Re: [OE-core] opkg and gpg signed ipk packages
Do you think this patch would be of interest for someone?

Yes but it would be good to make it choosable at distro level.

Opkg has support for 'sha256' but opkg-utils only supports md5. We could pass the sha256 option to opkg-utils (like other parameters such as Maintainer), and make it configurable. We just need to figure out how to pass this option to opkg-utils.

Since MD5 is not very secure, wouldn't it be better to use sha256 as default? Or is there any specific reason that someone would want MD5 to be kept as the default (due to e.g. performance, backwards compatibility .. ?).

It takes longer time to compute a sha256 checksum compared to md5 but sha256 is more secure and reliable. Anyway it would be good to have this optional (sha256 or md5).

I agree.. and RPM(5) has the ability to switch the default checksum from MD5 to others as well. So a global distro setting would make sense. (I don't know how the deb package manager is configured.)

Let me know if we come up with a distribution level switch (or if we just want to make the policy be sha256, as it's definitely better than MD5) and I can help make the RPM configuration change as well.

I think a configuration at high level would be good to use for all PMS, to choose MD5 or sha256.

conf/local.conf:

    # Package Management configuration
    PACKAGE_CLASSES ?= "package_ipk"
Or
    PACKAGE_CLASSES ?= "package_rpm"

    PACKAGE_CHECKSUM ?= "sha256"    (something like this)
Or
    PACKAGE_CHECKSUM ?= "md5"

//Sona

--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] opkg and gpg signed ipk packages
> I'm guessing you would want something like this in your custom distro config
> (or local.conf if you must):
>
>     PACKAGECONFIG_append_pn-opkg = " sha256"
>     PACKAGECONFIG_append_pn-opkg-native = " sha256"

Thanks a lot guys for your help, this is now working :)

There is support for sha256 in opkg but not in the opkg-utils. opkg-utils (opkg.py) just uses md5 as default option.

I changed opkg.py:

    # compute the MD5.
    if not self.fn:
        self.md5 = 'Unknown'
    else:
        f = open(self.fn, "rb")
        sum = hashlib.md5()

to

        sum = hashlib.sha256()

and now I get checksum sha256 in the Packages file:

    SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594

Do you think this patch would be of interest for someone?

//Sona

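An added example (not part of the original message, and not opkg-utils code) that generalizes the change described above: the checksum algorithm is a parameter, as proposed elsewhere in the thread, and a verifier rejects a Packages stanza that carries only an MD5Sum. The function names and the field-name mapping are assumptions of this example; the sample file is constructed.

```python
import hashlib
import os
import tempfile

# Assumed mapping (not opkg-utils code); field spellings follow the thread.
CHECKSUM_FIELDS = {"md5": "MD5Sum", "sha256": "SHA256Sum"}

def file_digest(path, algorithm):
    """Hex digest of a file, read in chunks so a large .ipk is never held whole."""
    if algorithm not in CHECKSUM_FIELDS:
        raise ValueError("unsupported checksum algorithm: %r" % (algorithm,))
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def checksum_line(path, algorithm="sha256"):
    """Packages stanza line for the selected algorithm."""
    digest = file_digest(path, algorithm)
    return "%s: %s\n" % (CHECKSUM_FIELDS[algorithm], digest)

def parse_stanza(text):
    """Parse 'Key: value' lines; keys are lower-cased because the thread shows
    both 'SHA256sum' and 'SHA256Sum'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def verify(path, stanza_text, required="sha256"):
    """True only if the stanza has the required checksum and it matches the
    file; a stanza carrying only a weaker checksum is rejected."""
    expected = parse_stanza(stanza_text).get(CHECKSUM_FIELDS[required].lower())
    return expected is not None and expected.lower() == file_digest(path, required)

def demo():
    """Constructed stand-in for an .ipk: returns (sha256 stanza ok, md5-only ok)."""
    with tempfile.NamedTemporaryFile(suffix=".ipk", delete=False) as f:
        f.write(b"constructed sample package payload\n")
    try:
        good = "Package: example\n" + checksum_line(f.name, "sha256")
        md5_only = "Package: example\n" + checksum_line(f.name, "md5")
        return verify(f.name, good), verify(f.name, md5_only)
    finally:
        os.unlink(f.name)
```
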
Re: [OE-core] opkg and gpg signed ipk packages
On 2015-05-19 05:47, Sona Sarmadi wrote:
> > I'm guessing you would want something like this in your custom distro config
> > (or local.conf if you must):
> >
> >     PACKAGECONFIG_append_pn-opkg = " sha256"
> >     PACKAGECONFIG_append_pn-opkg-native = " sha256"
>
> Thanks a lot guys for your help, this is now working :)
>
> There is support for sha256 in opkg but not in the opkg-utils. opkg-utils
> (opkg.py) just uses md5 as default option.
>
> I changed opkg.py:
>
>     # compute the MD5.
>     if not self.fn:
>         self.md5 = 'Unknown'
>     else:
>         f = open(self.fn, "rb")
>         sum = hashlib.md5()
>
> to
>
>         sum = hashlib.sha256()
>
> and now I get checksum sha256 in the Packages file:
>
>     SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>
> Do you think this patch would be of interest for someone?

Yes, including everything you found that needs to be set up to support these checksums.

--
Gary Thomas     |  Consulting for the
MLB Associates  |    Embedded world
--

Re: [OE-core] opkg and gpg signed ipk packages
On Tue, May 19, 2015 at 8:47 AM, Sona Sarmadi sona.sarm...@enea.com wrote:
> > I'm guessing you would want something like this in your custom distro config
> > (or local.conf if you must):
> >
> >     PACKAGECONFIG_append_pn-opkg = " sha256"
> >     PACKAGECONFIG_append_pn-opkg-native = " sha256"
>
> Thanks a lot guys for your help, this is now working :)
>
> There is support for sha256 in opkg but not in the opkg-utils. opkg-utils
> (opkg.py) just uses md5 as default option.
>
> I changed opkg.py:
>
>     # compute the MD5.
>     if not self.fn:
>         self.md5 = 'Unknown'
>     else:
>         f = open(self.fn, "rb")
>         sum = hashlib.md5()
>
> to
>
>         sum = hashlib.sha256()
>
> and now I get checksum sha256 in the Packages file:
>
>     SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>
> Do you think this patch would be of interest for someone?

Yes but it would be good to make it choosable at distro level.

--
Otavio Salvador                  O.S. Systems
http://www.ossystems.com.br      http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854       Mobile: +1 (347) 903-9750

Re: [OE-core] opkg and gpg signed ipk packages
On 5/19/15 7:01 AM, Otavio Salvador wrote:
> On Tue, May 19, 2015 at 8:47 AM, Sona Sarmadi sona.sarm...@enea.com wrote:
> > > I'm guessing you would want something like this in your custom distro config
> > > (or local.conf if you must):
> > >
> > >     PACKAGECONFIG_append_pn-opkg = " sha256"
> > >     PACKAGECONFIG_append_pn-opkg-native = " sha256"
> >
> > Thanks a lot guys for your help, this is now working :)
> >
> > There is support for sha256 in opkg but not in the opkg-utils. opkg-utils
> > (opkg.py) just uses md5 as default option.
> >
> > I changed opkg.py:
> >
> >     # compute the MD5.
> >     if not self.fn:
> >         self.md5 = 'Unknown'
> >     else:
> >         f = open(self.fn, "rb")
> >         sum = hashlib.md5()
> >
> > to
> >
> >         sum = hashlib.sha256()
> >
> > and now I get checksum sha256 in the Packages file:
> >
> >     SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
> >
> > Do you think this patch would be of interest for someone?
>
> Yes but it would be good to make it choosable at distro level.

I agree.. and RPM(5) has the ability to switch the default checksum from MD5 to others as well. So a global distro setting would make sense. (I don't know how the deb package manager is configured.)

Let me know if we come up with a distribution level switch (or if we just want to make the policy be sha256, as it's definitely better than MD5) and I can help make the RPM configuration change as well.

--Mark

Re: [OE-core] opkg and gpg signed ipk packages
> I'm guessing you would want something like this in your custom distro config
> (or local.conf if you must):
>
>     PACKAGECONFIG_append_pn-opkg = " sha256"
>     PACKAGECONFIG_append_pn-opkg-native = " sha256"

Thanks Paul, it looks like this should be the configuration but I have tried this and didn't help.

I try to find out some info about Packages file, how it is generated, where this checksum is computed, etc ...

I see in the opkg.py how the content of the Packages file is generated but I don't understand how this file is generated.

./build-p2020/tmp/sysroots/x86_64-linux/usr/bin/opkg.py

    if self.md5: out = out + "MD5Sum: %s\n" % (self.md5)

//Sona

    hashval = bb.utils.md5_file(f)

Re: [OE-core] opkg and gpg signed ipk packages
Hi Sona,

On Wednesday 13 May 2015 20:20:51 Sona Sarmadi wrote:
> > SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG 'sha256'
> > then ensure that your Packages file contains a 'SHA256sum: ...' line for
> > each package.
>
> Does anyone know where do I specify this PACKAGECONFIG configuration? I want
> all ipk packages to be checksummed using sha256 (in the Packages file that
> describes the ipk packages). The default seems to be md5:
>
> tmp/deploy/ipk/ppce500v2/Packages
>
>     Package: acl-dbg
>     Version: 2.2.52-r0
>     Recommends: libc6-dbg, libattr-dbg, libacl-dbg
>     Section: devel
>     Architecture: ppce500v2
>     Maintainer: Poky p...@yoctoproject.org
>     MD5Sum: 0903a158d6c7acc825bf7e71b255d7fc

I'm guessing you would want something like this in your custom distro config (or local.conf if you must):

    PACKAGECONFIG_append_pn-opkg = " sha256"
    PACKAGECONFIG_append_pn-opkg-native = " sha256"

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre

Re: [OE-core] opkg and gpg signed ipk packages
Hi

> SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG 'sha256'
> then ensure that your Packages file contains a 'SHA256sum: ...' line for
> each package.

Does anyone know where do I specify this PACKAGECONFIG configuration? I want all ipk packages to be checksummed using sha256 (in the Packages file that describes the ipk packages). The default seems to be md5:

tmp/deploy/ipk/ppce500v2/Packages

    Package: acl-dbg
    Version: 2.2.52-r0
    Recommends: libc6-dbg, libattr-dbg, libacl-dbg
    Section: devel
    Architecture: ppce500v2
    Maintainer: Poky p...@yoctoproject.org
    MD5Sum: 0903a158d6c7acc825bf7e71b255d7fc

Thanks
//Sona