[LEDE-DEV] SHA256 hashes for packages

Hannu Nyman hannu.nyman at iki.fi
Fri Jan 6 00:41:03 PST 2017

On 6.1.2017 0:28, Heinrich Schuchardt wrote:
 > Hello Hannu,
 > why should a variable be called MD5 if it holds an SHA256 hash? That does not make any sense.
 > Could you, please, point me to the thread on the openwrt or lede list that discussed this weird idea.

Not sure if that was widely discussed in mailing lists in advance, but PKG_MD5SUM 
has also accepted a SHA256 hash since January 2016 
(https://dev.openwrt.org/changeset/48253/) and the first core package was 
converted to use the mixed syntax immediately afterwards by 
https://dev.openwrt.org/changeset/48254 in January 2016.

Quite many packages in the packages feed repo have already been similarly 
converted to use sha256 although the field is named PKG_MD5SUM.

 > why should a variable be called MD5 if it holds an SHA256 hash?

You are right, that is confusing. To avoid confusion LEDE has already 
introduced PKG_HASH with lede-project/source at 7416d2e. Most core packages in 
LEDE were switched to use sha256 and the new variable with 
lede-project/source at 720b992.

But as Openwrt has not yet introduced PKG_HASH, we can't use only PKG_HASH in 
the packages feed repo that is common to both.

As Jow already suggested in his answer, one non-confusing alternative is to 
use both PKG_MD5SUM with MD5 hash and PKG_HASH with SHA256 hash. Some 
packages have been committed that way.

 > Abusing the MD5 variable with SHA256 hashes will break compatibility with older openwrt releases.

To my knowledge the master branch in packages is only targeting DD/master/trunk 
in Openwrt and master in LEDE. Older releases have their own branches like 
for-15.05 etc.

Ps. I had already answered you on GitHub, but I only now noticed that you 
had also written this to the mailing lists at the same time.
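
An added example, not part of the original message or of the OpenWrt/LEDE build system: a Python audit for feed Makefiles that reports which kind of digest PKG_MD5SUM and PKG_HASH actually carry, and checks a downloaded source archive against them. It assumes the digest type is inferred from the hex length alone (32 for MD5, 64 for SHA256); the function names and the sample Makefile text are constructed for illustration.

```python
import hashlib
import re

# Assumption for this example: digest type is inferred from hex length only.
ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}
ASSIGN = re.compile(r"^(PKG_MD5SUM|PKG_HASH)[ \t]*:?=[ \t]*(\S+)[ \t]*$", re.M)

def classify(value):
    """Return 'md5', 'sha256' or None for a hex digest string."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return ALGO_BY_HEXLEN.get(len(value))

def audit_makefile(text):
    """Return ({variable: algorithm}, findings) for one package Makefile."""
    found = {var: classify(val) for var, val in ASSIGN.findall(text)}
    findings = []
    if found.get("PKG_MD5SUM") == "sha256":
        findings.append("PKG_MD5SUM holds a SHA256 digest (mixed syntax)")
    if "sha256" not in found.values():
        findings.append("no SHA256 digest: source pinned by MD5 only or not at all")
    if None in found.values():
        findings.append("unrecognised digest length or characters")
    return found, findings

def verify(data, text):
    """True only if data matches every digest declared in the Makefile."""
    digests = ASSIGN.findall(text)
    return bool(digests) and all(
        classify(v) is not None
        and hashlib.new(classify(v), data).hexdigest() == v.lower()
        for _, v in digests)

# Constructed sample input: a fake source archive and three Makefile variants.
TARBALL = b"constructed sample source archive\n"
SHA = hashlib.sha256(TARBALL).hexdigest()
MD5 = hashlib.md5(TARBALL).hexdigest()
MIXED = f"PKG_NAME:=demo\nPKG_MD5SUM:={SHA}\n"                 # SHA256 in the MD5 field
BOTH = f"PKG_NAME:=demo\nPKG_MD5SUM:={MD5}\nPKG_HASH:={SHA}\n"  # both variables set
LEGACY = f"PKG_NAME:=demo\nPKG_MD5SUM:={MD5}\n"                # MD5 only

if __name__ == "__main__":
    for name, mk in (("mixed", MIXED), ("both", BOTH), ("legacy", LEGACY)):
        print(name, audit_makefile(mk), verify(TARBALL, mk))
```
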
