From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2] linux-firmware: bump version to latest 1baa348
Date: Fri, 16 Nov 2018 09:35:13 +0100 [thread overview]
Message-ID: <20181116093513.152dc10c@windsurf> (raw)
In-Reply-To: <20181115190558.GM10271@scaer>
Hello,
On Thu, 15 Nov 2018 20:05:58 +0100, Yann E. MORIN wrote:
> > Since we have the same problems sometimes with github tarballs, I think we need
> > a more fundamental solution. I would propose a new tarsha256 hash type, which
> > extracts the tarball to calculate the hash. In a simple version it's not so
> > complicated, something like
> >
> > tar -xf - --to-command=$(TOPDIR)/support/scripts/tarsha256 | sort | sha256sum -
> >
> > where tarsha256 contains:
> >
> > { echo $TAR_FILENAME; echo $TAR_MODE; echo $TAR_FILETYPE; cat - } | \
> > sha256sum - | cut -f 1 -d ' '
> >
> > As usually, entirely untested.
>
> I don't like it, because this is totally non-standard. People expect to
> be able to check hashes by running the *usual* XXXsum commands, directly
> on the shipped/received files.
>
> Introducing our own hash mechanism, how reliable or simple as it would
> be, breaks this assumption, and the tool to actually check them is not
> available at all except internally to Buildroot, so it is not possible
> to reproduce the checks outside of Buildroot.
>
> This goes counter one of the initial goal of hashes, which is to be able
> to track archives and their validity across a supply chain, inbound (as
> sent by a provider to Buildroot, to do the build) or outbound (as received
> by a recepient, from Buildroot, for compliance) alike.
I understand this argument, but do you have some alternative solution ?
Even building our own host-tar and host-gzip doesn't solve entirely the
problem, because it doesn't solve the case of tarballs fetched from
github, that tend to change in subtle ways once in a while.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2018-11-16 8:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-08 15:33 [Buildroot] [PATCH v2] linux-firmware: bump version to latest 1baa348 Marcin Niestroj
2018-11-09 20:57 ` Thomas Petazzoni
2018-11-09 21:06 ` Yann E. MORIN
2018-11-13 17:20 ` Marcin Niestrój
2018-11-13 17:32 ` Marcin Niestrój
2018-11-13 20:02 ` Thomas Petazzoni
2018-11-13 20:29 ` Yann E. MORIN
2018-11-13 20:57 ` Thomas Petazzoni
2018-11-13 23:54 ` Arnout Vandecappelle
2018-11-15 19:05 ` Yann E. MORIN
2018-11-16 8:35 ` Thomas Petazzoni [this message]
2018-11-20 18:50 ` Yann E. MORIN
2018-11-20 23:47 ` Arnout Vandecappelle
2018-11-21 7:13 ` Peter Korsgaard
2018-11-13 21:34 ` Marcin Niestrój
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181116093513.152dc10c@windsurf \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.