From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D69FEC433EF for ; Mon, 17 Jan 2022 10:17:17 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 7172940220; Mon, 17 Jan 2022 10:17:17 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HidifZ8FssNk; Mon, 17 Jan 2022 10:17:16 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp2.osuosl.org (Postfix) with ESMTP id 68D7740232; Mon, 17 Jan 2022 10:17:15 +0000 (UTC) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id D8AD81BF3D7 for ; Mon, 17 Jan 2022 10:17:13 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id C03C36079E for ; Mon, 17 Jan 2022 10:17:13 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Authentication-Results: smtp3.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=free.fr Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RrfQ9gIn75Pk for ; Mon, 17 Jan 2022 10:17:12 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from smtp2-g21.free.fr (smtp2-g21.free.fr [IPv6:2a01:e0c:1:1599::11]) by smtp3.osuosl.org (Postfix) with ESMTPS id 8EE6060AAB for ; Mon, 17 Jan 2022 10:17:12 +0000 (UTC) Received: from ymorin.is-a-geek.org (unknown [IPv6:2a01:cb19:8b51:cb00:3413:1d36:355:a22c]) (Authenticated sender: yann.morin.1998@free.fr) by smtp2-g21.free.fr (Postfix) with ESMTPSA id 432DC20039F; Mon, 17 Jan 2022 11:17:06 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=free.fr; s=smtp-20201208; t=1642414629; bh=lodpoRTUYPLDF2jyQg5l6+OAD3xrp3GqOjg1xNlGdDc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ToxQwd+p2MDzK4A3d3/I+Mh0d8dn+kQUmBxnlYiue00WUfNPexlNMVWBDRotqWB4f SlgfNYZvlETy5xD50l8JsYTXwoKcOEY7GDcoQI7iDDA+a6znEKd9afxfSXl69U+7tW hiq4ZcCbGtlq9b1RMmIUJO4j3V5UfPVEiit4kmlSJv4zWhr1rNyXLVz1/kZYLb/bxl S7uoHth5NwgMLjZ4WOLsvsHgIGW8LCdA3+iOpbO00gOeCmI1lvVPLdgAO71kkO0PE5 O2k23k8WzPkAD1YrX91SQ60BT0rd7vUtcio+qlxplBvCxdYp4lern6rn+HKLug9LgW HPwPlahFM90GQ== Received: by ymorin.is-a-geek.org (sSMTP sendmail emulation); Mon, 17 Jan 2022 11:17:05 +0100 Date: Mon, 17 Jan 2022 11:17:05 +0100 From: "Yann E. MORIN" To: James Hilliard Message-ID: <20220117101705.GB2313964@scaer> References: <20220116230404.71f68dbb@c3po> <20220116233758.59918490@c3po> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.22 (2013-10-16) Subject: Re: [Buildroot] Hash verification from GitHub X-BeenThere: buildroot@buildroot.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Danilo Bargen , buildroot Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" James, Danilo, All, On 2022-01-16 15:51 -0700, James Hilliard spake thusly: > On Sun, Jan 16, 2022 at 3:38 PM Danilo Bargen wrote: > > > Just use the hash buildroot generated for you, it should be correct. > > > (...) > > > Yeah, it's not going to match since buildroot is doing stuff like > > > vendoring the cargo deps before generating the tarball > > Ahh, that explains it. Does this mean that for Cargo based packages, it > > will always be TOFU and checksums provided by the project / maintainer > > cannot be used (because they will mismatch)? > A maintainer could sign the tarball generated by buildroot and upload it to > github releases if they want. To be exact: an upstream maintainer (i.e. not a Buildroot maintainer). > As you can see the script will bail out if the tarball already has > vendored deps: > https://github.com/buildroot/buildroot/blob/6e4791b751c0f8e0ba218da2c22e71d3e1436b5d/support/download/cargo-post-process#L16-L19 The script will not "bail out" on pre-vendored tarballs; it will just exit without touching the tarball at all. I.e. it means that we prefer using tarballs as-is from their upstreams, when they are vendored; we only vendor packages which upstreams have not. > So as long as the upstream release tarball has vendored deps the hash should > not change AFAIU. Yes, this is the goal. Regards, Yann E. MORIN. -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot