| Field | Value |
|---|---|
| Message ID | 1480344142-6382-1-git-send-email-ash.charles@savoirfairelinux.com |
| State | Rejected |
Hello,

On Mon, 28 Nov 2016 09:42:22 -0500, Ash Charles wrote:

> -The +none+ hash type is reserved to those archives downloaded from a
> -repository, like a 'git clone', a 'subversion checkout'...
> +For archives downloaded from a repository e.g. from a 'git clone', a 'subversion checkout', using a locally-calculated sha256 hash is recommended although the +none+ type has also been used.

The line needs to be wrapped to 72 characters.

Also, I am not sure that the archives we produce from all version
control systems are reproducible. I'm sure it's the case for Git, but
I'm not sure for Subversion, so it might be that your statement is
actually wrong.

In addition, I think the last part "although the +none+ type has also
been used" is a bit confusing.

I think we should rather:

1. Look again closely at which version control systems currently
   produce reproducible archives in Buildroot.

2. Make Buildroot actually check the hashes for the downloads made
   through those version control systems.

3. Update the documentation accordingly, with a clear statement of
   which packages should have hashes, which packages should not.

Best regards,

Thomas
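Thomas's second step, having Buildroot actually check hashes for archives fetched through a version control system, amounts to a verifier that refuses to treat a `none` entry as a pass. The script below is an added example and is not Buildroot's own download or hash-checking code. It assumes the hash file format described in the manual excerpt (whitespace-separated `type hash filename` fields, `#` comment lines) and assumes `none xxx filename` as the form of an entry without a hash; the archive names and bytes are constructed.

```python
"""Parse a Buildroot-style .hash file and verify archives against it.

Added example, not Buildroot's code.  Assumed format: one entry per line,
`<type> <hash> <filename>` separated by any run of spaces or tabs, `#`
comment lines ignored, and a `none` type meaning no hash is recorded.
"""
import hashlib
from collections import defaultdict

SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}


def parse_hash_file(text):
    """Return {filename: [(type, hash), ...]} parsed from hash-file text."""
    entries = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # spaces or tabs, any count, separate fields
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        htype, hval, fname = fields
        if htype != "none" and htype not in SUPPORTED:
            raise ValueError(f"line {lineno}: unknown hash type {htype!r}")
        entries[fname].append((htype, hval.lower()))
    return dict(entries)


def digest(data, htype):
    """Hex digest of `data` with the named hashlib algorithm."""
    return hashlib.new(htype, data).hexdigest()


def make_entry(fname, data, htype="sha256"):
    """Produce a locally-computed hash line for an archive we generated
    ourselves, e.g. from a git clone, as the commit message recommends."""
    return f"{htype}  {digest(data, htype)}  {fname}"


def verify(entries, archives):
    """Check each archive (name -> bytes) against its hash-file entries.

    Returns {filename: status} with status one of "ok", "mismatch",
    "unverified" (only a `none` entry exists) or "no-entry".  A `none`
    entry is deliberately not reported as "ok": the archive's integrity
    was never checked, so a build policy can refuse it explicitly.
    """
    result = {}
    for fname, data in archives.items():
        recorded = entries.get(fname)
        if not recorded:
            result[fname] = "no-entry"
            continue
        real = [(t, h) for t, h in recorded if t != "none"]
        if not real:
            result[fname] = "unverified"
            continue
        ok = all(digest(data, t) == h for t, h in real)
        result[fname] = "ok" if ok else "mismatch"
    return result


def demo():
    """Constructed scenario: one archive with locally computed hashes, one
    git-generated archive recorded as `none`, and one not listed at all."""
    foo = b"libfoo-1.2.3 tarball bytes (constructed)"
    bar = b"libbar git-generated tarball bytes (constructed)"
    hash_text = "\n".join([
        "# Locally computed",
        make_entry("libfoo-1.2.3.tar.bz2", foo, "sha256"),
        make_entry("libfoo-1.2.3.tar.bz2", foo, "md5"),
        "# Archive from a git clone; 'none' records no hash (assumed form)",
        "none\txxx\tlibbar-git-abc123.tar.gz",
    ])
    entries = parse_hash_file(hash_text)
    return verify(entries, {
        "libfoo-1.2.3.tar.bz2": foo,
        "libbar-git-abc123.tar.gz": bar,
        "unlisted.tar.gz": b"no entry at all (constructed)",
    })


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10s} {name}")
```

Running it reports `ok` for the archive with real hashes, `unverified` for the `none` entry and `no-entry` for the unlisted file; a build that wants Thomas's step 2 enforced treats anything other than `ok` as a failure.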
On Mon, Nov 28, 2016 at 3:43 PM, Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote:

> The line needs to be wrapped to 72 characters.
>
> Also, I am not sure that the archives we produce from all version
> control systems are reproducible. I'm sure it's the case for Git, but
> I'm not sure for Subversion, so it might be that your statement is
> actually wrong.
>
> In addition, I think the last part "although the +none+ type has also
> been used" is a bit confusing.
>
> I think we should rather:
>
> 1. Look again closely at which version control systems currently
>    produce reproducible archives in Buildroot.
>
> 2. Make Buildroot actually check the hashes for the downloads made
>    through those version control systems.
>
> 3. Update the documentation accordingly, with a clear statement of
>    which packages should have hashes, which packages should not.

Okay--I think this is more than I can dive into at the moment. Either way though, this isn't currently a suitable patch so I've marked it as rejected in patchwork.

--Ash
diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt index a74761c..96948f8 100644 --- a/docs/manual/adding-packages-directory.txt +++ b/docs/manual/adding-packages-directory.txt @@ -480,8 +480,7 @@ this in a comment line above the hashes. The number of spaces does not matter, so one can use spaces (or tabs) to properly align the different fields. -The +none+ hash type is reserved to those archives downloaded from a -repository, like a 'git clone', a 'subversion checkout'... +For archives downloaded from a repository e.g. from a 'git clone', a 'subversion checkout', using a locally-calculated sha256 hash is recommended although the +none+ type has also been used. The example below defines a +sha1+ and a +sha256+ published by upstream for the main +libfoo-1.2.3.tar.bz2+ tarball, an +md5+ from upstream and a
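Review bot: the replacement `+For archives downloaded from a repository ...` line is a single unwrapped line while the surrounding manual text is wrapped at 72 columns; wrap it to match. The wording also leaves the policy ambiguous: it recommends a locally-calculated sha256 for any archive fetched from a repository and then says +none+ "has also been used", without stating whether +none+ is still accepted or whether the recorded hash is actually checked. State one rule, and limit the recommendation to version control systems whose generated archives are reproducible, since a hash of a non-reproducible archive fails on every re-download; the thread notes this is established for git but not confirmed for subversion. A form along the lines of "For archives generated from a 'git clone', record a locally computed +sha256+; for other version control systems keep +none+ until their archives are known to be reproducible" would remove the ambiguity.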
Archives created from source control systems should still use a hash
file with a locally-computed e.g. sha256 hash. As discussed [1], using
the 'none' type is no longer a best practice so update the
documentation to clarify this.

[1] http://lists.busybox.net/pipermail/buildroot/2016-November/178165.html

Signed-off-by: Ash Charles <ash.charles@savoirfairelinux.com>
---
 docs/manual/adding-packages-directory.txt | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)