From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: James Hilliard <james.hilliard1@gmail.com>
Cc: Danilo Bargen <mail@dbrgn.ch>, buildroot <buildroot@buildroot.org>
Subject: Re: [Buildroot] Hash verification from GitHub
Date: Mon, 17 Jan 2022 11:17:05 +0100 [thread overview]
Message-ID: <20220117101705.GB2313964@scaer> (raw)
In-Reply-To: <CADvTj4pjgwNt4ZnFB2ZmDeZP0nGaGPveqAapCTC+TOx3SEoBrw@mail.gmail.com>
James, Danilo, All,
On 2022-01-16 15:51 -0700, James Hilliard spake thusly:
> On Sun, Jan 16, 2022 at 3:38 PM Danilo Bargen <mail@dbrgn.ch> wrote:
> > > Just use the hash buildroot generated for you, it should be correct.
> > > (...)
> > > Yeah, it's not going to match since buildroot is doing stuff like
> > > vendoring the cargo deps before generating the tarball
> > Ahh, that explains it. Does this mean that for Cargo based packages, it
> > will always be TOFU and checksums provided by the project / maintainer
> > cannot be used (because they will mismatch)?
> A maintainer could sign the tarball generated by buildroot and upload it to
> github releases if they want.
To be exact: an upstream maintainer (i.e. not a Buildroot maintainer).
> As you can see the script will bail out if the tarball already has
> vendored deps:
> https://github.com/buildroot/buildroot/blob/6e4791b751c0f8e0ba218da2c22e71d3e1436b5d/support/download/cargo-post-process#L16-L19
The script will not "bail out" on pre-vendored tarballs; it will just
exit without touching the tarball at all.
I.e. it means that we prefer using tarballs as-is from their upstreams,
when they are vendored; we only vendor packages which upstreams have
not.
> So as long as the upstream release tarball has vendored deps the hash should
> not change AFAIU.
Yes, this is the goal.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-01-17 10:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-16 22:04 [Buildroot] Hash verification from GitHub Danilo Bargen
2022-01-16 22:14 ` James Hilliard
2022-01-16 22:37 ` Danilo Bargen
2022-01-16 22:51 ` James Hilliard
2022-01-17 10:17 ` Yann E. MORIN [this message]
2022-01-17 10:24 ` Danilo Bargen
2022-01-17 10:32 ` Yann E. MORIN
2022-01-17 15:54 ` Yann E. MORIN
2022-01-17 16:06 ` Yann E. MORIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220117101705.GB2313964@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=james.hilliard1@gmail.com \
--cc=mail@dbrgn.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.