* Re: opkg and gpg signed ipk packages
[not found] ` <20150508162311.GA20977@bang.betafive.co.uk>
@ 2015-05-13 20:20 ` Sona Sarmadi
2015-05-14 8:49 ` Paul Eggleton
0 siblings, 1 reply; 8+ messages in thread
From: Sona Sarmadi @ 2015-05-13 20:20 UTC (permalink / raw)
To: openembedded-core@lists.openembedded.org
Hi
> SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG
> 'sha256' then ensure that your Packages file contains a 'SHA256sum: ...' line
> for each package.
Does anyone know where I specify this PACKAGECONFIG configuration? I want all ipk packages to be checksummed using sha256 (in the Packages file that describes the ipk packages). The default seems to be md5:
tmp/deploy/ipk/ppce500v2/Packages
    Package: acl-dbg
    Version: 2.2.52-r0
    Recommends: libc6-dbg, libattr-dbg, libacl-dbg
    Section: devel
    Architecture: ppce500v2
    Maintainer: Poky <poky@yoctoproject.org>
    MD5Sum: 0903a158d6c7acc825bf7e71b255d7fc <<<<<
Thanks
//Sona
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: opkg and gpg signed ipk packages
2015-05-13 20:20 ` opkg and gpg signed ipk packages Sona Sarmadi
@ 2015-05-14 8:49 ` Paul Eggleton
2015-05-14 14:15 ` Sona Sarmadi
0 siblings, 1 reply; 8+ messages in thread
From: Paul Eggleton @ 2015-05-14 8:49 UTC (permalink / raw)
To: Sona Sarmadi; +Cc: openembedded-core
Hi Sona,
On Wednesday 13 May 2015 20:20:51 Sona Sarmadi wrote:
> > SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG
> > 'sha256' then ensure that your Packages file contains a 'SHA256sum: ...'
> > line for each package.
>
> Does anyone know where do I specify this PACKAGECONFIG configuration? I want
> all ipk packages to be checksummed using sha256 (in the Packages file that
> describes the ipk packages). The default seems to be md5:
>
> tmp/deploy/ipk/ppce500v2/Packages
> Package: acl-dbg
> Version: 2.2.52-r0
> Recommends: libc6-dbg, libattr-dbg, libacl-dbg
> Section: devel
> Architecture: ppce500v2
> Maintainer: Poky <poky@yoctoproject.org>
> MD5Sum: 0903a158d6c7acc825bf7e71b255d7fc <<<<<
I'm guessing you would want something like this in your custom distro config
(or local.conf if you must):
PACKAGECONFIG_append_pn-opkg = " sha256"
PACKAGECONFIG_append_pn-opkg-native = " sha256"
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: opkg and gpg signed ipk packages
2015-05-14 8:49 ` Paul Eggleton
@ 2015-05-14 14:15 ` Sona Sarmadi
2015-05-19 11:47 ` Sona Sarmadi
0 siblings, 1 reply; 8+ messages in thread
From: Sona Sarmadi @ 2015-05-14 14:15 UTC (permalink / raw)
To: Paul Eggleton; +Cc: openembedded-core@lists.openembedded.org
> I'm guessing you would want something like this in your custom distro config
> (or local.conf if you must):
>
> PACKAGECONFIG_append_pn-opkg = " sha256"
> PACKAGECONFIG_append_pn-opkg-native = " sha256"
Thanks Paul, it looks like this should be the configuration, but I have tried this and it didn't help.
I am trying to find out some info about the "Packages" file: how it is generated, where this checksum is computed, etc.
I see in opkg.py how the content of the "Packages" file is generated, but I don't understand how this file is generated.
./build-p2020/tmp/sysroots/x86_64-linux/usr/bin/opkg.py
    if self.md5: out = out + "MD5Sum: %s\n" % (self.md5)
//Sona
hashval = bb.utils.md5_file(f)
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: opkg and gpg signed ipk packages
2015-05-14 14:15 ` Sona Sarmadi
@ 2015-05-19 11:47 ` Sona Sarmadi
2015-05-19 11:56 ` Gary Thomas
2015-05-19 12:01 ` Otavio Salvador
0 siblings, 2 replies; 8+ messages in thread
From: Sona Sarmadi @ 2015-05-19 11:47 UTC (permalink / raw)
To: 'Paul Eggleton', 'Paul Barker', Maxin John
Cc: 'openembedded-core@lists.openembedded.org'
> > I'm guessing you would want something like this in your custom distro
> > config (or local.conf if you must):
> >
> > PACKAGECONFIG_append_pn-opkg = " sha256"
> > PACKAGECONFIG_append_pn-opkg-native = " sha256"
>
Thanks a lot guys for your help, this is now working :)
There is support for sha256 in opkg but not in the opkg-utils.
opkg-utils (opkg.py) just uses md5 as default option. I changed
opkg.py:
........
    # compute the MD5.
    if not self.fn:
        self.md5 = 'Unknown'
    else:
        f = open(self.fn, "rb")
        sum = hashlib.md5()
to
        sum = hashlib.sha256()
and now I get checksum sha256 in the "Packages" file:
SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
Do you think this patch would be of interest for someone?
//Sona
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: opkg and gpg signed ipk packages
2015-05-19 11:47 ` Sona Sarmadi
@ 2015-05-19 11:56 ` Gary Thomas
2015-05-19 12:01 ` Otavio Salvador
1 sibling, 0 replies; 8+ messages in thread
From: Gary Thomas @ 2015-05-19 11:56 UTC (permalink / raw)
To: openembedded-core
On 2015-05-19 05:47, Sona Sarmadi wrote:
>
>>> I'm guessing you would want something like this in your custom distro
>>> config (or local.conf if you must):
>>>
>>> PACKAGECONFIG_append_pn-opkg = " sha256"
>>> PACKAGECONFIG_append_pn-opkg-native = " sha256"
>>
>
> Thanks a lot guys for your help, this is now working :)
> There is support for sha256 in opkg but not in the opkg-utils.
> opkg-utils (opkg.py) just uses md5 as default option. I changed
>
> opkg.py:
> ........
>     # compute the MD5.
>     if not self.fn:
>         self.md5 = 'Unknown'
>     else:
>         f = open(self.fn, "rb")
>         sum = hashlib.md5()
> to
>         sum = hashlib.sha256()
>
> and now I get checksum sha256 in the "Packages" file:
>
> SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>
> Do you think this patch would be of interest for someone?
Yes, including everything you found that needs to be set up to
support these checksums.
--
------------------------------------------------------------
Gary Thomas | Consulting for the
MLB Associates | Embedded world
------------------------------------------------------------
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: opkg and gpg signed ipk packages
2015-05-19 11:47 ` Sona Sarmadi
2015-05-19 11:56 ` Gary Thomas
@ 2015-05-19 12:01 ` Otavio Salvador
2015-05-19 14:23 ` Mark Hatle
1 sibling, 1 reply; 8+ messages in thread
From: Otavio Salvador @ 2015-05-19 12:01 UTC (permalink / raw)
To: Sona Sarmadi
Cc: Paul Eggleton, Maxin John,
openembedded-core@lists.openembedded.org
On Tue, May 19, 2015 at 8:47 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
>
>> > I'm guessing you would want something like this in your custom distro
>> > config (or local.conf if you must):
>> >
>> > PACKAGECONFIG_append_pn-opkg = " sha256"
>> > PACKAGECONFIG_append_pn-opkg-native = " sha256"
>>
>
> Thanks a lot guys for your help, this is now working :)
> There is support for sha256 in opkg but not in the opkg-utils.
> opkg-utils (opkg.py) just uses md5 as default option. I changed
>
> opkg.py:
> ........
>     # compute the MD5.
>     if not self.fn:
>         self.md5 = 'Unknown'
>     else:
>         f = open(self.fn, "rb")
>         sum = hashlib.md5()
> to
>         sum = hashlib.sha256()
>
> and now I get checksum sha256 in the "Packages" file:
>
> SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>
> Do you think this patch would be of interest for someone?
Yes but it would be good to make it choosable at distro level.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: opkg and gpg signed ipk packages
2015-05-19 12:01 ` Otavio Salvador
@ 2015-05-19 14:23 ` Mark Hatle
2015-05-20 10:44 ` Sona Sarmadi
0 siblings, 1 reply; 8+ messages in thread
From: Mark Hatle @ 2015-05-19 14:23 UTC (permalink / raw)
To: openembedded-core
On 5/19/15 7:01 AM, Otavio Salvador wrote:
> On Tue, May 19, 2015 at 8:47 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
>>
>>>> I'm guessing you would want something like this in your custom distro
>>>> config (or local.conf if you must):
>>>>
>>>> PACKAGECONFIG_append_pn-opkg = " sha256"
>>>> PACKAGECONFIG_append_pn-opkg-native = " sha256"
>>>
>>
>> Thanks a lot guys for your help, this is now working :)
>> There is support for sha256 in opkg but not in the opkg-utils.
>> opkg-utils (opkg.py) just uses md5 as default option. I changed
>>
>> opkg.py:
>> ........
>>     # compute the MD5.
>>     if not self.fn:
>>         self.md5 = 'Unknown'
>>     else:
>>         f = open(self.fn, "rb")
>>         sum = hashlib.md5()
>> to
>>         sum = hashlib.sha256()
>>
>> and now I get checksum sha256 in the "Packages" file:
>>
>> SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>>
>> Do you think this patch would be of interest for someone?
>
> Yes but it would be good to make it choosable at distro level.
I agree.. and RPM(5) has the ability to switch the default checksum from MD5 to
others as well. So a global distro setting would make sense. (I don't know how
the deb package manager is configured.)
Let me know if we come up with a distribution level switch (or if we just want
to make the policy be sha256, as it's definitely better than MD5) and I can help
make the RPM configuration change as well.
--Mark
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: opkg and gpg signed ipk packages
2015-05-19 14:23 ` Mark Hatle
@ 2015-05-20 10:44 ` Sona Sarmadi
0 siblings, 0 replies; 8+ messages in thread
From: Sona Sarmadi @ 2015-05-20 10:44 UTC (permalink / raw)
To: Mark Hatle, 'Otavio Salvador', Gary Thomas
Cc: openembedded-core@lists.openembedded.org
> >> Do you think this patch would be of interest for someone?
> >
> > Yes but it would be good to make it choosable at distro level.
Opkg has support for 'sha256' but opkg-utils only supports md5.
We could pass the sha256 option to opkg-utils (like other parameters such as Maintainer),
and make it configurable. We just need to figure out how to pass this option to opkg-utils.
Since MD5 is not very secure, wouldn't it be better to use sha256 as default?
Or is there any specific reason that someone would want MD5 to be kept as the
default (due to e.g. performance, backwards compatibility .. ?).
It takes a longer time to compute a sha256 checksum compared to md5, but
sha256 is more secure & reliable.
Anyway, it would be good to have this optional (sha256 or md5).
> I agree.. and RPM(5) has the ability to switch the default checksum from MD5
> to others as well. So a global distro setting would make sense. (I don't know
> how the deb package manager is configured.)
>
> Let me know if we come up with a distribution level switch (or if we just want
> to make the policy be sha256, as it's definitely better than MD5) and I can
> help make the RPM configuration change as well.
I think a configuration at high level would be good to use for all PMS, to choose MD5 or sha256.
conf/local.conf:
# Package Management configuration
PACKAGE_CLASSES ?= "package_ipk"
Or
PACKAGE_CLASSES ?= "package_rpm"
PACKAGE_CHECKSUM ?= "sha256" <<< something like this
Or
PACKAGE_CHECKSUM ?= "md5"
//Sona
^ permalink raw reply [flat|nested] 8+ messages in thread
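Added example (not code from the thread or from opkg-utils): the selectable checksum discussed above, as an index writer that takes the algorithm as a parameter and a verifier that checks a package against the strongest checksum its stanza carries and reports MD5-only entries as weak. The function names and the `minimum` policy parameter are assumptions; field names are looked up case-insensitively because the thread shows both 'SHA256sum' and 'SHA256Sum'.

```python
import hashlib
import os
import tempfile

# Index field -> hashlib name, strongest first (field spellings as in the thread).
FIELDS = (("SHA256sum", "sha256"), ("MD5Sum", "md5"))
ORDER = [algo for _, algo in FIELDS]

def digest(path, algo):
    """Hash a file in chunks so a large .ipk is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_stanza(name, version, path, algo="sha256"):
    """Emit a stanza whose checksum field matches the selected algorithm."""
    field = {a: f for f, a in FIELDS}[algo]  # KeyError for an unsupported choice
    return "Package: %s\nVersion: %s\n%s: %s\n" % (name, version, field, digest(path, algo))

def parse_stanza(text):
    """Parse 'Key: value' lines (continuation lines skipped); keys lower-cased."""
    pairs = (ln.partition(":") for ln in text.splitlines() if ln[:1].strip())
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def check(stanza, path, minimum="sha256"):
    """Return 'ok', 'weak' (verified only below minimum), 'mismatch' or 'missing'."""
    fields = parse_stanza(stanza)
    for rank, (field, algo) in enumerate(FIELDS):
        want = fields.get(field.lower())
        if want is not None:  # the strongest checksum present decides
            if digest(path, algo) != want.lower():
                return "mismatch"
            return "ok" if rank <= ORDER.index(minimum) else "weak"
    return "missing"

def demo():
    # Constructed stand-in for an .ipk; name and version reuse the thread's sample.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".ipk") as f:
        f.write(b"constructed package payload\n")
    try:
        sha, md5 = (make_stanza("acl-dbg", "2.2.52-r0", f.name, a) for a in ORDER)
        results = [check(sha, f.name), check(md5, f.name)]
        with open(f.name, "ab") as g:  # file changes after the index was built
            g.write(b"x")
        return results + [check(sha, f.name), check("Package: acl-dbg\n", f.name)]
    finally:
        os.unlink(f.name)
```

Calling `demo()` returns the four outcomes in order for the constructed file. A checksum in the index only ties a package to that index; authenticating the index itself is what the gpg signature in the thread's subject is for.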