[Buildroot] [PATCH 1/3] package/libva: Bump version to 1.4.0
Yann E. MORIN
yann.morin.1998 at free.fr
Tue Oct 7 21:06:31 UTC 2014
Bernd, All,
On 2014-10-07 22:58 +0200, Bernd Kuhls spake thusly:
> Peter Korsgaard <jacmet at uclibc.org> wrote in
> news:87ppe3fwnn.fsf at dell.be.48ers.dk:
>
> > Committed all 3, thanks. For future patches, it would be good if you
> > would add the tarball hashes as the libva* release announcements had
> > them (I've added them now).
>
> Hi,
>
> ok, I will do so.
>
> Until now I did not really bother for my non-security-related packages
> because I remembered the commit description
> http://git.buildroot.net/buildroot/commit/support/download/check-hash?id=
> 9bd8b59526c4521879f0ae5f765cb1a748725c49 where Yann talked about "sensitive
> packages, related to security: openssl, dropbear, ca-certificates...", so I
> thought hashes are optional[1].
Yes, that is the primary reason for adding hashes. And we do want hashes
for those sensitive packages. However...
> It seems I did not notice the change of
> policy regarding hashes.
> In other words: Is there a reason _not_ to include a hash for a source
> tarball?
... there are a few other good reasons we accept hashes:
- it ensures a broken download is detected, so the user quickly knows
that the tarball is broken because of the download; sometimes,
upstreams breaks their distributions (e.g. the recent sourceforge
breakage...).
- non-compliant downloads are removed (rm -f) so they are not
accidentally used in another context (e.g. I do share my BR2_DL_DIR
with other stuff).
- consequently, it helps the autobuilders prune their failed
downloads.
But in the end there is no clear policy, except:
- we *do* want hashes for security-related packages;
- hashes for other packages are a nice bonus.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
More information about the buildroot
mailing list