Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] documentation: hash source control archives
@ 2016-11-28 14:42 Ash Charles
  2016-11-28 20:43 ` Thomas Petazzoni
  0 siblings, 1 reply; 3+ messages in thread
From: Ash Charles @ 2016-11-28 14:42 UTC (permalink / raw)
  To: buildroot

Archives created from source control systems should still use a hash
file with a locally-computed e.g. sha256 hash. As discussed [1], using
the 'none' type is no longer a best practice so update the
documentation to clarify this.

[1] http://lists.busybox.net/pipermail/buildroot/2016-November/178165.html

Signed-off-by: Ash Charles <ash.charles@savoirfairelinux.com>
---
 docs/manual/adding-packages-directory.txt | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt
index a74761c..96948f8 100644
--- a/docs/manual/adding-packages-directory.txt
+++ b/docs/manual/adding-packages-directory.txt
@@ -480,8 +480,7 @@ this in a comment line above the hashes.
 The number of spaces does not matter, so one can use spaces (or tabs) to
 properly align the different fields.
 
-The +none+ hash type is reserved to those archives downloaded from a
-repository, like a 'git clone', a 'subversion checkout'...
+For archives downloaded from a repository e.g. from a 'git clone', a 'subversion checkout', using a locally-calculated sha256 hash is recommended although the +none+ type has also been used.
 
 The example below defines a +sha1+ and a +sha256+ published by upstream for
 the main +libfoo-1.2.3.tar.bz2+ tarball, an +md5+ from upstream and a
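Review bot: the added line in this hunk is one unwrapped line, far longer than the wrapped context lines around it, so it should be rewrapped to match the rest of the file. Its closing clause, "although the +none+ type has also been used", replaces the old rule ("reserved to those archives downloaded from a repository") without giving a new one: the reader cannot tell whether +none+ is still acceptable for a 'git clone' or a 'subversion checkout'. Suggest stating for each download method whether a sha256 is expected, and setting "e.g." off with commas.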
-- 
2.7.4

* [Buildroot] [PATCH 1/1] documentation: hash source control archives
  2016-11-28 14:42 [Buildroot] [PATCH 1/1] documentation: hash source control archives Ash Charles
@ 2016-11-28 20:43 ` Thomas Petazzoni
  2016-11-28 21:40   ` Ash Charles
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Petazzoni @ 2016-11-28 20:43 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 28 Nov 2016 09:42:22 -0500, Ash Charles wrote:

> -The +none+ hash type is reserved to those archives downloaded from a
> -repository, like a 'git clone', a 'subversion checkout'...
> +For archives downloaded from a repository e.g. from a 'git clone', a 'subversion checkout', using a locally-calculated sha256 hash is recommended although the +none+ type has also been used.

The line needs to be wrapped to 72 characters.

Also, I am not sure that the archives we produce from all version
control systems are reproducible. I'm sure it's the case for Git, but
I'm not sure for Subversion, so it might be that your statement is
actually wrong.

In addition, I think the last part "although the +none+ type has also
been used" is a bit confusing.

I think we should rather:

 1. Look again closely at which version control systems currently
    produce reproducible archives in Buildroot.

 2. Make Buildroot actually check the hashes for the downloads made
    through those version control systems.

 3. Update the documentation accordingly, with a clear statement of
    which packages should have hashes, which packages should not.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
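
The reproducibility concern in the reply above, as an added example that is not part of the thread and not Buildroot's code: a locally computed sha256 only verifies a later download if the archive is rebuilt byte-for-byte. Python's `tarfile` stands in for a version-control export here; the tree, the timestamps, the function names and the `<type> <hash> <filename>` field order are assumptions of the example.

```python
import hashlib
import io
import tarfile

def export_tree(files, checkout_time, normalize):
    """Pack {path: bytes} into an uncompressed tar, standing in for a VCS export.

    normalize=False keeps checkout-dependent metadata (entry order, mtime);
    normalize=True sorts entries and pins mtime so the bytes are stable.
    """
    buf = io.BytesIO()
    names = sorted(files) if normalize else list(files)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)       # uid/gid/uname default to 0/""
            info.size = len(files[name])
            info.mtime = 0 if normalize else checkout_time
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def check_hash(hash_line, filename, data):
    """Check data against one hash-file line (assumed '<type> <hash> <filename>').

    Returns 'ok', 'mismatch', or 'unchecked' (type 'none', or another file).
    """
    fields = hash_line.split()                 # spaces or tabs, any number
    if len(fields) != 3:
        raise ValueError("malformed hash line: %r" % hash_line)
    if fields[0] == "none" or fields[2] != filename:
        return "unchecked"
    digest = hashlib.new(fields[0], data).hexdigest()
    return "ok" if digest == fields[1].lower() else "mismatch"

# Constructed sample tree, exported at two different (constructed) times.
TREE = {"libfoo/foo.c": b"int foo(void) { return 0; }\n",
        "libfoo/Makefile": b"all:\n"}
first = export_tree(TREE, checkout_time=1480344120, normalize=False)
second = export_tree(TREE, checkout_time=1480365780, normalize=False)

# Same content, different entry order and time, but normalized metadata.
stable_a = export_tree(TREE, 1480344120, normalize=True)
stable_b = export_tree(dict(reversed(list(TREE.items()))), 1480365780,
                       normalize=True)

# Hash recorded locally from the first export, as the patch recommends.
recorded = "sha256\t" + hashlib.sha256(first).hexdigest() + "  libfoo-1234.tar"
stable = "sha256  " + hashlib.sha256(stable_a).hexdigest() + "  libfoo-1234.tar"
```

With the non-normalized export, the recorded hash rejects an identical source tree fetched later, while a `none` line passes any content unchecked; only the normalized export makes the hash a usable integrity check.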

* [Buildroot] [PATCH 1/1] documentation: hash source control archives
  2016-11-28 20:43 ` Thomas Petazzoni
@ 2016-11-28 21:40   ` Ash Charles
  0 siblings, 0 replies; 3+ messages in thread
From: Ash Charles @ 2016-11-28 21:40 UTC (permalink / raw)
  To: buildroot

On Mon, Nov 28, 2016 at 3:43 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> The line needs to be wrapped to 72 characters.
>
> Also, I am not sure that the archives we produce from all version
> control systems are reproducible. I'm sure it's the case for Git, but
> I'm not sure for Subversion, so it might be that your statement is
> actually wrong.
>
> In addition, I think the last part "although the +none+ type has also
> been used" is a bit confusing.
>
> I think we should rather:
>
>  1. Look again closely at which version control systems currently
>     produce reproducible archives in Buildroot.
>
>  2. Make Buildroot actually check the hashes for the downloads made
>     through those version control systems.
>
>  3. Update the documentation accordingly, with a clear statement of
>     which packages should have hashes, which packages should not.
Okay--I think this is more than I can dive into at the moment.  Either
way though, this isn't currently a suitable patch so I've marked it as
rejected in patchwork.
--Ash