
More information about the buildroot
mailing list