[Buildroot] [PATCH 5/6] pkg-infra: add possiblity to check downloaded files against known hashes
Arnout Vandecappelle
arnout at mind.be
Wed Jan 15 08:22:49 UTC 2014
On 15/01/14 00:34, Yann E. MORIN wrote:
> Arnout, All,
>
> On 2014-01-14 22:37 +0100, Arnout Vandecappelle spake thusly:
>> On 13/01/14 00:44, Yann E. MORIN wrote:
[snip]
>>> Note-2: The laternative to sha1 would be sha2 (256- or 512-bit), but
>>> oldish "enterprise-class" distributions may be missing them entirely.
>>> sha256sum and sha512sum were added to coreutils in 2005-10-23, and RHEL5
>>> seems to have them. But better be safe than sorry. If sha2 should be
>>> considered instead of sha1, then it is very easy to switch now. Switching
>>> later would require that we revalidate all packages that have hashes,
>>> which could prove to be quite time-demanding if we have lots of
>>> packages using hashes.
>>
>> We can be more future-safe by storing the hash that is used in the .hash
>> file itself.
>
> Hu?
If the hash file contains the following:
486fb55c3efa71148fe07895fd713ea3a5ae343a sha1 libfoo-1.2.3.tar.bz2
then you can now let the script check that the second field is sha1, and
later you can support different hash methods. In that case, it is not
necessary to update all the files when we want to switch to a new hash
method.
(Incidentally, it also enables Gustavo's suggestion to use whatever
upstream provides.)
[snip]
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F
More information about the buildroot
mailing list