On 7/9/20 8:46 AM, e9hack wrote: > Am 09.07.2020 um 08:36 schrieb e9hack: >> Hi, >> >> something in the source definition of package stubby is wrong. The build >> process tries to download >> https://github.com/getdnsapi/stubby/stubby-0.3.0.tar.xz but the real >> download location is >> https://github.com/getdnsapi/stubby/archive/stubby-0.3.0.tar.gz. It fails >> and it builds its own source package from git checkout. For checkout no hash >> is used. The given hash from Makefile is never used. I can change the hash >> to what I want. The build process doesn't complain about a wrong hash. >> >> Regards, >> Hartmut >> > > Sorry the download path is > https://github.com/getdnsapi/stubby/archive/v0.3.0.tar.gz which results in > downloading of stubby-0.3.0.tar.gz from somewhere in the github code cloud. > > Regards, > Hartmut > > _______________________________________________ > openwrt-devel mailing list > [email protected] > https://lists.openwrt.org/mailman/listinfo/openwrt-devel >
>From what I see in include/download.mk, if dl_github_archive.py fails (e.g. >due to a PKG_MIRROR_HASH mismatch), then DownloadMethod/rawgit is used - which >does not check the hash but is fine if the sha1 commit id is valid. This does not look good, since the commit hash is not meant to be a security guarantee. No? best, mwarning _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
