Hi Michael,

> Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to
> download them all.
> And the first step must be to support checking md5 or sha256, whichever is
> available. We still need md5 so we don't break BSPs with local packages
> during the transition.
>
> > Sounds like a good idea, but then I would prefer that 2-3 ppl run the
> > script, just to make sure different proxies are used.
>
> While this is a nice idea, this only works for the existing packages. I can't
> do the same for new packages or new versions of existing packages.

I don't expect we do this for new packages, only on existing due to the sheer number of packages.

> So far the checksum has only been a protection against broken archives or
> stupid upstream. It is not a security feature. If we change that, then we
> need a way to verify that the initial checksums are correct. I don't know
> how I can do that for new packages.

Ideally all upstream packages should include a SHA256 hash when they are releasing new versions. Unfortunately we can't change the whole world in a day :)

So continue with the current way of manual download and hash, but also include audit information about download URL (in case of mirrors) and date of download.

Suggested actions:
1) include SHA256 hash in rules
2) include audit info in commit message (hash source + date)
3) push upstream packages to include SHA256
4) prefer HTTPS/FTPS as source URL in rules

/Bruno

--
ptxdist mailing list
ptxdist@pengutronix.de
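
The "sha256 or md5, whichever is available" check and the audit line for the commit message discussed in this thread, as an added example that is not part of the original message and not ptxdist's own code. The function names `hash_of`, `verify_archive` and `audit_line` are hypothetical, and the script assumes coreutils `sha256sum` and `md5sum` are installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not ptxdist's own code.
# Requires coreutils sha256sum and md5sum.

# hash_of ALGO FILE: print the lowercase hex digest of FILE.
hash_of() {
    case "$1" in
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
        md5)    md5sum "$2" | cut -d' ' -f1 ;;
        *)      return 2 ;;
    esac
}

# verify_archive FILE SHA256 MD5
# Uses SHA256 whenever one is recorded; MD5 is consulted only when the
# SHA256 argument is empty (legacy/local packages during the transition).
# A SHA256 mismatch is never rescued by a matching MD5.
# Prints the algorithm used. Returns 0 match, 1 mismatch, 2 nothing recorded.
verify_archive() {
    va_file=$1; va_sha256=$2; va_md5=$3
    if [ -n "$va_sha256" ]; then
        va_algo=sha256; va_want=$va_sha256
    elif [ -n "$va_md5" ]; then
        va_algo=md5; va_want=$va_md5
    else
        echo none
        return 2
    fi
    echo "$va_algo"
    va_got=$(hash_of "$va_algo" "$va_file") || return 1
    # Recorded checksums may be upper-case; compare case-insensitively.
    va_want=$(printf '%s' "$va_want" | tr 'A-F' 'a-f')
    [ "$va_got" = "$va_want" ] || return 1
}

# audit_line FILE URL [DATE]
# One line for the commit message: hash, where it was fetched from, and when.
audit_line() {
    printf 'sha256=%s source=%s downloaded=%s\n' \
        "$(hash_of sha256 "$1")" "$2" "${3:-$(date -u +%Y-%m-%d)}"
}
```

Passing both checksums makes the SHA256 value authoritative, so a package that has already been migrated cannot silently fall back to its old MD5.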