From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 5/6] pkg-infra: add possiblity to check downloaded files against known hashes
Date: Fri, 17 Jan 2014 23:41:36 +0100
Message-ID: <20140117224136.GE3982@free.fr>
In-Reply-To: <52D64559.90705@mind.be>

Arnout, All,

On 2014-01-15 09:22 +0100, Arnout Vandecappelle spake thusly:
> On 15/01/14 00:34, Yann E. MORIN wrote:
> >Arnout, All,
> >
> >On 2014-01-14 22:37 +0100, Arnout Vandecappelle spake thusly:
> >>On 13/01/14 00:44, Yann E. MORIN wrote:
> [snip]
> >>>Note-2: The alternative to sha1 would be sha2 (256- or 512-bit), but
> >>>oldish "enterprise-class" distributions may be missing them entirely.
> >>>sha256sum and sha512sum were added to coreutils in 2005-10-23, and RHEL5
> >>>seems to have them. But better be safe than sorry. If sha2 should be
> >>>considered instead of sha1, then it is very easy to switch now. Switching
> >>>later would require that we revalidate all packages that have hashes,
> >>>which could prove to be quite time-demanding if we have lots of
> >>>packages using hashes.
> >>
> >>  We can be more future-safe by storing the hash that is used in the .hash
> >>file itself.
> >
> >Hu?
> 
>  If the hash file contains the following:
> 
> 486fb55c3efa71148fe07895fd713ea3a5ae343a  sha1  libfoo-1.2.3.tar.bz2

OK, I see what you meant, now.

> then you can now let the script check that the second field is sha1, and
> later you can support different hash methods. In that case, it is not
> necessary to update all the files when we want to switch to a new hash
> method.

However, that means the file is no longer the output of:
    sha1sum files-to-check* >package.hash

or of any other hash utility: sha*sum all generate similarly-formatted
outputs:
    hash <two spaces> filename

Which was the reason I chose that format.

If we'd use your suggestion, we'd need a simple way to generate that
file, or it'd be error prone.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
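
Added example, not part of the original message and not Buildroot's own code: a shell sketch of the two pieces this exchange calls for, a generator for the three-field "hash  method  filename" line and a checker that dispatches on the second field. The function names, the sha1/sha256/sha512 allow-list and the return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Buildroot code): helpers for the three-field format
#   <hash>  <method>  <filename>

# gen_hash_line METHOD FILE
# Print one line for FILE, built from the output of the matching sha*sum tool.
gen_hash_line() {
    method=$1
    file=$2
    case "$method" in
        sha1|sha256|sha512) ;;
        *) echo "unsupported hash method: $method" >&2; return 2 ;;
    esac
    # sha*sum prints "<hash>  <filename>"; keep only the hash.
    sum=$("${method}sum" "$file") || return 1
    printf '%s  %s  %s\n' "${sum%% *}" "$method" "$(basename "$file")"
}

# check_hash_file HASHFILE DIR
# Verify every file listed in HASHFILE, looked up under DIR.
# Returns 0 if all match, 1 on a mismatch or a file that cannot be hashed,
# 2 on a malformed line or a method this script does not know.
check_hash_file() {
    hashfile=$1
    dir=$2
    rc=0
    while read -r want method name; do
        case "$want" in ''|'#'*) continue ;; esac
        # A plain two-field sha1sum line leaves $name empty: reject it.
        [ -n "$name" ] || { echo "malformed line: $want $method" >&2; return 2; }
        case "$method" in
            sha1|sha256|sha512) ;;
            *) echo "unsupported hash method: $method" >&2; return 2 ;;
        esac
        case "$name" in
            */*) echo "filename must not contain a path: $name" >&2; return 2 ;;
        esac
        got=$("${method}sum" "$dir/$name" 2>/dev/null) || {
            echo "cannot hash: $name" >&2; rc=1; continue
        }
        [ "${got%% *}" = "$want" ] || { echo "hash mismatch: $name" >&2; rc=1; }
    done <"$hashfile"
    return "$rc"
}
```

Because the checker refuses any method outside its allow-list instead of falling back to a default, a hash file written for a newer method fails loudly on an older script rather than being skipped.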
