From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Danilo Bargen <mail@dbrgn.ch>
Cc: James Hilliard <james.hilliard1@gmail.com>,
buildroot <buildroot@buildroot.org>
Subject: Re: [Buildroot] Hash verification from GitHub
Date: Mon, 17 Jan 2022 17:06:02 +0100
Message-ID: <20220117160602.GF2313964@scaer>
In-Reply-To: <1ae38367-2e5c-20c7-0ba1-ebaff05cf8e7@dbrgn.ch>
Danilo, All,
On 2022-01-17 11:24 +0100, Danilo Bargen spake thusly:
> On 1/17/22 11:17, Yann E. MORIN wrote:
> >I.e. it means that we prefer using tarballs as-is from their upstreams,
> >when they are vendored; we only vendor packages which upstreams have
> >not.
> That makes sense! I am the maintainer of tealdeer, and I'll provide a
> vendored source tarball for the next release. (I've heard of "cargo vendor"
> before, but I haven't used it so far.)
Note that vendoring is definitely not a requirement we impose on
upstreams.
We do prefer when the vendoring has been done by upstream, because it
means (at least we hope it does!) that upstream has validated the fully
vendored package, and thus we have some confidence everything works as
expected.
It also avoids the case where an upstream for a dependency mucks
around with their releases: we already noticed the case where an
upstream for a dependency did a re-tag of their release, thus breaking
the vendoring of the dependees because it would no longer match the
expected hashes in the cargo.toml (or go.mod?). Also (but that's mostly
for go, IIRC), we also already noticed that some of the points of
distribution (goproxies?) are serving some incorrect archives, thus
causing download issues...
However, if an upstream decides to not vendor (for whatever reason),
then this is perfectly fine for Buildroot; this is exactly why the cargo
infra has been made to support doing the vendoring.
All in all, it is better that upstream vendors their releases, because
it avoids any of the pitfalls I mention above.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
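To make the re-tag pitfall above concrete, here is an added example (not Buildroot's own check-hash script and not code from the thread): a small checker that verifies an archive against a Buildroot-style `.hash` file (`<algo>  <hexdigest>  <filename>`, `#` comments). The tarball bytes, the file name `tealdeer-1.0.0-vendored.tar.gz` and the recorded digest are constructed, and the "re-tagged" bytes stand in for an upstream that silently moved a release tag.

```python
import hashlib

# Constructed stand-ins for two archives served under the same release tag:
# the one the hash was recorded from, and the one served after a silent re-tag.
ORIGINAL_TARBALL = b"tealdeer-1.0.0 vendored sources (constructed bytes)\n"
RETAGGED_TARBALL = b"tealdeer-1.0.0 vendored sources, re-tagged (constructed)\n"

ARCHIVE_NAME = "tealdeer-1.0.0-vendored.tar.gz"  # constructed file name

# Constructed .hash file in Buildroot's layout; the digest is computed from
# ORIGINAL_TARBALL so the example runs offline.
HASH_FILE = (
    "# Locally computed after downloading the upstream vendored tarball\n"
    "sha256  {}  {}\n"
).format(hashlib.sha256(ORIGINAL_TARBALL).hexdigest(), ARCHIVE_NAME)


def parse_hash_file(text):
    """Return {filename: [(algo, hexdigest), ...]} from .hash-style text."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, digest, filename = line.split()
        expected.setdefault(filename, []).append((algo.lower(), digest.lower()))
    return expected


def check_hash(expected, filename, data):
    """True only if data matches every digest recorded for filename.

    An archive with no recorded digest fails closed: an archive nobody has
    pinned must not be accepted just because nothing contradicts it.
    """
    entries = expected.get(filename)
    if not entries:
        return False
    return all(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in entries)


def verify_release(tarball_bytes):
    """Verify a downloaded archive against the constructed .hash file."""
    return check_hash(parse_hash_file(HASH_FILE), ARCHIVE_NAME, tarball_bytes)


if __name__ == "__main__":
    print("original:", verify_release(ORIGINAL_TARBALL))   # True
    print("re-tagged:", verify_release(RETAGGED_TARBALL))  # False
```

The same mismatch is what Cargo reports when a vendored crate no longer matches the checksum pinned in the lock file, which is why a tarball vendored and validated by upstream is the safer artifact to pin.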