[LEDE-DEV] SHA256 hashes for packages

Alberto Bursi alberto.bursi at outlook.it
Thu Jan 5 14:59:28 PST 2017


Older OpenWRT releases won't get the new package (or the updates) anyway 
so breaking compatibility is not an issue.

Although using a misleading name is still an issue. In LEDE core repo 
that var was renamed into PKG_HASH and contains a SHA256sum.

The LEDE buildsystem works with both variables
https://github.com/lede-project/source/commit/7416d2e046b87b262b407f8af70b8dd9b2927c70

Some packages in OpenWRT feeds are being updated with PKG_HASH in 
addition to the MD5 var.
https://github.com/openwrt/packages/commit/e73964fa8fae94473e9046dfd8fd505206b50ab3

I think the official way forward is to use PKG_HASH instead of placing a 
SHA256sum in a var called MD5.

-Alberto

On 01/05/2017 11:28 PM, Heinrich Schuchardt wrote:
> Hello Hannu,
>
> why should a variable be called MD5 if it holds an SHA256 hash? That
> does not make any sense.
>
> Could you, please, point me to the thread on the openwrt or lede list
> that discussed this weird idea.
>
> Abusing the MD5 variable with SHA256 hashes will break compatibility
> with older openwrt releases.
>
> If you want an SHA256 hash, please, use an SHA256 variable.
>
> This was already pointed out in
> https://bugs.lede-project.org/index.php?do=details&task_id=326&order=id&sort=asc&order2=summary&sort2=desc
>
> Anyway it is safer to use multiple hashes.
>
> Best regards
>
> Heinrich Schuchardt
>
>
> On 01/05/2017 11:05 PM, Hannu Nyman wrote:
>> Could you please update the PR a bit and replace the MD5 hash with a
>> SHA256 hash.
>>
>> (Leave the variable name as it is now, but replace the hash itself with
>> the longer SHA256 hash.)
>>
>> Same goes for other packages that you maintaining. MD5 is being phased
>> out, so please use SHA256 when issuing updates as PRs.
>>
>
>




More information about the Lede-dev mailing list