Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-10-25 Thread Jeff Law
On 10/24/2016 06:16 PM, Moritz Klammler wrote: Jeff Law writes: On 10/24/2016 02:44 AM, Richard Biener wrote: On Fri, Oct 7, 2016 at 3:10 PM, Moritz Klammler wrote: I would like to bump my patch that makes the `contrib/download_prerequisites` script verify the checksums of the downloaded pa

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-10-24 Thread Moritz Klammler
Jeff Law writes:
> On 10/24/2016 02:44 AM, Richard Biener wrote:
>> On Fri, Oct 7, 2016 at 3:10 PM, Moritz Klammler wrote:
>>> I would like to bump my patch that makes the
>>> `contrib/download_prerequisites` script verify the checksums of the
>>> downloaded packages and augments it with a few a

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-10-24 Thread Jeff Law
On 10/24/2016 02:44 AM, Richard Biener wrote: On Fri, Oct 7, 2016 at 3:10 PM, Moritz Klammler wrote: I would like to bump my patch that makes the `contrib/download_prerequisites` script verify the checksums of the downloaded packages and augments it with a few additional options. All feedback I

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-10-24 Thread Richard Biener
On Fri, Oct 7, 2016 at 3:10 PM, Moritz Klammler wrote:
> I would like to bump my patch that makes the
> `contrib/download_prerequisites` script verify the checksums of
> the downloaded packages and augments it with a few additional options.
> All feedback I have received has been incorporated. Is

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-10-07 Thread Moritz Klammler
I would like to bump my patch that makes the `contrib/download_prerequisites` script verify the checksums of the downloaded packages and augments it with a few additional options. All feedback I have received has been incorporated. Is it okay like this? Below is again the latest iteration of the

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-14 Thread Mike Stump
On Sep 14, 2016, at 1:19 PM, Moritz Klammler wrote:
>
> Joseph Myers writes:
>
>> On Wed, 14 Sep 2016, Moritz Klammler wrote:
>>
>>> Ok, I didn't know about the workflow. Do you think I should dike the
>>> `--strip-sums` option out again then?
>>
>> I don't see any use for such an option. A

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-14 Thread Moritz Klammler
Joseph Myers writes:
> On Wed, 14 Sep 2016, Moritz Klammler wrote:
>
>> Ok, I didn't know about the workflow. Do you think I should dike the
>> `--strip-sums` option out again then?
>
> I don't see any use for such an option. Anyone changing the versions
> should always have a copy of the new

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-14 Thread Joseph Myers
On Wed, 14 Sep 2016, Moritz Klammler wrote:
> Ok, I didn't know about the workflow. Do you think I should dike the
> `--strip-sums` option out again then?

I don't see any use for such an option. Anyone changing the versions should always have a copy of the new tarball (obtained securely if po

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-14 Thread Moritz Klammler
Joseph Myers writes:
> On Wed, 14 Sep 2016, Moritz Klammler wrote:
>
>> be cleaner to only include those checksums that are actually needed. On
>> the other hand, it means an increased maintenance burden each time the
>> version of the dependency is changed. In order to mitigate this and
>
> I

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-14 Thread Joseph Myers
On Wed, 14 Sep 2016, Moritz Klammler wrote:
> be cleaner to only include those checksums that are actually needed. On
> the other hand, it means an increased maintenance burden each time the
> version of the dependency is changed. In order to mitigate this and

I really don't see it as an increa

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-14 Thread Moritz Klammler
Richard Biener writes:
> On Tue, Sep 13, 2016 at 6:01 PM, Joseph Myers wrote:
>> On Tue, 13 Sep 2016, Moritz Klammler wrote:
>>
>>> I have made an actual diff now, containing also the checksum files.
>>> I
>>
>> I don't think checksums of lots of miscellaneous files should be
>> included, just t

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-14 Thread Richard Biener
On Tue, Sep 13, 2016 at 6:01 PM, Joseph Myers wrote:
> On Tue, 13 Sep 2016, Moritz Klammler wrote:
>
>> I have made an actual diff now, containing also the checksum files. I
>
> I don't think checksums of lots of miscellaneous files should be included,
> just the checksums for those files the cur

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-13 Thread Joseph Myers
On Tue, 13 Sep 2016, Moritz Klammler wrote:
> I have made an actual diff now, containing also the checksum files. I

I don't think checksums of lots of miscellaneous files should be included, just the checksums for those files the current script will actually use.

--
Joseph S. Myers jos...@cod

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-13 Thread Moritz Klammler
Joseph Myers writes:
> On Sun, 11 Sep 2016, Moritz Klammler wrote:
>
>> gmp='gmp-4.3.2.tar.bz2'
>> mpfr='mpfr-2.4.2.tar.bz2'
>> mpc='mpc-0.8.1.tar.gz'
>> isl='isl-0.15.tar.bz2'
>
> These are not the versions used in the current script (given which,
> presumably you need to check for any other cha

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-12 Thread Joseph Myers
On Sun, 11 Sep 2016, Moritz Klammler wrote:
> gmp='gmp-4.3.2.tar.bz2'
> mpfr='mpfr-2.4.2.tar.bz2'
> mpc='mpc-0.8.1.tar.gz'
> isl='isl-0.15.tar.bz2'

These are not the versions used in the current script (given which, presumably you need to check for any other changes to the script since you star

Re: Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-11 Thread Mike Stump
On Sep 11, 2016, at 8:35 AM, Moritz Klammler wrote:
>
> There is a long-standing
> [bug report](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61439)
> pointing out that the `download_prerequisites` script doesn't verify the
> integrity of the packages it downloads.

I like the script.

Verify package integrity of downloaded prerequisites (partially fixes 61439)

2016-09-11 Thread Moritz Klammler
There is a long-standing [bug report](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61439) pointing out that the `download_prerequisites` script doesn't verify the integrity of the packages it downloads. The original bug report is only concerned about stability but for me, this is first and foremos