package/dvb-apps: add hash file

Message ID	20200704010533.1854-1-sergio.prado@e-labworks.com
State	Rejected
Headers	show Return-Path: <buildroot-bounces@busybox.net> From: Sergio Prado <sergio.prado@e-labworks.com> To: buildroot@buildroot.org Date: Fri, 3 Jul 2020 22:05:33 -0300 Message-Id: <20200704010533.1854-1-sergio.prado@e-labworks.com> Subject: [Buildroot] [PATCH] package/dvb-apps: add hash file Precedence: list Cc: Sergio Prado <sergio.prado@e-labworks.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" <buildroot-bounces@busybox.net>
Series	package/dvb-apps: add hash file \| expand package/dvb-apps: add hash file

Sergio Prado July 4, 2020, 1:05 a.m. UTC

Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
---
 package/dvb-apps/dvb-apps.hash | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 package/dvb-apps/dvb-apps.hash

Thomas Petazzoni July 5, 2020, 12:54 p.m. UTC | #1

Hello,

+Yann in Cc.

On Fri,  3 Jul 2020 22:05:33 -0300
Sergio Prado <sergio.prado@e-labworks.com> wrote:

> Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
> ---
>  package/dvb-apps/dvb-apps.hash | 6 ++++++
>  1 file changed, 6 insertions(+)
>  create mode 100644 package/dvb-apps/dvb-apps.hash
> 
> diff --git a/package/dvb-apps/dvb-apps.hash b/package/dvb-apps/dvb-apps.hash
> new file mode 100644
> index 000000000000..a618cd7765d3
> --- /dev/null
> +++ b/package/dvb-apps/dvb-apps.hash
> @@ -0,0 +1,6 @@
> +# Locally computed:
> +sha256  099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645  dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz

Unfortunately, this doesn't work: it seems like our hashes for
Mercurial fetched packages are not reproducible:

ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong sha256 hash:
ERROR: expected: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
ERROR: got     : 926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
dl-wrapper: Re-downloading 'dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz'...
real URL is https://linuxtv.org/hg/dvb-apps
requesting all changes
adding changesets
adding manifests
adding file changes
added 1506 changesets with 6093 changes to 2111 files
new changesets d9fe7e17226f:3d43b280298c
ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong sha256 hash:
ERROR: expected: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
ERROR: got     : 926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
--2020-07-05 14:51:38--  http://sources.buildroot.net/dvb-apps/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
Resolving sources.buildroot.net (sources.buildroot.net)... 2606:4700:20::681a:25, 2606:4700:20::681a:125, 2606:4700:20::ac43:4838, ...
Connecting to sources.buildroot.net (sources.buildroot.net)|2606:4700:20::681a:25|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 453406 (443K) [application/x-gtar-compressed]
Saving to: ‘/home/thomas/projets/buildroot/output/build/.dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz.MM0BzY/output’

/home/thomas/projets/bui 100%[================================>] 442,78K  1,82MB/s    in 0,2s    

2020-07-05 14:51:38 (1,82 MB/s) - ‘/home/thomas/projets/buildroot/output/build/.dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz.MM0BzY/output’ saved [453406/453406]

dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz: OK (sha256: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645)

Basically, your hash only matches the tarball on sources.buildroot.net,
but not the tarball I can generate locally after cloning from the
Mercurial repository.

Interestingly, python-pygame is also fetched from Mercurial, also has a
hash file, and it is also wrong:

>>> python-pygame d61ea8eabd56 Downloading
requesting all changes
adding changesets
adding manifests
adding file changes
added 3652 changesets with 15404 changes to 1890 files (+17 heads)                                
new changesets 4609a0076cda:48e19c7b9ee9
ERROR: pygame-d61ea8eabd56.tar.gz has wrong sha256 hash:
ERROR: expected: f95a7dd68ea294d415e36e068d2f533c5a01c67773452d14a535c5c7455681fe
ERROR: got     : d5e0a43a4e338de4cb282af0ddd6e671055d6b9290030c27cfac41b1f7801232
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

Best regards,

Thomas

Yann E. MORIN July 5, 2020, 5:37 p.m. UTC | #2

Thomas, Sergio, All,

On 2020-07-05 14:54 +0200, Thomas Petazzoni spake thusly:
> On Fri,  3 Jul 2020 22:05:33 -0300
> Sergio Prado <sergio.prado@e-labworks.com> wrote:
> > Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
> > +# Locally computed:
> > +sha256  099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645  dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
> 
> Unfortunately, this doesn't work: it seems like our hashes for
> Mercurial fetched packages are not reproducible:

They should be. It was my experience that hg does produce reproducible
archives, even without a complexe dance like we do with the git backend.
See commit 76b51f90c0e which purportedly made them reproducible.

> ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong sha256 hash:
> ERROR: expected: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
> ERROR: got     : 926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57

I too got that 926208 sha256 here, with two different hg versions: 3.7.3
and 4.8.2.

> --2020-07-05 14:51:38--  http://sources.buildroot.net/dvb-apps/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz

dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz  2014-Sep-01 16:03:23 442.7K application/x-gtar-compressed

So, this file was created before the commit that made the archives
reproducible. So, no surprise that the sha256 does not match the
locally-created archive but that from s.b.o.

> Interestingly, python-pygame is also fetched from Mercurial, also has a
> hash file, and it is also wrong:
> 
> >>> python-pygame d61ea8eabd56 Downloading

A full sha1 should be used, rather than a shortened one.

The python-pygame archive was however created after commit 76b51f90c0e...

> requesting all changes
> adding changesets
> adding manifests
> adding file changes
> added 3652 changesets with 15404 changes to 1890 files (+17 heads)                                
> new changesets 4609a0076cda:48e19c7b9ee9
> ERROR: pygame-d61ea8eabd56.tar.gz has wrong sha256 hash:
> ERROR: expected: f95a7dd68ea294d415e36e068d2f533c5a01c67773452d14a535c5c7455681fe
> ERROR: got     : d5e0a43a4e338de4cb282af0ddd6e671055d6b9290030c27cfac41b1f7801232

I too git d5e0a43a4e33.

What machine is pushing the archives to s.b.o. ?

Regards,
Yann E. MORIN.

Sergio Prado July 5, 2020, 5:40 p.m. UTC | #3

Hello,

> > diff --git a/package/dvb-apps/dvb-apps.hash
b/package/dvb-apps/dvb-apps.hash
> > new file mode 100644
> > index 000000000000..a618cd7765d3
> > --- /dev/null
> > +++ b/package/dvb-apps/dvb-apps.hash
> > @@ -0,0 +1,6 @@
> > +# Locally computed:
> > +sha256
 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
 dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
>
> Unfortunately, this doesn't work: it seems like our hashes for
> Mercurial fetched packages are not reproducible:
>
> ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong
sha256 hash:
> ERROR: expected:
099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
> ERROR: got     :
926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> dl-wrapper: Re-downloading
'dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz'...
> real URL is https://linuxtv.org/hg/dvb-apps
> requesting all changes
> adding changesets
> adding manifests
> adding file changes
> added 1506 changesets with 6093 changes to 2111 files
> new changesets d9fe7e17226f:3d43b280298c
> ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong
sha256 hash:
> ERROR: expected:
099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
> ERROR: got     :
926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> --2020-07-05 14:51:38--
http://sources.buildroot.net/dvb-apps/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
> Resolving sources.buildroot.net (sources.buildroot.net)...
2606:4700:20::681a:25, 2606:4700:20::681a:125, 2606:4700:20::ac43:4838, ...
> Connecting to sources.buildroot.net (sources.buildroot.net)|2606:4700:20::681a:25|:80...
connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 453406 (443K) [application/x-gtar-compressed]
> Saving to:
‘/home/thomas/projets/buildroot/output/build/.dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz.MM0BzY/output’
>
> /home/thomas/projets/bui 100%[================================>] 442,78K
 1,82MB/s    in 0,2s
>
> 2020-07-05 14:51:38 (1,82 MB/s) -
‘/home/thomas/projets/buildroot/output/build/.dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz.MM0BzY/output’
saved [453406/453406]
>
> dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz: OK (sha256:
099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645)
>
> Basically, your hash only matches the tarball on sources.buildroot.net,
> but not the tarball I can generate locally after cloning from the
> Mercurial repository.

Indeed I removed sources.buildroot.net from the mirrors location and got
the same error. What's interesting is that I got the same hash as you. So
the tar generated in our machines was exactly the same, but it is different
from the one hosted in sources.buildroot.net.

>>> dvb-apps 3d43b280298c39a67d1d889e01e173f52c12da35 Downloading
real URL is https://linuxtv.org/hg/dvb-apps
requesting all changes
adding changesets
adding manifests
adding file changes
added 1506 changesets with 6093 changes to 2111 files


new changesets d9fe7e17226f:3d43b280298c
ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong
sha256 hash:
ERROR: expected:
099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
ERROR: got     :
926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
package/pkg-generic.mk:167: recipe for target
'/opt/build/buildroot/build/dvb-apps/qemu_arm_uclibc_ext/build/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35/.stamp_downloaded'
failed
make[1]: ***
[/opt/build/buildroot/build/dvb-apps/qemu_arm_uclibc_ext/build/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35/.stamp_downloaded]
Error 1
Makefile:23: recipe for target '_all' failed
make: *** [_all] Error 2

I also notice that there is a path in the tar file metadata fetched from
sources.buildroot.net (the generated locally doesn't have this path).

$ xxd dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
00000000: 1f8b 0808 6c92 2c53 02ff 2f68 6f6d 652f  ....l.,S../home/
00000010: 7065 6b6f 2f73 6f75 7263 652f 6275 696c  peko/source/buil
00000020: 6472 6f6f 742f 6f75 7470 7574 2f62 7569  droot/output/bui
00000030: 6c64 2f2e 6476 622d 6170 7073 2d33 6434  ld/.dvb-apps-3d4
00000040: 3362 3238 3032 3938 6333 3961 3637 6431  3b280298c39a67d1
00000050: 6438 3839 6530 3165 3137 3366 3532 6331  d889e01e173f52c1
00000060: 3264 6133 352e 7461 722e 677a 2e38 7363  2da35.tar.gz.8sc
00000070: 326a 6f2f 6f75 7470 7574 00ec bd6b 7b1b  2jo/output...k{.
00000080: 3792 28bc 5fd5 bf02 af66 662d 6629 8a17  7.(._....ff-f)..
00000090: dd6c c599 5014 6571 425d 4252 76bc 3939  .l..P.eqB]BRv.99

Best regards,

Sergio Prado

Yann E. MORIN July 6, 2020, 5:21 p.m. UTC | #4

Sergio, All,

On 2020-07-05 14:40 -0300, Sergio Prado spake thusly:
> > > diff --git a/package/dvb-apps/dvb-apps.hash b/package/dvb-apps/dvb-apps.hash
> > > new file mode 100644
> > > index 000000000000..a618cd7765d3
> > > --- /dev/null
> > > +++ b/package/dvb-apps/dvb-apps.hash
> > > @@ -0,0 +1,6 @@
> > > +# Locally computed:
> > > +sha256  099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
>  dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
> >
> > Unfortunately, this doesn't work: it seems like our hashes for
> > Mercurial fetched packages are not reproducible:
> > ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has wrong sha256 hash:
> > ERROR: expected: 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
> > ERROR: got     : 926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
> Indeed I removed  [8]sources.buildroot.net from the mirrors location and got the same error. What's interesting is that I
> got the same hash as you. So the tar generated in our machines was exactly the same, but it is different from the one hosted in
> [9]sources.buildroot.net.

As I explained in my previous reply, is that the archive on s.b.o. was
generated before the hg backend was made reproducible. It now is.

[--SNIP--]
> I also notice that there is a path in the tar file metadata fetched from [12]sources.buildroot.net (the generated locally doesn't
> have this path).

Yes, see commit 76b51f90c0e; quoting:

    (The reason is that in the first case, a temporary file is created and
    then compressed, and gzip is adding the filename and its timestamp in
    the gzip header, while in the second case, there is no temporary file,
    and thus no timestamp and thus it is reproducible.)

Regards,
Yann E. MORIN.

Sergio Prado July 6, 2020, 8:14 p.m. UTC | #5

Yann, All,

Em seg., 6 de jul. de 2020 às 14:21, Yann E. MORIN <yann.morin.1998@free.fr>
escreveu:
>
> Sergio, All,
>
> On 2020-07-05 14:40 -0300, Sergio Prado spake thusly:
> > > > diff --git a/package/dvb-apps/dvb-apps.hash
b/package/dvb-apps/dvb-apps.hash
> > > > new file mode 100644
> > > > index 000000000000..a618cd7765d3
> > > > --- /dev/null
> > > > +++ b/package/dvb-apps/dvb-apps.hash
> > > > @@ -0,0 +1,6 @@
> > > > +# Locally computed:
> > > > +sha256
 099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
> >  dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
> > >
> > > Unfortunately, this doesn't work: it seems like our hashes for
> > > Mercurial fetched packages are not reproducible:
> > > ERROR: dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz has
wrong sha256 hash:
> > > ERROR: expected:
099ccbad8dc7263cbeae4c8439f181fb0c031624d8afb40d00bb7462aa1ea645
> > > ERROR: got     :
926208b7e711b4bab1a909ff9bf4e6ae54acdd30a46f5d5bd700ecb088fe1f57
> > Indeed I removed  [8]sources.buildroot.net from the mirrors location
and got the same error. What's interesting is that I
> > got the same hash as you. So the tar generated in our machines was
exactly the same, but it is different from the one hosted in
> > [9]sources.buildroot.net.
>
> As I explained in my previous reply, is that the archive on s.b.o. was
> generated before the hg backend was made reproducible. It now is.

Great, thanks. I'll send v2 with the correct hash. But for the build to
work, the archive should be deleted/updated on s.b.o.

Thanks,

Sergio Prado
Embedded Labworks

Thomas Petazzoni July 7, 2020, 10:21 a.m. UTC | #6

Hello,

On Sun, 5 Jul 2020 19:37:02 +0200
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> I too got that 926208 sha256 here, with two different hg versions: 3.7.3
> and 4.8.2.
> 
> > --2020-07-05 14:51:38--  http://sources.buildroot.net/dvb-apps/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz  
> 
> dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz  2014-Sep-01 16:03:23 442.7K application/x-gtar-compressed
> 
> So, this file was created before the commit that made the archives
> reproducible. So, no surprise that the sha256 does not match the
> locally-created archive but that from s.b.o.

Here, since there is no hash file for dvb-apps in Buildroot in any
Buildroot version, we could change the tarball on sources.b.o.

It would of course be nicer if we could bump the version of dvb-apps,
so that we can keep this older tarball unchanged. But that's not
strictly required as we have never had any hash file for this package.

> The python-pygame archive was however created after commit 76b51f90c0e...
> 
> > requesting all changes
> > adding changesets
> > adding manifests
> > adding file changes
> > added 3652 changesets with 15404 changes to 1890 files (+17 heads)                                
> > new changesets 4609a0076cda:48e19c7b9ee9
> > ERROR: pygame-d61ea8eabd56.tar.gz has wrong sha256 hash:
> > ERROR: expected: f95a7dd68ea294d415e36e068d2f533c5a01c67773452d14a535c5c7455681fe
> > ERROR: got     : d5e0a43a4e338de4cb282af0ddd6e671055d6b9290030c27cfac41b1f7801232  
> 
> I too git d5e0a43a4e33.
> 
> What machine is pushing the archives to s.b.o. ?

I've added Peter in Cc, as he is taking care of the sources.b.o
maintenance. I think it is done on the OSUOSL machine, because Peter
has a script update-br-mirror.sh on this machine.

This machine has:

$ hg --version
Mercurial Distributed SCM (version 2.6.2)

So it is even older than the 3.x and 4.x Mercurial versions you have
tested.

Thomas

Peter Korsgaard July 7, 2020, 1:12 p.m. UTC | #7

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

Hi,

 > I've added Peter in Cc, as he is taking care of the sources.b.o
 > maintenance. I think it is done on the OSUOSL machine, because Peter
 > has a script update-br-mirror.sh on this machine.

Indeed. That machine runs CentOS 7:

cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"

Sergio Prado July 7, 2020, 7:55 p.m. UTC | #8

Thomas, All,

Em ter., 7 de jul. de 2020 às 07:21, Thomas Petazzoni <
thomas.petazzoni@bootlin.com> escreveu:
>
> Hello,
>
> On Sun, 5 Jul 2020 19:37:02 +0200
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>
> > I too got that 926208 sha256 here, with two different hg versions: 3.7.3
> > and 4.8.2.
> >
> > > --2020-07-05 14:51:38--
http://sources.buildroot.net/dvb-apps/dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz
> >
> > dvb-apps-3d43b280298c39a67d1d889e01e173f52c12da35.tar.gz  2014-Sep-01
16:03:23 442.7K application/x-gtar-compressed
> >
> > So, this file was created before the commit that made the archives
> > reproducible. So, no surprise that the sha256 does not match the
> > locally-created archive but that from s.b.o.
>
> Here, since there is no hash file for dvb-apps in Buildroot in any
> Buildroot version, we could change the tarball on sources.b.o.
>
> It would of course be nicer if we could bump the version of dvb-apps,
> so that we can keep this older tarball unchanged. But that's not
> strictly required as we have never had any hash file for this package.

Unfortunately there is no new version available. We are already using the
last commit from the repo:

$ hg clone https://linuxtv.org/hg/dvb-apps
destination directory: dvb-apps
requesting all changes
adding changesets
adding manifests
adding file changes
added 1506 changesets with 6093 changes to 2111 files
new changesets d9fe7e17226f:3d43b280298c
updating to branch default
$ cd dvb-apps/
$ hg branches
default                     1505:3d43b280298c
$ hg --debug id -i
3d43b280298c39a67d1d889e01e173f52c12da35

Best regards,

Sergio Prado

Yann E. MORIN July 8, 2020, 4:35 p.m. UTC | #9

Thomas, Peter, All,

On 2020-07-07 12:21 +0200, Thomas Petazzoni spake thusly:
> On Sun, 5 Jul 2020 19:37:02 +0200
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> > I too got that 926208 sha256 here, with two different hg versions: 3.7.3
> > and 4.8.2.
[--SNIP--]
> Here, since there is no hash file for dvb-apps in Buildroot in any
> Buildroot version, we could change the tarball on sources.b.o.

Yup. I'd like to push the v2 from Sergio shortly. Peter, will you be in
a position to remove the archives, the one in the per-package sub-dir,m
and the one in the main dir, once the patch is applied?

> > What machine is pushing the archives to s.b.o. ?
> This machine has:
> $ hg --version
> Mercurial Distributed SCM (version 2.6.2)
> So it is even older than the 3.x and 4.x Mercurial versions you have
> tested.

That should not really matter, because the output of hg-archive has been
pretty stable. I also tested 2.8.2 (the one in my autobuilder), and it
too generated reproducible archives; I don;t expect 2.6 to be any
different (but I'm often wrong).

Regards,
Yann E. MORIN.

Thomas Petazzoni July 8, 2020, 4:51 p.m. UTC | #10

On Wed, 8 Jul 2020 18:35:00 +0200
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> > Here, since there is no hash file for dvb-apps in Buildroot in any
> > Buildroot version, we could change the tarball on sources.b.o.  
> 
> Yup. I'd like to push the v2 from Sergio shortly. Peter, will you be in
> a position to remove the archives, the one in the per-package sub-dir,m
> and the one in the main dir, once the patch is applied?

The archive can actually be dropped *now*, so that we can verify that
the new one that gets produced on the sources.b.o server has the
correct hash. This should ideally be done *before* applying Sergio's
patch.

Thomas

Peter Korsgaard July 8, 2020, 4:59 p.m. UTC | #11

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Thomas, Peter, All,
 > On 2020-07-07 12:21 +0200, Thomas Petazzoni spake thusly:
 >> On Sun, 5 Jul 2020 19:37:02 +0200
 >> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
 >> > I too got that 926208 sha256 here, with two different hg versions: 3.7.3
 >> > and 4.8.2.
 > [--SNIP--]
 >> Here, since there is no hash file for dvb-apps in Buildroot in any
 >> Buildroot version, we could change the tarball on sources.b.o.

 > Yup. I'd like to push the v2 from Sergio shortly. Peter, will you be in
 > a position to remove the archives, the one in the per-package sub-dir,m
 > and the one in the main dir, once the patch is applied?

Sure!

 >> > What machine is pushing the archives to s.b.o. ?
 >> This machine has:
 >> $ hg --version
 >> Mercurial Distributed SCM (version 2.6.2)
 >> So it is even older than the 3.x and 4.x Mercurial versions you have
 >> tested.

 > That should not really matter, because the output of hg-archive has been
 > pretty stable. I also tested 2.8.2 (the one in my autobuilder), and it
 > too generated reproducible archives; I don;t expect 2.6 to be any
 > different (but I'm often wrong).

;)

Peter Korsgaard July 8, 2020, 5:03 p.m. UTC | #12

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > On Wed, 8 Jul 2020 18:35:00 +0200
 > "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

 >> > Here, since there is no hash file for dvb-apps in Buildroot in any
 >> > Buildroot version, we could change the tarball on sources.b.o.  
 >> 
 >> Yup. I'd like to push the v2 from Sergio shortly. Peter, will you be in
 >> a position to remove the archives, the one in the per-package sub-dir,m
 >> and the one in the main dir, once the patch is applied?

 > The archive can actually be dropped *now*, so that we can verify that
 > the new one that gets produced on the sources.b.o server has the
 > correct hash. This should ideally be done *before* applying Sergio's
 > patch.

Done.

package/dvb-apps: add hash file

Commit Message

Comments

Patch