[2/7,v4] package infra: do not check hashes when downloading from a repository

Message ID b172905fe4ddd1944cc14df21cc33d527c755a80.1427840060.git.yann.morin.1998@free.fr
State Accepted

Commit Message

Yann E. MORIN March 31, 2015, 10:15 p.m. UTC
When downloading from a repository, we have no way to ensure the
reproducibility of the generated archives, so we can't check the hashes.

Do not specify a hash file in those cases.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

---
Changes v2 -> v3:
  - add blurb in the manual  (Arnout)
---
 docs/manual/adding-packages-directory.txt | 6 ++++++
 package/pkg-download.mk                   | 5 -----
 2 files changed, 6 insertions(+), 5 deletions(-)

Comments

Arnout Vandecappelle April 2, 2015, 9:38 p.m. UTC | #1
On 01/04/15 00:15, Yann E. MORIN wrote:
> When downloading from a repository, we have no way to ensure the
> reproducibility of the generated archives, so we can't check the hashes.
> 
> Do not specify a hash file in those cases.
> 
> Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

 And now I also reviewed the manual update.

 Regards,
 Arnout

> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> 
> ---
> Changes v2 -> v3:
>   - add blurb in the manual  (Arnout)
[snip]
Yann E. MORIN April 2, 2015, 9:49 p.m. UTC | #2
Arnout, All,

On 2015-04-02 23:38 +0200, Arnout Vandecappelle spake thusly:
> On 01/04/15 00:15, Yann E. MORIN wrote:
> > When downloading from a repository, we have no way to ensure the
> > reproducibility of the generated archives, so we can't check the hashes.
> > 
> > Do not specify a hash file in those cases.
> > 
> > Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
> > Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> > Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
> 
>  And now I also reviewed the manual update.

Well, I think I just used what you provided in your previous review, so
I assumed your reviewed-by tag was still valid... ;-)

Thanks!

Regards,
Yann E. MORIN.
Arnout Vandecappelle April 2, 2015, 9:57 p.m. UTC | #3
On 02/04/15 23:49, Yann E. MORIN wrote:
> Arnout, All,
> 
> On 2015-04-02 23:38 +0200, Arnout Vandecappelle spake thusly:
>> On 01/04/15 00:15, Yann E. MORIN wrote:
>>> When downloading from a repository, we have no way to ensure the
>>> reproducibility of the generated archives, so we can't check the hashes.
>>>
>>> Do not specify a hash file in those cases.
>>>
>>> Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
>>> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
>>> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
>>
>>  And now I also reviewed the manual update.
> 
> Well, I think I just used what you provided in your previous review, so
> I assumed your reviewed-by tag was still valid... ;-)

 Ah, that explains the complete lack of spelling mistakes :-P

 Regards,
 Arnout
Yann E. MORIN April 2, 2015, 10:08 p.m. UTC | #4
Arnout, All,

On 2015-04-02 23:57 +0200, Arnout Vandecappelle spake thusly:
> On 02/04/15 23:49, Yann E. MORIN wrote:
[---SNIP--]
> > Well, I think I just used what you provided in your previous review, so
> > I assumed your reviewed-by tag was still valid... ;-)
> 
>  Ah, that explains the complete lack of spelling mistakes :-P

You now *are* on my List. Beware...

Regards,
Yann E. MORIN.

PS. Muhahaha! ;-)
Patch

diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt
index 1ce9a3b..132c702 100644
--- a/docs/manual/adding-packages-directory.txt
+++ b/docs/manual/adding-packages-directory.txt
@@ -474,4 +474,10 @@  environment variable +BR2_ENFORCE_CHECK_HASH+ to a non-empty value, and
 there is no hash for a downloaded file, Buildroot considers this an
 error, deletes the downloaded file, and aborts.
 
+Sources that are downloaded from a version control system (git, subversion,
+etc...) can not have a hash, because the version control system and tar
+may not create exactly the same file (dates, files ordering...), so the
+hash could be wrong even for a valid download. Therefore, the hash check
+is entirely skipped for such sources.
+
 If the +.hash+ file is missing, then no check is done at all.
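
Review bot: The added paragraph does not say how it interacts with +BR2_ENFORCE_CHECK_HASH+, which the context just above describes as aborting when "there is no hash for a downloaded file", so a reader cannot tell whether a git or subversion package fails under that setting or is exempt from it. Suggest stating the exemption explicitly in this paragraph. The wording "can not have a hash" is also stronger than the reason given ("may not create exactly the same file"): a +.hash+ entry for such an archive can still be written, it is just never checked, so something like "are not checked against a hash" would be more accurate, with a note that any existing entry for such a source is ignored.
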
diff --git a/package/pkg-download.mk b/package/pkg-download.mk
index 5e74519..e274712 100644
--- a/package/pkg-download.mk
+++ b/package/pkg-download.mk
@@ -87,7 +87,6 @@  github = https://github.com/$(1)/$(2)/archive/$(3)
 define DOWNLOAD_GIT
 	$(EXTRA_ENV) $(DL_WRAPPER) -b git \
 		-o $(DL_DIR)/$($(PKG)_SOURCE) \
-		-H $(PKGDIR)/$($(PKG)_RAWNAME).hash \
 		$(QUIET) \
 		-- \
 		$($(PKG)_SITE) \
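
Review bot: With the `-H` line gone from `DOWNLOAD_GIT`, this call depends on `$(DL_WRAPPER)` accepting an invocation without a hash file and treating that as "skip the check", but the wrapper is not one of the two files this patch touches. Suggest the commit message name the patch in the series that makes `-H` optional, so the ordering requirement is visible to anyone bisecting or cherry-picking this change on its own.
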
@@ -109,7 +108,6 @@  endef
 define DOWNLOAD_BZR
 	$(EXTRA_ENV) $(DL_WRAPPER) -b bzr \
 		-o $(DL_DIR)/$($(PKG)_SOURCE) \
-		-H $(PKGDIR)/$($(PKG)_RAWNAME).hash \
 		$(QUIET) \
 		-- \
 		$($(PKG)_SITE) \
@@ -128,7 +126,6 @@  endef
 define DOWNLOAD_CVS
 	$(EXTRA_ENV) $(DL_WRAPPER) -b cvs \
 		-o $(DL_DIR)/$($(PKG)_SOURCE) \
-		-H $(PKGDIR)/$($(PKG)_RAWNAME).hash \
 		$(QUIET) \
 		-- \
 		$(call stripurischeme,$(call qstrip,$($(PKG)_SITE))) \
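
Review bot: Dropping `-H` from `DOWNLOAD_CVS` removes the only integrity check visible in this call, and a package that already carries an entry for this archive in `$(PKGDIR)/$($(PKG)_RAWNAME).hash` will now have it ignored without any message. Unlike a git commit id, a cvs checkout has no content-derived identifier to fall back on, so it is worth either printing a notice when the check is skipped for a repository download or saying in the commit message that existing hash entries for such archives become dead and should be removed.
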
@@ -149,7 +146,6 @@  endef
 define DOWNLOAD_SVN
 	$(EXTRA_ENV) $(DL_WRAPPER) -b svn \
 		-o $(DL_DIR)/$($(PKG)_SOURCE) \
-		-H $(PKGDIR)/$($(PKG)_RAWNAME).hash \
 		$(QUIET) \
 		-- \
 		$($(PKG)_SITE) \
@@ -189,7 +185,6 @@  endef
 define DOWNLOAD_HG
 	$(EXTRA_ENV) $(DL_WRAPPER) -b hg \
 		-o $(DL_DIR)/$($(PKG)_SOURCE) \
-		-H $(PKGDIR)/$($(PKG)_RAWNAME).hash \
 		$(QUIET) \
 		-- \
 		$($(PKG)_SITE) \