
docs/manual: update details about hashes

This commit updates the manual about hashes, fixing a number of
issues:

 - Adding the .hash file should no longer be optional: it *must* be
   added. Therefore the wording "You can add ..." is changed to "When
   possible, you must add ...".

 - We are now checking hashes for Git downloaded packages, so fix this
   as well, and indicate more clearly which download methods have hash
   checking.

 - We no longer want to have auto-generated patches be downloaded
   through <pkg>_PATCH because such patches are not stable over time,
   and their hash can change. For example, downloading patches from
   github.com should no longer be done.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni 8 years ago
Parent
Current commit
a0c9b36b80
1 file changed, 16 insertions, 7 deletions
      docs/manual/adding-packages-directory.txt

docs/manual/adding-packages-directory.txt

@@ -439,8 +439,10 @@ rules].
 [[adding-packages-hash]]
 [[adding-packages-hash]]
 === The +.hash+ file
 === The +.hash+ file
 
 
-Optionally, you can add a third file, named +libfoo.hash+, that contains
-the hashes of the downloaded files for the +libfoo+ package.
+When possible, you must add a third file, named +libfoo.hash+, that
+contains the hashes of the downloaded files for the +libfoo+
+package. The only reason for not adding a +.hash+ file is when hash
+checking is not possible due to how the package is downloaded.
 
 
 The hashes stored in that file are used to validate the integrity of the
 The hashes stored in that file are used to validate the integrity of the
 downloaded files.
 downloaded files.
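Review bot: "When possible, you must add a third file" in the added lines states an obligation and an exception in one breath, and the following sentence then has to spell the exception out again; consider stating the rule once, e.g. "You must add a third file, named +libfoo.hash+, ... unless hash checking is not possible for the package's download method (see below)", so the reader is pointed directly at the list of download methods that support checking.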
@@ -515,10 +517,17 @@ the downloaded file is left in the download directory since this
 typically indicates that the +.hash+ file is wrong but the downloaded
 typically indicates that the +.hash+ file is wrong but the downloaded
 file is probably OK.
 file is probably OK.
 
 
-Sources that are downloaded from a version control system (git, subversion,
-etc...) can not have a hash, because the version control system and tar
-may not create exactly the same file (dates, files ordering...), so the
-hash could be wrong even for a valid download. Therefore, the hash check
-is entirely skipped for such sources.
+Hashes are currently checked for files fetched from http/ftp servers,
+Git repositories, files copied using scp and local files. Hashes are
+not checked for other version control systems (such as Subversion,
+CVS, etc.) because Buildroot currently does not generate reproducible
+tarballs when source code is fetched from such version control
+systems.
+
+Hashes should only be added in +.hash+ files for files that are
+guaranteed to be stable. For example, patches auto-generated by Github
+are not guaranteed to be stable, and therefore their hashes can change
+over time. Such patches should not be downloaded, and instead be added
+locally to the package folder.
 
 
 If the +.hash+ file is missing, then no check is done at all.
 If the +.hash+ file is missing, then no check is done at all.
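Review bot: the added paragraphs make the +.hash+ file effectively mandatory, but the unchanged trailing context still says "If the +.hash+ file is missing, then no check is done at all." without noting that this is silent; consider adding that a missing file produces no warning, so whoever reviews a new package must verify the file exists rather than rely on the build to complain. Minor wording: "Such patches should not be downloaded, and instead be added locally to the package folder." reads better as "Such patches should not be downloaded; instead, add them locally to the package directory."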