Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/3] opencv: Remove hash file
@ 2014-10-26 16:35 Maxime Hadjinlian
  2014-10-26 16:35 ` [Buildroot] [PATCH 2/3] libevent: " Maxime Hadjinlian
  2014-10-26 16:35 ` [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes Maxime Hadjinlian
  0 siblings, 2 replies; 7+ messages in thread
From: Maxime Hadjinlian @ 2014-10-26 16:35 UTC (permalink / raw)
  To: buildroot

Since the tarball we download is generated from GitHub, there's no
saying that the tarball won't differ in a month from now.
So the hash has no value there.

An update to the manual should be done.

Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
---
 package/opencv/opencv.hash | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 package/opencv/opencv.hash

diff --git a/package/opencv/opencv.hash b/package/opencv/opencv.hash
deleted file mode 100644
index fc3b750..0000000
--- a/package/opencv/opencv.hash
+++ /dev/null
@@ -1,3 +0,0 @@
-# From https://github.com/itseez/opencv/archive/2.4.10/
-md5	3346a59310d788d3845f4fd6043a108a	opencv-2.4.10.tar.gz
-sha1	a0c2d5944364fc4f26b6160b33c03082b1fa08c1	opencv-2.4.10.tar.gz
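Review bot: deleting package/opencv/opencv.hash removes the only integrity check on opencv-2.4.10.tar.gz, and the commit message does not say what, if anything, replaces it. The deleted comment line records that the md5 and sha1 values were taken from the auto-generated archive URL (https://github.com/itseez/opencv/archive/2.4.10/), which is exactly the kind of tarball this series says cannot be pinned; before dropping the file, check whether the project publishes a maintainer-uploaded release tarball for 2.4.10 that the package could download instead, and keep a hash for that. If the file is ever reinstated, prefer sha256 over md5 and sha1, the only two digests listed here.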
-- 
2.1.1


* [Buildroot] [PATCH 2/3] libevent: Remove hash file
  2014-10-26 16:35 [Buildroot] [PATCH 1/3] opencv: Remove hash file Maxime Hadjinlian
@ 2014-10-26 16:35 ` Maxime Hadjinlian
  2014-10-26 16:35 ` [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes Maxime Hadjinlian
  1 sibling, 0 replies; 7+ messages in thread
From: Maxime Hadjinlian @ 2014-10-26 16:35 UTC (permalink / raw)
  To: buildroot

Since the tarball we download is generated from GitHub, there's no
saying that the tarball won't differ in a month from now.
So the hash has no value there.

An update to the manual should be done.

Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
---
 package/libevent/libevent.hash | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 package/libevent/libevent.hash

diff --git a/package/libevent/libevent.hash b/package/libevent/libevent.hash
deleted file mode 100644
index efa0dc5..0000000
--- a/package/libevent/libevent.hash
+++ /dev/null
@@ -1,2 +0,0 @@
-# Locally calculated after checking pgp signature
-sha256	22a530a8a5ba1cb9c080cba033206b17dacd21437762155c6d30ee6469f574f5	libevent-2.0.21-stable.tar.gz
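Review bot: the justification in the commit message ("generated from GitHub") does not match the deleted file's own comment, "# Locally calculated after checking pgp signature", which says the sha256 for libevent-2.0.21-stable.tar.gz was computed over a PGP-verified file, not over an auto-generated archive. A hash taken from a signed release tarball is precisely the case the series wants to keep, so either confirm that the package's download URL really is a GitHub-generated archive and say so in the commit message, or keep this file.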
-- 
2.1.1


* [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes
  2014-10-26 16:35 [Buildroot] [PATCH 1/3] opencv: Remove hash file Maxime Hadjinlian
  2014-10-26 16:35 ` [Buildroot] [PATCH 2/3] libevent: " Maxime Hadjinlian
@ 2014-10-26 16:35 ` Maxime Hadjinlian
  2014-10-26 16:45   ` Yann E. MORIN
  2014-10-26 17:08   ` Thomas Petazzoni
  1 sibling, 2 replies; 7+ messages in thread
From: Maxime Hadjinlian @ 2014-10-26 16:35 UTC (permalink / raw)
  To: buildroot

We can't take hashes from GitHub, unless the tarball has been uploaded by
the maintainer; otherwise it is generated and may change over time,
which renders hash files useless.

Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: "Yann E. MORIN" <yann.morin.1998@free.fr>
---
 docs/manual/adding-packages-directory.txt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt
index c145829..28312d6 100644
--- a/docs/manual/adding-packages-directory.txt
+++ b/docs/manual/adding-packages-directory.txt
@@ -372,6 +372,11 @@ the hashes of the downloaded files for the +libfoo+ package.
 The hashes stored in that file are used to validate the integrity of the
 downloaded files.
 
+If +libfoo+ is from GitHub, we can only accept +.hash+ file if the
+package has a release section and the maintainer has uploaded a release
+tarball. Otherwise, the automated generated tarball may change through
+time, rendering a +.hash+ file invalid.
+
 The format of this file is one line for each file for which to check the
 hash, each line being space-separated, with these three fields:
 
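Review bot: two wording fixes and one gap in the added paragraph. "we can only accept +.hash+ file" should read "a +.hash+ file", and "the automated generated tarball may change through time" should read "the automatically generated tarball may change over time". More importantly, the paragraph implies the whole +.hash+ file becomes invalid, but the file can also carry hashes for the package's other downloads (for example files added via FOO_EXTRA_DOWNLOADS, as Yann points out in his reply), and those remain perfectly checkable; suggest saying that only the entry for the generated tarball must be omitted, not the file itself, and that a tarball uploaded to the project's GitHub releases page may still be hashed.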
-- 
2.1.1


* [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes
  2014-10-26 16:35 ` [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes Maxime Hadjinlian
@ 2014-10-26 16:45   ` Yann E. MORIN
  2014-10-26 17:08   ` Thomas Petazzoni
  1 sibling, 0 replies; 7+ messages in thread
From: Yann E. MORIN @ 2014-10-26 16:45 UTC (permalink / raw)
  To: buildroot

Maxime, All,

On 2014-10-26 17:35 +0100, Maxime Hadjinlian spake thusly:
> We can't take hash from GitHub, unless the tarball has been uploaded by

*hashes

> the maintainer, otherwise it will generated and may change over time,

...it is generated...

> which renders hash files, useless.
> 
> Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
> Cc: "Yann E. MORIN" <yann.morin.1998@free.fr>
> ---
>  docs/manual/adding-packages-directory.txt | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt
> index c145829..28312d6 100644
> --- a/docs/manual/adding-packages-directory.txt
> +++ b/docs/manual/adding-packages-directory.txt
> @@ -372,6 +372,11 @@ the hashes of the downloaded files for the +libfoo+ package.
>  The hashes stored in that file are used to validate the integrity of the
>  downloaded files.
>  
> +If +libfoo+ is from GitHub, we can only accept +.hash+ file if the
> +package has a release section and the maintainer has uploaded a release
> +tarball. Otherwise, the automated generated tarball may change through

s/through/over/

> +time, rendering a +.hash+ file invalid.

    time, and thus its hashes may be different each time it is downloaded,
    making the +.hash+ file irrelevant for that tarball.

However, the .hash file is not completely irrelevant, in case the
package has extra downloads (with FOO_EXTRA_DOWNLOADS). I'm not sure if
the above makes complete sense...

Regards,
Yann E. MORIN.

>  The format of this file is one line for each file for which to check the
>  hash, each line being space-separated, with these three fields:
>  
> -- 
> 2.1.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes
  2014-10-26 16:35 ` [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes Maxime Hadjinlian
  2014-10-26 16:45   ` Yann E. MORIN
@ 2014-10-26 17:08   ` Thomas Petazzoni
  2014-10-26 17:13     ` Yann E. MORIN
  1 sibling, 1 reply; 7+ messages in thread
From: Thomas Petazzoni @ 2014-10-26 17:08 UTC (permalink / raw)
  To: buildroot

Dear Maxime Hadjinlian,

On Sun, 26 Oct 2014 17:35:15 +0100, Maxime Hadjinlian wrote:

> +If +libfoo+ is from GitHub, we can only accept +.hash+ file if the
> +package has a release section and the maintainer has uploaded a release
> +tarball. Otherwise, the automated generated tarball may change through
> +time, rendering a +.hash+ file invalid.

I don't really understand this. If the tarball is automatically
generated, then it should always be the same for a given version/tag of
a certain repository, no?

It would be scary if it was not possible to validate the integrity of
all the packages we download from github.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes
  2014-10-26 17:08   ` Thomas Petazzoni
@ 2014-10-26 17:13     ` Yann E. MORIN
  2014-10-26 17:16       ` Thomas Petazzoni
  0 siblings, 1 reply; 7+ messages in thread
From: Yann E. MORIN @ 2014-10-26 17:13 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-10-26 18:08 +0100, Thomas Petazzoni spake thusly:
> On Sun, 26 Oct 2014 17:35:15 +0100, Maxime Hadjinlian wrote:
> 
> > +If +libfoo+ is from GitHub, we can only accept +.hash+ file if the
> > +package has a release section and the maintainer has uploaded a release
> > +tarball. Otherwise, the automated generated tarball may change through
> > +time, rendering a +.hash+ file invalid.
> 
> I don't really understand this. If the tarball is automatically
> generated, then it should always be the same for a given version/tag of
> a certain repository, no?

The content of the extracted archive is always the same, except for
timestamps, so the archive itself is not reproducible.

> It would be scary if it was not possible to validate the integrity of
> all the packages we download from github.

But then that's the case for generated tarballs from github: we have
absolutely no way to check them, unless we want to have hashes for the
extracted files themselves (which I doubt we want, as it would be a
nightmare to handle).

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

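Yann's point above (the extracted content is identical apart from timestamps, so only hashes over the extracted files would survive regeneration) and the manual's three-field +.hash+ format quoted earlier in the thread, as an added example that is not Buildroot's own support/download code and does not come from any message in the thread. The script parses and checks a Buildroot-style .hash file, builds a tiny constructed libfoo tarball in memory, "regenerates" it a month later with new member timestamps, and shows that the archive's sha256 no longer matches while a digest over the sorted member names and contents does. The names make_tarball, archive_content_digest, the libfoo sample tree and the timestamps are assumptions for illustration.

```python
import hashlib
import io
import tarfile

# Constructed example: not Buildroot's check-hash script, and the sample tree
# below is made up for illustration.


def parse_hash_file(text):
    """Parse Buildroot's three-field .hash format: '<algo> <hexdigest> <filename>'.

    Blank lines and '#' comment lines are skipped; every other line must have
    exactly three whitespace-separated fields and a digest type hashlib knows.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        algo, digest, name = fields
        try:
            hashlib.new(algo)
        except ValueError:
            raise ValueError(f"line {lineno}: unknown hash type {algo!r}") from None
        entries.append((algo, digest.lower(), name))
    return entries


def check_hashes(entries, files):
    """Check downloaded files (name -> bytes) against parsed .hash entries.

    Returns name -> 'ok', 'mismatch' (some listed digest differs) or
    'no-hash' (the file is not listed at all; Buildroot only warns here).
    """
    results = {}
    for name, data in files.items():
        expected = [(algo, digest) for algo, digest, n in entries if n == name]
        if not expected:
            results[name] = "no-hash"
            continue
        ok = all(hashlib.new(algo, data).hexdigest() == digest for algo, digest in expected)
        results[name] = "ok" if ok else "mismatch"
    return results


def archive_content_digest(tar_bytes):
    """SHA-256 over the sorted member names, types and file contents of a .tar.gz.

    Deliberately ignores mtime, uid/gid and mode, so two archives of the same
    tree generated at different times give the same digest even though the
    archive bytes (and therefore a plain sha256 of the tarball) differ.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in sorted(tf.getmembers(), key=lambda m: m.name):
            h.update(member.name.encode() + b"\0" + member.type + b"\0")
            if member.isfile():
                data = tf.extractfile(member).read()
                h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def make_tarball(files, mtime):
    """Build a .tar.gz in memory with every member stamped `mtime`
    (stands in for an archive regenerated on a given date)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Pin a hash on the first 'download', then re-check a regenerated archive."""
    tree = {  # constructed sample source tree
        "libfoo-1.0/README": b"libfoo\n",
        "libfoo-1.0/foo.c": b"int foo(void) { return 42; }\n",
    }
    first = make_tarball(tree, mtime=1414341300)                     # "generated" 2014-10-26
    regenerated = make_tarball(tree, mtime=1414341300 + 30 * 86400)  # same tag, a month later

    hash_file = (
        "# constructed: sha256 of the first download\n"
        f"sha256\t{hashlib.sha256(first).hexdigest()}\tlibfoo-1.0.tar.gz\n"
    )
    entries = parse_hash_file(hash_file)
    return {
        "first_download": check_hashes(entries, {"libfoo-1.0.tar.gz": first}),
        "regenerated": check_hashes(entries, {"libfoo-1.0.tar.gz": regenerated}),
        "archive_bytes_equal": first == regenerated,
        "content_digests_equal": archive_content_digest(first) == archive_content_digest(regenerated),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The content digest is the "hashes for the extracted files themselves" idea: it survives regeneration because it never looks at the tar headers' timestamps, but it also means the check has to be done after extraction rather than on the download, which is the maintenance cost Yann is objecting to.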

* [Buildroot] [PATCH 3/3] manual: Add notes about GitHub and hashes
  2014-10-26 17:13     ` Yann E. MORIN
@ 2014-10-26 17:16       ` Thomas Petazzoni
  0 siblings, 0 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2014-10-26 17:16 UTC (permalink / raw)
  To: buildroot

Dear Yann E. MORIN,

On Sun, 26 Oct 2014 10:13:05 -0700, Yann E. MORIN wrote:

> > I don't really understand this. If the tarball is automatically
> > generated, then it should always be the same for a given version/tag of
> > a certain repository, no?
> 
> The content of the extracted archive is always the same, except for
> timestamps, so, the archive is not reproducible itself.

The timestamps change each time you generate the tarball? It would be
really weird for github not to have planned to make the tarballs
reproducible for a given version of the repository. If that's really
the case, then maybe it's something we should report to github?

> But then that's the case for generated tarballs from github: we have
> absolutely no way to check them, unless we want to have hashes for the
> extracted files themselves (which I doubt we want, as it would be a
> nightmare to handle).

Indeed, we don't want to go this way.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

