[Buildroot] Hash verification from GitHub
Yann E. MORIN
yann.morin.1998 at free.fr
Mon Jan 17 10:17:05 UTC 2022
James, Danilo, All,
On 2022-01-16 15:51 -0700, James Hilliard spake thusly:
> On Sun, Jan 16, 2022 at 3:38 PM Danilo Bargen <mail at dbrgn.ch> wrote:
> > > Just use the hash buildroot generated for you, it should be correct.
> > > (...)
> > > Yeah, it's not going to match since buildroot is doing stuff like
> > > vendoring the cargo deps before generating the tarball
> > Ahh, that explains it. Does this mean that for Cargo based packages, it
> > will always be TOFU and checksums provided by the project / maintainer
> > cannot be used (because they will mismatch)?
> A maintainer could sign the tarball generated by buildroot and upload it to
> github releases if they want.
To be exact: an upstream maintainer (i.e. not a Buildroot maintainer).
> As you can see the script will bail out if the tarball already has
> vendored deps:
> https://github.com/buildroot/buildroot/blob/6e4791b751c0f8e0ba218da2c22e71d3e1436b5d/support/download/cargo-post-process#L16-L19
The script will not "bail out" on pre-vendored tarballs; it will just
exit without touching the tarball at all.
I.e. it means that we prefer using tarballs as-is from their upstreams,
when they are vendored; we only vendor packages which upstreams have
not.
> So as long as the upstream release tarball has vendored deps the hash should
> not change AFAIU.
Yes, this is the goal.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
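The decision described above (leave a tarball alone when upstream already vendored its cargo dependencies, otherwise vendor it, which necessarily changes the hash), as an added shell example. This is not Buildroot's support/download/cargo-post-process nor its .hash handling; the function names, the stand-in for `cargo vendor` (a hand-written vendor/ directory and .cargo/config), and the sample tarballs are all constructed for the demonstration. The "sha256  <hex>  <filename>" line layout is the one Buildroot's .hash files use.

```shell
#!/bin/sh
# Added example (not Buildroot's own code). Needs tar, gzip, sha256sum, awk.

# 0 if the tarball already carries vendor/ or .cargo/config under its single
# top-level directory (upstream vendored it), 1 otherwise.
tarball_is_prevendored() {
    tar -tzf "$1" | grep -E '^[^/]+/(vendor/|\.cargo/config)' >/dev/null
}

# Stand-in for the vendoring post-process: copy pre-vendored tarballs
# unchanged, otherwise unpack, add vendor/ and .cargo/config (a real script
# would run `cargo vendor` here), and repack into $2.
cargo_post_process() {
    src="$1"; dst="$2"
    if tarball_is_prevendored "$src"; then
        cp "$src" "$dst"
        return 0
    fi
    work=$(mktemp -d)
    tar -xzf "$src" -C "$work"
    top=$(ls "$work")
    mkdir -p "$work/$top/vendor/dep-0.1.0" "$work/$top/.cargo"
    printf 'name = "dep"\n' > "$work/$top/vendor/dep-0.1.0/Cargo.toml"
    printf '[source.crates-io]\nreplace-with = "vendored-sources"\n' \
        > "$work/$top/.cargo/config"
    tar -czf "$dst" -C "$work" "$top"
    rm -rf "$work"
}

# Check a tarball against a Buildroot-style .hash file.
# 0 = hash matches, 1 = mismatch, 2 = no sha256 entry for that file name.
verify_hash() {
    hashfile="$1"; tarball="$2"
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$1 == "sha256" && $3 == f { print $2 }' "$hashfile")
    if [ -z "$expected" ]; then return 2; fi
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then return 0; else return 1; fi
}

# Constructed "upstream" releases: plain-1.0 (not vendored) and vend-1.0
# (vendored), plus the hashes upstream would publish for them.
# Prints the directory holding everything.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/plain-1.0/src" "$d/vend-1.0/vendor/dep-0.1.0" "$d/out"
    printf '[package]\nname = "plain"\n' > "$d/plain-1.0/Cargo.toml"
    printf 'fn main() {}\n' > "$d/plain-1.0/src/main.rs"
    printf '[package]\nname = "vend"\n' > "$d/vend-1.0/Cargo.toml"
    printf 'name = "dep"\n' > "$d/vend-1.0/vendor/dep-0.1.0/Cargo.toml"
    tar -czf "$d/plain-1.0.tar.gz" -C "$d" plain-1.0
    tar -czf "$d/vend-1.0.tar.gz" -C "$d" vend-1.0
    for t in plain-1.0.tar.gz vend-1.0.tar.gz; do
        printf 'sha256  %s  %s\n' "$(sha256sum "$d/$t" | cut -d' ' -f1)" "$t"
    done > "$d/upstream.hash"
    echo "$d"
}

# The thread's scenario end to end; returns 0 when every expectation holds:
#  - pre-vendored upstream tarball passes through untouched, upstream hash OK
#  - non-vendored tarball gets vendored, so upstream's hash no longer matches
#  - the raw download of the non-vendored tarball still matches upstream's hash
demo() {
    d=$(make_samples); rc=0
    cargo_post_process "$d/vend-1.0.tar.gz"  "$d/out/vend-1.0.tar.gz"
    cargo_post_process "$d/plain-1.0.tar.gz" "$d/out/plain-1.0.tar.gz"
    verify_hash "$d/upstream.hash" "$d/out/vend-1.0.tar.gz"  || rc=1
    verify_hash "$d/upstream.hash" "$d/out/plain-1.0.tar.gz" && rc=1
    verify_hash "$d/upstream.hash" "$d/plain-1.0.tar.gz"     || rc=1
    rm -rf "$d"
    return $rc
}

if demo; then echo "vendoring/hash expectations hold"; else echo "FAIL"; fi
```

The practical consequence for a package maintainer: an upstream-published checksum can only be copied into the Buildroot .hash file when the upstream tarball is already vendored; otherwise the only hash that can be recorded is the one of the tarball Buildroot itself produces.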