Re: [Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES

From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: "Yann E. MORIN" <yann.morin.1998@free.fr>,
	Buildroot List <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES
Date: Wed, 27 Dec 2023 18:18:02 +0100	[thread overview]
Message-ID: <875y0jr2d1.fsf@48ers.dk> (raw)
In-Reply-To: <20231227170759.2902227-1-thomas.petazzoni@bootlin.com> (Thomas Petazzoni's message of "Wed, 27 Dec 2023 18:07:58 +0100")

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > BR2_DOWNLOAD_FORCE_CHECK_HASHES currently has the following
 > dependency:

 > 	depends on BR2_GLOBAL_PATCH_DIR != ""

 > However, strictly speaking checking all hashes does not necessarily
 > require using BR2_GLOBAL_PATCH_DIR, as long as you don't use custom
 > versions.

 > But more importantly:

 > - Having this dependency means that this options is hidden when people
 >   don't use BR2_GLOBAL_PATCH_DIR. Instead the option should always be
 >   made visible, encouraging people to turn it on.

 > - The Config.in comment was there to mitigate this previous argument,
 >   but this comment then shows up all the time when you have an empty
 >   global patch dir.

 > This seems over-complicated, and it sounds much easier to have the
 > option unconditionally available, and visible, and clarify in its help
 > text that in order to this to work fully with custom package versions,
 > BR2_GLOBAL_PATCH_DIR can be used to provide extra hash files.

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 > ---
 >  Config.in | 16 +++++++---------
 >  1 file changed, 7 insertions(+), 9 deletions(-)

 > diff --git a/Config.in b/Config.in
 > index 554b4062eb..75f699154d 100644
 > --- a/Config.in
 > +++ b/Config.in
 > @@ -711,20 +711,18 @@ config BR2_FORCE_HOST_BUILD

 >  config BR2_DOWNLOAD_FORCE_CHECK_HASHES
 >  	bool "Force all downloads to have a valid hash"
 > -	depends on BR2_GLOBAL_PATCH_DIR != ""
 >  	help
 > -	  For packages where a custom version or location can be set,
 > -	  Buildroot does not carry a hash for those custom versions or
 > -	  locations, so the integrity of such downloads is not verified.
 > -
 >  	  Say 'y' here to enforce downloads to have at least one valid
 >  	  hash (and of course, that all hashes be valid).

 > -	  Those hashes are looked in files in BR2_GLOBAL_PATCH_DIR,
 > -	  see above.
 > +	  By default, Buildroot checks hashes of all packages
 > +	  downloaded, except those for which a custom version is
 > +	  used.

 > -comment "Forcing all downloads to have a valid hash needs a global patch and hash directory"
 > -	depends on BR2_GLOBAL_PATCH_DIR = ""
 > +	  With this option turned on, Buildroot will check hashes of
 > +	  all packages, including those have use a custom version. In

s/have use/that use/

 > +	  order to provide hashes for such packages, additional hash
 > +	  files can be placed into BR2_GLOBAL_PATCH_DIR directories.

I guess it is really s/can be/must be/, E.G. the build fails if not
done, right?

Maybe we should mention utils/add-custom-hashes to create such .hash
files?

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot