[OpenWrt-Devel] [LEDE-DEV] [PATCH] download: skip hash check without a download hash

Hauke Mehrtens hauke at hauke-m.de
Thu May 24 14:30:28 EDT 2018



On 05/06/2018 07:17 PM, Paul Oranje wrote:
> 
> 
>> Op 30 apr. 2018, om 08:39 heeft John Crispin <john at phrozen.org> het volgende geschreven:
>>
>> On 30/03/18 17:34, Hauke Mehrtens wrote:
>>> If the package doe not contain a PKG_HASH just skip the check instead of
>>> making the download fail. The scripts/download.pl script will
>>> automatically skip the hash check in case the hash value equals skip,
>>> otherwise it fails.
>>>
>>> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
>>> ---
>>>  include/download.mk | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/include/download.mk b/include/download.mk
>>> index 2ba8a7bdf4..b14ce2a39a 100644
>>> --- a/include/download.mk
>>> +++ b/include/download.mk
>>> @@ -239,11 +239,11 @@ define Download/Defaults
>>>    URL_FILE:=
>>>    PROTO:=
>>>    HASH=$$(MD5SUM)
>>> -  MD5SUM:=x
>>> +  MD5SUM:=skip
>>>    SUBDIR:=
>>>    MIRROR:=1
>>>    MIRROR_HASH=$$(MIRROR_MD5SUM)
>>> -  MIRROR_MD5SUM:=x
>>> +  MIRROR_MD5SUM:=skip
>>>    VERSION:=
>>>    OPTS:=
>>>  endef
>>
>> Hi,
>> I am against merging this patch. b30ba14e2a858cfebcfdbc38348ab96a6d179556 fixed an error where we had a copy/paste mess up of a hash causing a none valid length. we would think that there is hash that gets checked but it would never be validated. Adding your patch would introduce a similar case where a typo in the variable name would make us believe that a hash is present but in reality there it none. I'd prefer that the Makefile would have the skip inside it and that the buildsystem would then skip the validation.
>>
>>     John
>>
>>
>> _______________________________________________
>> Lede-dev mailing list
>> Lede-dev at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/lede-dev
> 
> Sometime last year there has been some discussion about skipping hash validations in development workflows and IIRC that it could (likewise) be controlled with setting a HASH to skip and that once a change would be ready for submission a true hash value would be set.
> 
> In the context of a development workflow the effect of a hash validation being skipped is limited to the environment of the developer, but after submission that would be different (and dangerous; I presume that a merge of a patch without a proper hash value should never occur).
> 
> Please correct me if I'am wrong, regards,
> Paul
> 

I am ok with dropping this patch, I just wanted to get some opinions on
this topic and it makes sense to enforce the hash check.

@Paul: you can either build your package like this:
	make package/foo/download PKG_HASH=skip
or you can define the skip directly in your package Makefile to skip the
hash check.

Hauke

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
http://lists.infradead.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list