[Buildroot] [PATCH 1/5 v2] support/download: make hash file optional

[Yann E. MORIN <yann.morin.1998@free.fr>]

Arnout, All,

On 2015-03-19 22:03 +0100, Arnout Vandecappelle spake thusly:
> On 17/03/15 13:59, Yann E. MORIN wrote:
> > Currently, specifying a hash file for our download wrapper is mandatory.
> > 
> > However, when we download a git, svn, bzr, hg or cvs tree, there's by
> > design no hash to check the download against.
> > 
> > Since we're going to have hash checking mandatory when a hash file
> > exists, this would break those downloads from a repository.
> > 
> > So, make specifying a hash file optional when calling our download
> > wrapper and bail out early from the check-hash script if no hash file is
> > specified.
> 
>  An alternative approach would be to allow an empty hash in the hash file, e.g.

Well, as I state below, we'll need that. But for git/hg/svn/bzr/cvs
clones/checkouts/... there is intrisically no reason to have a hash, by
design.

Yes, reproducibility. But that's soooo far away... :-/

However...

> # From git => no hash
> none xxx avrdude-eabe067c4527bc2eedc5db9288ef5cf1818ec720.tar.gz

At first, I was not too fond of this, but it turns out we'll have to
have it. Consider the following:

    ifeq ($(FOO_BAR),y)
    FOO_VERSION = long-git-hash
    FOO_SITE = $(call github,foo,bar,$(FOO_VERSION))
    else
    FOO_VERSION = 1.2.3
    FOO_SITE = http://foosoftware.org/download
    endif

Say we add a hash for version 1.2.3; currently, we do not add hashes
for archives downloaded from github, because they seem to be
non-reproducible. However, the github helper is not using git-clone, but
us really just a way to generate an http:// UEL we download with wget.

So, what happens now is that, since hashes are mandatory as long as the
.hash file exists, downloads from github for this foo package is broken.

This is the case for gcc, for example, since we get the arc gcc from
github, and the other versions from the GNU mirror.

So, we'll need a way to state that there is no hash for a file, but that
will have to be explicit.

I'll rework the series to take that in considreation. Thanks! :-)

Regards,
Yann E. MORIN.

>  This has the advantage that we don't have to revert this patch in the future
> when we _do_ make reproducible tarballs (which is not rocket science, the
> reproducible builds people in Debian and Fedora do it). Of course, we'll be
> stuck with a s*tload of hash files that have this empty hash...
> 
>  Regards,
>  Arnout
> 
> -- 
> Arnout Vandecappelle                          arnout at mind be
> Senior Embedded Software Architect            +32-16-286500
> Essensium/Mind                                http://www.mind.be
> G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
> LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
> GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'