The pypi change: "85a2a6f68af recipetool: create_buildsys_python: add pypi support" deleted all the SRC_URI variables, including the SRC_URI checksums. These are not generated by the pypi.bbclass (how could they be trusted?)
Without the checksum(s), we are vulnerable to a man-in-the-middle attack and zero checks on the validity of the downloaded tarball from pypi.org. Fix by only setting S and SRC_URI to None. Signed-off-by: Tim Orling <[email protected]> --- scripts/lib/recipetool/create_buildsys_python.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/scripts/lib/recipetool/create_buildsys_python.py b/scripts/lib/recipetool/create_buildsys_python.py index 5e07222ece1..66de36ba3e4 100644 --- a/scripts/lib/recipetool/create_buildsys_python.py +++ b/scripts/lib/recipetool/create_buildsys_python.py @@ -172,11 +172,6 @@ class PythonRecipeHandler(RecipeHandler): # extravalues['SRC_URI(?:\[.*?\])?'] = None extravalues['S'] = None extravalues['SRC_URI'] = None - extravalues['SRC_URI[md5sum]'] = None - extravalues['SRC_URI[sha1sum]'] = None - extravalues['SRC_URI[sha256sum]'] = None - extravalues['SRC_URI[sha384sum]'] = None - extravalues['SRC_URI[sha512sum]'] = None classes.append('pypi') -- 2.34.1
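Review bot: The commented-out line `# extravalues['SRC_URI(?:\[.*?\])?'] = None` is still the first line of this hunk's context, and if someone re-enables it the pattern would match every `SRC_URI[...]` flag and drop the checksums again, which is the regression this patch fixes. Consider deleting that line, or replacing it with a short comment above `extravalues['SRC_URI'] = None` saying that the `SRC_URI[*sum]` entries are kept on purpose because pypi.bbclass does not generate them. The hunk also stops clearing `SRC_URI[md5sum]` and `SRC_URI[sha1sum]` along with the SHA-2 entries; if only `SRC_URI[sha256sum]` is meant to reach the generated recipe, say so in the commit message or keep clearing the weaker ones. No test accompanies the change, so a recipetool selftest asserting that a created pypi recipe still carries `SRC_URI[sha256sum]` would keep this from regressing.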
