[Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES

[Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES

[Thomas Petazzoni via buildroot]

BR2_DOWNLOAD_FORCE_CHECK_HASHES currently has the following
dependency:

	depends on BR2_GLOBAL_PATCH_DIR != ""

However, strictly speaking checking all hashes does not necessarily
require using BR2_GLOBAL_PATCH_DIR, as long as you don't use custom
versions.

But more importantly:

- Having this dependency means that this options is hidden when people
  don't use BR2_GLOBAL_PATCH_DIR. Instead the option should always be
  made visible, encouraging people to turn it on.

- The Config.in comment was there to mitigate this previous argument,
  but this comment then shows up all the time when you have an empty
  global patch dir.

This seems over-complicated, and it sounds much easier to have the
option unconditionally available, and visible, and clarify in its help
text that in order to this to work fully with custom package versions,
BR2_GLOBAL_PATCH_DIR can be used to provide extra hash files.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 Config.in | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/Config.in b/Config.in
index 554b4062eb..75f699154d 100644
--- a/Config.in
+++ b/Config.in
@@ -711,20 +711,18 @@ config BR2_FORCE_HOST_BUILD
 
 config BR2_DOWNLOAD_FORCE_CHECK_HASHES
 	bool "Force all downloads to have a valid hash"
-	depends on BR2_GLOBAL_PATCH_DIR != ""
 	help
-	  For packages where a custom version or location can be set,
-	  Buildroot does not carry a hash for those custom versions or
-	  locations, so the integrity of such downloads is not verified.
-
 	  Say 'y' here to enforce downloads to have at least one valid
 	  hash (and of course, that all hashes be valid).
 
-	  Those hashes are looked in files in BR2_GLOBAL_PATCH_DIR,
-	  see above.
+	  By default, Buildroot checks hashes of all packages
+	  downloaded, except those for which a custom version is
+	  used.
 
-comment "Forcing all downloads to have a valid hash needs a global patch and hash directory"
-	depends on BR2_GLOBAL_PATCH_DIR = ""
+	  With this option turned on, Buildroot will check hashes of
+	  all packages, including those have use a custom version. In
+	  order to provide hashes for such packages, additional hash
+	  files can be placed into BR2_GLOBAL_PATCH_DIR directories.
 
 config BR2_REPRODUCIBLE
 	bool "Make the build reproducible (experimental)"
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES

[Peter Korsgaard]

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > BR2_DOWNLOAD_FORCE_CHECK_HASHES currently has the following
 > dependency:

 > 	depends on BR2_GLOBAL_PATCH_DIR != ""

 > However, strictly speaking checking all hashes does not necessarily
 > require using BR2_GLOBAL_PATCH_DIR, as long as you don't use custom
 > versions.

 > But more importantly:

 > - Having this dependency means that this options is hidden when people
 >   don't use BR2_GLOBAL_PATCH_DIR. Instead the option should always be
 >   made visible, encouraging people to turn it on.

 > - The Config.in comment was there to mitigate this previous argument,
 >   but this comment then shows up all the time when you have an empty
 >   global patch dir.

 > This seems over-complicated, and it sounds much easier to have the
 > option unconditionally available, and visible, and clarify in its help
 > text that in order to this to work fully with custom package versions,
 > BR2_GLOBAL_PATCH_DIR can be used to provide extra hash files.

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 > ---
 >  Config.in | 16 +++++++---------
 >  1 file changed, 7 insertions(+), 9 deletions(-)

 > diff --git a/Config.in b/Config.in
 > index 554b4062eb..75f699154d 100644
 > --- a/Config.in
 > +++ b/Config.in
 > @@ -711,20 +711,18 @@ config BR2_FORCE_HOST_BUILD
 
 >  config BR2_DOWNLOAD_FORCE_CHECK_HASHES
 >  	bool "Force all downloads to have a valid hash"
 > -	depends on BR2_GLOBAL_PATCH_DIR != ""
 >  	help
 > -	  For packages where a custom version or location can be set,
 > -	  Buildroot does not carry a hash for those custom versions or
 > -	  locations, so the integrity of such downloads is not verified.
 > -
 >  	  Say 'y' here to enforce downloads to have at least one valid
 >  	  hash (and of course, that all hashes be valid).
 
 > -	  Those hashes are looked in files in BR2_GLOBAL_PATCH_DIR,
 > -	  see above.
 > +	  By default, Buildroot checks hashes of all packages
 > +	  downloaded, except those for which a custom version is
 > +	  used.
 
 > -comment "Forcing all downloads to have a valid hash needs a global patch and hash directory"
 > -	depends on BR2_GLOBAL_PATCH_DIR = ""
 > +	  With this option turned on, Buildroot will check hashes of
 > +	  all packages, including those have use a custom version. In

s/have use/that use/

 > +	  order to provide hashes for such packages, additional hash
 > +	  files can be placed into BR2_GLOBAL_PATCH_DIR directories.

I guess it is really s/can be/must be/, E.G. the build fails if not
done, right?

Maybe we should mention utils/add-custom-hashes to create such .hash
files?

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES

[Thomas Petazzoni via buildroot]

On Wed, 27 Dec 2023 18:18:02 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

>  > -comment "Forcing all downloads to have a valid hash needs a global patch and hash directory"
>  > -	depends on BR2_GLOBAL_PATCH_DIR = ""
>  > +	  With this option turned on, Buildroot will check hashes of
>  > +	  all packages, including those have use a custom version. In  
> 
> s/have use/that use/

Fixed.

>  > +	  order to provide hashes for such packages, additional hash
>  > +	  files can be placed into BR2_GLOBAL_PATCH_DIR directories.  
> 
> I guess it is really s/can be/must be/, E.G. the build fails if not
> done, right?

I am not sure, I guess this is really a linguistic difference here. To
me the hash files must not be placed, they can be placed, if needed.
No-one forces anyone to have those hash files, but if they are needed,
then indeed the only option today is to have them in the
BR2_GLOBAL_PATCH_DIR.

I will not complain if you insist on "must be".

> Maybe we should mention utils/add-custom-hashes to create such .hash
> files?

Good point, added.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES

[Yann E. MORIN]

Thomas, All,

On 2023-12-27 18:07 +0100, Thomas Petazzoni via buildroot spake thusly:
> BR2_DOWNLOAD_FORCE_CHECK_HASHES currently has the following
> dependency:
> 
> 	depends on BR2_GLOBAL_PATCH_DIR != ""
> 
> However, strictly speaking checking all hashes does not necessarily
> require using BR2_GLOBAL_PATCH_DIR, as long as you don't use custom
> versions.
> 
> But more importantly:
> 
> - Having this dependency means that this options is hidden when people
>   don't use BR2_GLOBAL_PATCH_DIR. Instead the option should always be
>   made visible, encouraging people to turn it on.
> 
> - The Config.in comment was there to mitigate this previous argument,
>   but this comment then shows up all the time when you have an empty
>   global patch dir.
> 
> This seems over-complicated, and it sounds much easier to have the
> option unconditionally available, and visible, and clarify in its help
> text that in order to this to work fully with custom package versions,
> BR2_GLOBAL_PATCH_DIR can be used to provide extra hash files.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to master,i after fixing the typo noticed by Peter, and after
rewording the last sentence to avoid the can/must dilemma. Thanks.

Regards,
Yann E. MORIN.

> ---
>  Config.in | 16 +++++++---------
>  1 file changed, 7 insertions(+), 9 deletions(-)
> 
> diff --git a/Config.in b/Config.in
> index 554b4062eb..75f699154d 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -711,20 +711,18 @@ config BR2_FORCE_HOST_BUILD
>  
>  config BR2_DOWNLOAD_FORCE_CHECK_HASHES
>  	bool "Force all downloads to have a valid hash"
> -	depends on BR2_GLOBAL_PATCH_DIR != ""
>  	help
> -	  For packages where a custom version or location can be set,
> -	  Buildroot does not carry a hash for those custom versions or
> -	  locations, so the integrity of such downloads is not verified.
> -
>  	  Say 'y' here to enforce downloads to have at least one valid
>  	  hash (and of course, that all hashes be valid).
>  
> -	  Those hashes are looked in files in BR2_GLOBAL_PATCH_DIR,
> -	  see above.
> +	  By default, Buildroot checks hashes of all packages
> +	  downloaded, except those for which a custom version is
> +	  used.
>  
> -comment "Forcing all downloads to have a valid hash needs a global patch and hash directory"
> -	depends on BR2_GLOBAL_PATCH_DIR = ""
> +	  With this option turned on, Buildroot will check hashes of
> +	  all packages, including those have use a custom version. In
> +	  order to provide hashes for such packages, additional hash
> +	  files can be placed into BR2_GLOBAL_PATCH_DIR directories.
>  
>  config BR2_REPRODUCIBLE
>  	bool "Make the build reproducible (experimental)"
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES

[Peter Korsgaard]

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > BR2_DOWNLOAD_FORCE_CHECK_HASHES currently has the following
 > dependency:

 > 	depends on BR2_GLOBAL_PATCH_DIR != ""

 > However, strictly speaking checking all hashes does not necessarily
 > require using BR2_GLOBAL_PATCH_DIR, as long as you don't use custom
 > versions.

 > But more importantly:

 > - Having this dependency means that this options is hidden when people
 >   don't use BR2_GLOBAL_PATCH_DIR. Instead the option should always be
 >   made visible, encouraging people to turn it on.

 > - The Config.in comment was there to mitigate this previous argument,
 >   but this comment then shows up all the time when you have an empty
 >   global patch dir.

 > This seems over-complicated, and it sounds much easier to have the
 > option unconditionally available, and visible, and clarify in its help
 > text that in order to this to work fully with custom package versions,
 > BR2_GLOBAL_PATCH_DIR can be used to provide extra hash files.

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot