[Buildroot] [PATCH] package/dvb-apps: add hash file

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sun Jul 5 12:54:30 UTC 2020


Hello,

+Yann in Cc.

On Fri,  3 Jul 2020 22:05:33 -0300
Sergio Prado <sergio.prado at e-labworks.com> wrote:

> Signed-off-by: Sergio Prado <sergio.prado at e-labworks.com>
> ---
>  package/dvb-apps/dvb-apps.hash | 6 ++++++
>  1 file changed, 6 insertions(+)
>  create mode 100644 package/dvb-apps/dvb-apps.hash
> 
> diff --git a/package/dvb-apps/dvb-apps.hash b/package/dvb-apps/dvb-apps.hash
> new file mode 100644
> index 000000000000..a618cd7765d3
> --- /dev/null
> +++ b/package/dvb-apps/dvb-apps.hash
> @@ -0,0 +1,6 @@
> +# Locally computed:
> +sha256  099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645  dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz

Unfortunately, this doesn't work: it seems like our hashes for
Mercurial fetched packages are not reproducible:

ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong sha256 hash:
ERROR: expected: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
ERROR: got     : 926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
dl-wrapper: Re-downloading 'dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz'...
real URL is https://linuxtv.org/hg/dvb-apps
requesting all changes
adding changesets
adding manifests
adding file changes
added 1506 changesets with 6093 changes to 2111 files
new changesets d9fe7e17226f:3d43b280298c
ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong sha256 hash:
ERROR: expected: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
ERROR: got     : 926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
--2020-07-05 14:51:38--  http://sources.buildroot.net/dvb-apps/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
Resolving sources.buildroot.net (sources.buildroot.net)... 2606:4700:20::681a:25, 2606:4700:20::681a:125, 2606:4700:20::ac43:4838, ...
Connecting to sources.buildroot.net (sources.buildroot.net)|2606:4700:20::681a:25|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 453406 (443K) [application/x-gtar-compressed]
Saving to: ‘/home/thomas/projets/buildroot/output/build/.dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz.MM0BzY/output’

/home/thomas/projets/bui 100%[================================>] 442,78K  1,82MB/s    in 0,2s    

2020-07-05 14:51:38 (1,82 MB/s) - ‘/home/thomas/projets/buildroot/output/build/.dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz.MM0BzY/output’ saved [453406/453406]

dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz: OK (sha256: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645)

Basically, your hash only matches the tarball on sources.buildroot.net,
but not the tarball I can generate locally after cloning from the
Mercurial repository.

Interestingly, python-pygame is also fetched from Mercurial, also has a
hash file, and it is also wrong:

>>> python-pygame d61ea8eabd56 Downloading
requesting all changes
adding changesets
adding manifests
adding file changes
added 3652 changesets with 15404 changes to 1890 files (+17 heads)                                
new changesets 4609a0076cda:48e19c7b9ee9
ERROR: pygame-d61ea8eabd56.tar.gz has wrong sha256 hash:
ERROR: expected: f95a7dd68ea294d415e36e068d2f533c5a01c67773452d14a535c5c7455681fe
ERROR: got     : d5e0a43a4e338de4cb282af0ddd6e671055d6b9290030c27cfac41b1f7801232
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



More information about the buildroot mailing list