On Tue, May 05, 2020 at 01:55:35PM +0200, Richard Leitner wrote:
>...
> --- a/meta/recipes-kernel/dtc/dtc_1.5.1.bb
> +++ b/meta/recipes-kernel/dtc/dtc_1.6.0.bb
> @@ -3,7 +3,7 @@ require dtc.inc
> LIC_FILES_CHKSUM = "file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>
> file://libfdt/libfdt.h;beginline=4;endline=7;md5=05bb357cfb75cae7d2b01d2ee8d76407"
>
> -SRCREV = "60e0db3d65a1218b0d5a29474e769f28a18e3ca6"
> +SRCREV = "v${PV}"
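Review bot: The added `SRCREV = "v${PV}"` line replaces a full commit hash with a tag name, so the fetched source is no longer fixed by content and follows whatever commit the tag points to at fetch time. Keep SRCREV as the full commit hash of the commit that the upstream tag for this version points to, and mention the tag in a comment next to it if the version mapping should stay visible.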
>...
It is tempting to use tags, but it is a bad idea.
Upstream might move a tag to a different commit.
Someone might do a man-in-the-middle attack on a specific user,
and there is no other verification of the sources apart from
the commit hash.
cu
Adrian
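
A check for the concern raised in this message, as an added example that is not part of the original post or of OpenEmbedded: it flags SRCREV assignments in recipe text whose value is not a full commit hash. The function names and sample recipe strings are constructed for illustration; the two SRCREV values are the ones in the quoted patch.

```python
import re

# SRCREV, SRCREV_name and SRCREV:override assignments with a quoted value.
ASSIGN = re.compile(
    r'^\s*(SRCREV(?:[_:][A-Za-z0-9_.:+-]+)?)\s*(?:\?\?=|\?=|:=|=)\s*"([^"]*)"',
    re.MULTILINE,
)
# A full git object id: 40 hex digits (SHA-1) or 64 (SHA-256).
FULL_HASH = re.compile(r'^(?:[0-9a-f]{40}|[0-9a-f]{64})$')


def classify(value):
    """Return 'pinned' for a full commit hash, otherwise the reason it is not."""
    if FULL_HASH.match(value):
        return "pinned"
    if "AUTOREV" in value:
        return "floating: AUTOREV follows the branch head"
    if "${" in value:
        return "mutable: expands to a name such as a tag, not a commit hash"
    if re.fullmatch(r'[0-9a-f]{7,39}', value):
        return "abbreviated hash: not a full object id"
    return "mutable: ref name, not a commit hash"


def check_recipe(text):
    """Return (line_number, variable, value, verdict) for each SRCREV assignment."""
    findings = []
    for m in ASSIGN.finditer(text):
        if m.group(1) == "SRCREV_FORMAT":  # naming scheme, not a revision
            continue
        line_no = text.count("\n", 0, m.start(1)) + 1
        findings.append((line_no, m.group(1), m.group(2), classify(m.group(2))))
    return findings


# Constructed recipe snippets using the old and new SRCREV from the quoted patch.
OLD_RECIPE = 'require dtc.inc\nSRCREV = "60e0db3d65a1218b0d5a29474e769f28a18e3ca6"\n'
NEW_RECIPE = 'require dtc.inc\nSRCREV = "v${PV}"\n'

if __name__ == "__main__":
    for name, text in (("dtc_1.5.1.bb", OLD_RECIPE), ("dtc_1.6.0.bb", NEW_RECIPE)):
        for line_no, var, value, verdict in check_recipe(text):
            print(f"{name}:{line_no}: {var} = {value!r} -> {verdict}")
```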