On 7/9/20 10:40 AM, Moritz Warning wrote:
> On 7/9/20 8:46 AM, e9hack wrote:
>> On 09.07.2020 at 08:36, e9hack wrote:
>>> Hi,
>>>
>>> Something in the source definition of package stubby is wrong. The build
>>> process tries to download
>>> https://github.com/getdnsapi/stubby/stubby-0.3.0.tar.xz but the real
>>> download location is
>>> https://github.com/getdnsapi/stubby/archive/stubby-0.3.0.tar.gz. It fails
>>> and it builds its own source package from a git checkout. For the checkout no
>>> hash is used. The given hash from the Makefile is never used. I can change the
>>> hash to whatever I want. The build process doesn't complain about a wrong hash.
>>>
>>> Regards,
>>> Hartmut
>>>
>>
>> Sorry, the download path is
>> https://github.com/getdnsapi/stubby/archive/v0.3.0.tar.gz which results in
>> downloading stubby-0.3.0.tar.gz from somewhere in the github code cloud.
>>
>> Regards,
>> Hartmut
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> [email protected]
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>
>
>> From what I see in include/download.mk, if dl_github_archive.py fails (e.g.
>> due to a PKG_MIRROR_HASH mismatch), then DownloadMethod/rawgit is used -
>> which does not check the hash but is fine if the sha1 commit id is valid.
>
> This does not look good, since the commit hash is not meant to be a security
> guarantee.

No? The stubby package does not even have a commit hash, but a git tag
(PKG_SOURCE_VERSION:=v$(PKG_VERSION)). That means the git tag can be changed
by the source repository and openwrt won't complain. :/

>
> best,
> mwarning
>
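As an added illustration of the concern raised in this thread (not code from the list or from OpenWrt itself), the Python audit below flags a package Makefile whose PKG_SOURCE_VERSION is a tag rather than a full commit id, and shows the fail-closed hash check a download step should apply instead of falling back to an unverified git fetch. The Makefile fragments are constructed placeholders; the variable names are the standard OpenWrt ones.

```python
import hashlib
import re

# Constructed OpenWrt-style Makefile fragment (placeholder values, not the
# real stubby Makefile); only the variables that pin the source are kept.
TAG_PINNED = """\
PKG_VERSION:=0.3.0
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/getdnsapi/stubby
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_MIRROR_HASH:=0000000000000000000000000000000000000000000000000000000000000000
"""
# Same package pinned to a (constructed) full commit id instead of a tag.
COMMIT_PINNED = TAG_PINNED.replace(
    "PKG_SOURCE_VERSION:=v$(PKG_VERSION)",
    "PKG_SOURCE_VERSION:=0123456789abcdef0123456789abcdef01234567")

COMMIT_ID = re.compile(r"^[0-9a-f]{40}$")  # full git sha1, the only immutable ref

def parse_vars(makefile):
    """Collect simple VAR:=value / VAR=value assignments into a dict."""
    out = {}
    for line in makefile.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:?=\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def expand(value, vars_):
    """Expand $(VAR) references recursively, as make would."""
    return re.sub(r"\$\(([A-Z_]+)\)",
                  lambda m: expand(vars_.get(m.group(1), ""), vars_), value)

def audit(makefile):
    """Return findings that make the source unverifiable; [] means pinned."""
    v = parse_vars(makefile)
    findings = []
    if v.get("PKG_SOURCE_PROTO") == "git":
        ref = expand(v.get("PKG_SOURCE_VERSION", ""), v)
        if not COMMIT_ID.match(ref):
            findings.append(f"PKG_SOURCE_VERSION={ref!r} is a tag or branch: "
                            "upstream can move it, and a git fetch accepts it")
    if not (v.get("PKG_HASH") or v.get("PKG_MIRROR_HASH")):
        findings.append("no PKG_HASH/PKG_MIRROR_HASH: archive is never checked")
    return findings

def verify_archive(data, expected_sha256):
    """Fail closed: a hash mismatch is an error, never a cue to fall back."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```

Running audit over a package feed before a build makes tag-pinned git sources visible, which is the gap the thread describes: a hash in the Makefile protects nothing once the build silently switches to a checkout.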
