From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Petazzoni
Date: Wed, 18 Apr 2018 16:43:44 +0200
Subject: [Buildroot] [PATCH 0/4] support/download: make the git backend more robust
In-Reply-To: <5ad747f83aa3d_4f402af5fb1a8ea4724ef@ultri4.mail>
References: <20180418105225.747e611e@windsurf.numericable.fr> <5ad747f83aa3d_4f402af5fb1a8ea4724ef@ultri4.mail>
Message-ID: <20180418164344.404d7a92@windsurf.numericable.fr>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: buildroot@busybox.net

Hello,

On Wed, 18 Apr 2018 10:28:24 -0300, Ricardo Martincoski wrote:

> Could be the case your build server has a blacklisted tar version and you run
> the commands in a clean output (actually without host-tar built)?

It is indeed the case (I have an old tar), and indeed building host-tar
first fixes the problem.

When I don't build host-tar, what happens is:

test at build:~/buildroot$ make host-squashfs-extract
>>> host-squashfs e38956b92f738518c29734399629e7cdb33072d3 Downloading
Initialized empty Git repository in /home/test/dl/squashfs/git/.git/
Fetching all references
remote: Counting objects: 8972, done.
remote: Total 8972 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (8972/8972), 1.56 MiB | 2.51 MiB/s, done.
Resolving deltas: 100% (6544/6544), done.
>From https://git.kernel.org/pub/scm/fs/squashfs/squashfs-tools
 * [new branch] lz4 -> origin/lz4
 * [new branch] master -> origin/master
 * [new branch] stable -> origin/stable
Could not fetch special ref 'e38956b92f738518c29734399629e7cdb33072d3'; assuming it is not special.
ERROR: squashfs-e38956b92f738518c29734399629e7cdb33072d3.tar.gz has wrong sha256 hash:
ERROR: expected: bd0aa3011320b8ebee68aa406060de277bef16daf81bad5b9f70cbea6db1a779
ERROR: got : c7a61e3bcabb716b268f5a341055ac5ecda8b9f2b42025f82926f201ff5c8881
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

So I assume it has used the system tar, which generates tar archives
whose hash doesn't match the one generated by "good" tar versions. Is
that the problem I was having?

So, we indeed have a serious problem here. host-tar is not an extract
dependency, but a download dependency. Meh. Crap.

This breaks several things:

 - make -source on Git packages from a clean build

 - A regular build, if the first package downloaded is fetched from Git
   and no other package has been extracted before. Indeed, in such a
   case, host-tar would not yet be built/installed.

Gaaaah.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
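
An added illustration, not part of the original message and not Buildroot code: why a tarball generated locally from a git checkout can fail a pinned sha256 check without any tampering. It assumes two header formats from Python's tarfile module as a stand-in for two tar versions (the message does not say what the old tar does differently), and the file tree is constructed sample data.

```python
import hashlib
import io
import tarfile

# Constructed sample tree standing in for a git checkout (not real squashfs files).
SAMPLE_TREE = {
    "squashfs-tools/Makefile": b"all:\n\t@echo build\n",
    "squashfs-tools/mksquashfs.c": b"int main(void) { return 0; }\n",
}

def make_tarball(tree, fmt):
    """Build a tar archive with normalized metadata in the given header format."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tar:
        for name in sorted(tree):            # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = 0                   # fixed timestamp
            info.mode = 0o644
            info.uid = info.gid = 0          # fixed ownership
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()

def archive_sha256(data):
    """Hash of the archive bytes: what a pinned .hash entry checks."""
    return hashlib.sha256(data).hexdigest()

def content_sha256(data):
    """Hash of member names and file bytes only, ignoring header encoding."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(member.name.encode() + b"\0")
            if member.isfile():
                h.update(tar.extractfile(member).read())
    return h.hexdigest()

def compare():
    gnu = make_tarball(SAMPLE_TREE, tarfile.GNU_FORMAT)
    ustar = make_tarball(SAMPLE_TREE, tarfile.USTAR_FORMAT)
    again = make_tarball(SAMPLE_TREE, tarfile.GNU_FORMAT)
    return {
        "archive_hash_equal": archive_sha256(gnu) == archive_sha256(ustar),
        "content_hash_equal": content_sha256(gnu) == content_sha256(ustar),
        "same_tool_reproducible": archive_sha256(gnu) == archive_sha256(again),
    }

if __name__ == "__main__":
    print(compare())
```

The same files give identical content hashes but different archive hashes once the archiver encodes headers differently, so the archiver used at download time has to be pinned along with the hash.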