On 5/6/20 12:10 AM, Adrian Bunk wrote: > On Tue, May 05, 2020 at 01:55:35PM +0200, Richard Leitner wrote: >> ... >> --- a/meta/recipes-kernel/dtc/dtc_1.5.1.bb >> +++ b/meta/recipes-kernel/dtc/dtc_1.6.0.bb >> @@ -3,7 +3,7 @@ require dtc.inc >> LIC_FILES_CHKSUM = "file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ >> >> file://libfdt/libfdt.h;beginline=4;endline=7;md5=05bb357cfb75cae7d2b01d2ee8d76407" >> >> -SRCREV = "60e0db3d65a1218b0d5a29474e769f28a18e3ca6" >> +SRCREV = "v${PV}" >> ... > > It is tempting to use tags, but it is a bad idea. > Upstream might move a tag to a different commit. > Someone might do a man-in-the-middle attack on a specific user, > and there is no other verification of the sources apart from > the commit hash. >
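Review bot: `SRCREV = "v${PV}"` in the dtc_1.6.0.bb hunk replaces the pinned commit hash with a tag name, so the recipe no longer fixes which commit is fetched and the hash stops acting as a check on the source. Keep SRCREV set to the full commit hash that the upstream 1.6.0 tag points to, and record the tag name in a comment next to it if the mapping is worth keeping.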
Moreover, bitbake will still need to enquire the repository since tags are floating revisions, and this might fail to work if the network does not allow access to the internet, etc.

This is a good document describing the problem:
https://pelux.io/software-factory/PELUX-3.0/swf-blueprint/docs/articles/baseplatform/reproducible-yocto-builds.html

> cu
> Adrian
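A static check for the problem raised in this thread, as an added example that is not part of the original messages or of OpenEmbedded: it scans recipe text for SRCREV assignments that are not a full commit hash. The function name `audit_srcrev` and the sample inputs are constructed here; the two SRCREV values are the ones from the quoted patch.

```python
import re

# SRCREV, SRCREV_<name> and SRCREV:<override> assignments with a quoted value.
ASSIGN = re.compile(r'^\s*(SRCREV[\w:\-${}]*)\s*(?:\?\?=|\?=|:=|=)\s*"([^"]*)"', re.M)
# A pinned revision is a full git object id: 40 hex (SHA-1) or 64 hex (SHA-256).
FULL_HASH = re.compile(r'^(?:[0-9a-f]{40}|[0-9a-f]{64})$')


def audit_srcrev(recipe_text):
    """Return (variable, value, reason) for each SRCREV that is not a full hash."""
    findings = []
    for var, value in ASSIGN.findall(recipe_text):
        if var == "SRCREV_FORMAT":      # names the SRCREV parts, holds no revision
            continue
        if FULL_HASH.match(value):
            continue
        if "AUTOREV" in value:
            reason = "AUTOREV follows the branch head"
        elif "${" in value:
            reason = "expands a variable, likely a tag or branch name"
        elif re.fullmatch(r"[0-9a-f]{7,39}", value):
            reason = "abbreviated hash, not a full object id"
        else:
            reason = "tag or branch name"
        findings.append((var, value, reason))
    return findings


# Constructed sample input: the removed and added lines from the quoted patch.
PINNED = 'SRCREV = "60e0db3d65a1218b0d5a29474e769f28a18e3ca6"\n'
FLOATING = 'SRCREV = "v${PV}"\n'
# Constructed sample input: a multi-repository recipe fragment (hypothetical).
MIXED = (
    'SRCREV_FORMAT = "machine_meta"\n'
    'SRCREV_machine ?= "${AUTOREV}"\n'
    'SRCREV_meta = "master"\n'
)

if __name__ == "__main__":
    for label, text in (("pinned", PINNED), ("floating", FLOATING), ("mixed", MIXED)):
        for var, value, reason in audit_srcrev(text):
            print(f"{label}: {var} = {value!r}: {reason}")
```

The check is textual only: it does not expand variables or follow `require`/`include`, so a value such as `v${PV}` is reported by its unexpanded form.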