From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] package/libva: Bump version to 1.4.0
Date: Tue, 7 Oct 2014 23:06:31 +0200 [thread overview]
Message-ID: <20141007210631.GA27580@free.fr> (raw)
In-Reply-To: <XnsA3BFE9C44990FberndkuhlsPkbjNfxxIA@bernd-kuhls.de>
Bernd, All,
On 2014-10-07 22:58 +0200, Bernd Kuhls spake thusly:
> Peter Korsgaard <jacmet@uclibc.org> wrote in
> news:87ppe3fwnn.fsf at dell.be.48ers.dk:
>
> > Committed all 3, thanks. For future patches, it would be good if you
> > would add the tarball hashes as the libva* release announcements had
> > them (I've added them now).
>
> Hi,
>
> ok, I will do so.
>
> Until now I did not really bother for my non-security-related packages
> because I remembered the commit description
> http://git.buildroot.net/buildroot/commit/support/download/check-hash?id=
> 9bd8b59526c4521879f0ae5f765cb1a748725c49 where Yann talked about "sensitive
> packages, related to security: openssl, dropbear, ca-certificates...", so I
> thought hashes are optional[1].
Yes, that is the primary reason for adding hashes. And we do want hashes
for those sensitive packages. However...
> It seems I did not notice the change of
> policy regarding hashes.
> In other words: Is there a reason _not_ to include a hash for a source
> tarball?
... there are a few other good reasons we accept hashes:
- it ensures a broken download is detected, so the user quickly knows
that the tarball is broken because of the download; sometimes,
upstreams breaks their distributions (e.g. the recent sourceforge
breakage...).
- non-compliant downloads are removed (rm -f) so they are not
accidentally used in another context (e.g. I do share my BR2_DL_DIR
with other stuff).
- consequently, it helps the autobuilders prune their failed
downloads.
But in the end there is no clear policy, except:
- we *do* want hashes for security-related packages;
- hashes for other packages are a nice bonus.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2014-10-07 21:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-06 19:28 [Buildroot] [PATCH 1/3] package/libva: Bump version to 1.4.0 Bernd Kuhls
2014-10-06 19:28 ` [Buildroot] [PATCH 2/3] package/libva-intel-driver: " Bernd Kuhls
2014-10-06 19:28 ` [Buildroot] [PATCH 3/3] package/ffmpeg: Bump version to 2.4.2 Bernd Kuhls
2014-10-07 20:32 ` [Buildroot] [PATCH 1/3] package/libva: Bump version to 1.4.0 Peter Korsgaard
2014-10-07 20:58 ` Bernd Kuhls
2014-10-07 21:06 ` Yann E. MORIN [this message]
2014-10-07 21:12 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141007210631.GA27580@free.fr \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox