[Buildroot] [PATCH 1/3] package/libva: Bump version to 1.4.0

Yann E. MORIN yann.morin.1998 at free.fr
Tue Oct 7 21:06:31 UTC 2014 

Bernd, All,

On 2014-10-07 22:58 +0200, Bernd Kuhls spake thusly:
> Peter Korsgaard <jacmet at uclibc.org> wrote in 
> news:87ppe3fwnn.fsf at dell.be.48ers.dk:
> 
> > Committed all 3, thanks. For future patches, it would be good if you
> > would add the tarball hashes as the libva* release announcements had
> > them (I've added them now).
> 
> Hi,
> 
> ok, I will do so.
> 
> Until now I did not really bother for my non-security-related packages 
> because I remembered the commit description
> http://git.buildroot.net/buildroot/commit/support/download/check-hash?id=
> 9bd8b59526c4521879f0ae5f765cb1a748725c49 where Yann talked about "sensitive 
> packages, related to security: openssl, dropbear, ca-certificates...", so I 
> thought hashes are optional[1].

Yes, that is the primary reason for adding hashes. And we do want hashes
for those sensitive packages. However...

> It seems I did not notice the change of 
> policy regarding hashes.
> In other words: Is there a reason _not_ to include a hash for a source 
> tarball?

... there are a few other good reasons we accept hashes:

  - it ensures a broken download is detected, so the user quickly knows
    that the tarball is broken because of the download; sometimes,
    upstreams breaks their distributions (e.g. the recent sourceforge
    breakage...).

  - non-compliant downloads are removed (rm -f) so they are not
    accidentally used in another context (e.g. I do share my BR2_DL_DIR
    with other stuff).

  - consequently, it helps the autobuilders prune their failed
    downloads.

But in the end there is no clear policy, except:

  - we *do* want hashes for security-related packages;
  - hashes for other packages are a nice bonus.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

More information about the buildroot mailing list