[LEDE-DEV] SHA256 hashes for packages

Alberto Bursi alberto.bursi at outlook.it
Thu Jan 5 14:59:28 PST 2017

Older OpenWRT releases won't get the new package (or the updates) anyway 
so breaking compatibility is not an issue.

Although using a misleading name is still an issue. In LEDE core repo 
that var was renamed into PKG_HASH and contains a SHA256sum.

The LEDE buildsystem works with both variables

Some packages in OpenWRT feeds are being updated with PKG_HASH in 
addition to the MD5 var.

I think the official way forward is to use PKG_HASH instead of placing a 
SHA256sum in a var called MD5.


On 01/05/2017 11:28 PM, Heinrich Schuchardt wrote:
> Hello Hannu,
> why should a variable be called MD5 if it holds an SHA256 hash? That
> does not make any sense.
> Could you, please, point me to the thread on the openwrt or lede list
> that discussed this weird idea.
> Abusing the MD5 variable with SHA256 hashes will break compatibility
> with older openwrt releases.
> If you want an SHA256 hash, please, use an SHA256 variable.
> This was already pointed out in
> https://bugs.lede-project.org/index.php?do=details&task_id=326&order=id&sort=asc&order2=summary&sort2=desc
> Anyway it is safer to use multiple hashes.
> Best regards
> Heinrich Schuchardt
> On 01/05/2017 11:05 PM, Hannu Nyman wrote:
>> Could you please update the PR a bit and replace the MD5 hash with a
>> SHA256 hash.
>> (Leave the variable name as it is now, but replace the hash itself with
>> the longer SHA256 hash.)
>> Same goes for other packages that you maintaining. MD5 is being phased
>> out, so please use SHA256 when issuing updates as PRs.

More information about the Lede-dev mailing list