[Buildroot] [PATCH 5/6] pkg-infra: add possiblity to check downloaded files against known hashes

Arnout Vandecappelle arnout at mind.be
Wed Jan 15 08:22:49 UTC 2014


On 15/01/14 00:34, Yann E. MORIN wrote:
> Arnout, All,
>
> On 2014-01-14 22:37 +0100, Arnout Vandecappelle spake thusly:
>> On 13/01/14 00:44, Yann E. MORIN wrote:
[snip]
>>> Note-2: The laternative to sha1 would be sha2 (256- or 512-bit), but
>>> oldish "enterprise-class" distributions  may be missing them entirely.
>>> sha256sum and sha512sum were added to coreutils in 2005-10-23, and RHEL5
>>> seems to have them. But better be safe than sorry. If sha2 should be
>>> considered instead of sha1, then it is very easy to switch now. Switching
>>> later would require that we revalidate all packages that have hashes,
>>> which could prove to be quite time-demanding if we have lots of
>>> packages using hashes.
>>
>>   We can be more future-safe by storing the hash that is used in the .hash
>> file itself.
>
> Hu?

  If the hash file contains the following:

486fb55c3efa71148fe07895fd713ea3a5ae343a  sha1  libfoo-1.2.3.tar.bz2

then you can now let the script check that the second field is sha1, and 
later you can support different hash methods. In that case, it is not 
necessary to update all the files when we want to switch to a new hash 
method.

  (Incidentally, it also enables Gustavo's suggestion to use whatever 
upstream provides.)

[snip]


-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F


More information about the buildroot mailing list