[Buildroot] [PATCH 0/6] core: look for package's hashes in versioned sub-directory

[Buildroot] [PATCH 0/6] core: look for package's hashes in versioned sub-directory

[Yann E. MORIN]

Hello All!

When we support two (or more) versions for a package (e.g. qt5base), and
those versions have different licensing terms but stored in the same
file (e.g. 'LICENSE'), we can't store the hashes for the license files
in the same .hash file, as all hashes for a file must match, which would
obviously not be the case here.

So, we've already started moving those hash files in a sub-directory
named after the version, but only for the license files hashes; the
hashes for the downloaded files were left in the main .hash file.

This is not so consistent; hashes for a version should be in the same
file.

This series allows that, by introducing a per-package variable that
contains the path to the license file, so that it can be used both by
the download and legal-info infras.

To be noted: for packages that already have a per-version hash file for
their licensing terms, but a common hash file for their downloads, we
have to carefully switch them over to a per-version hash file only,
while still ensuring that both download and license hashes are still
checked for at every point in the series.

If we were to move the download hashes before the download infra learns
to look into subdirs, the download hashes would not be checked for.
Conversely, if the download infra were to learn to look into subdirs
before the download hashes are moved to the per-version hash file, then
the download hashes would not be checked for either.

So we have to duplicate the download hashes, then teach the download
infra to look into per-version subdir, and finally remove the common
hash file.

Fortunately, only a few qt5 packages and glibc currently have both a
per-version hash file and a common hash file.

There are a few more packages for which we offer a version choice (not a
free-form), like gcc, gdb et al. For those, the licensing terms do not
change across those versions, so we do not need to have per-version hash
files. Ditto for those packages for which we offer a free-form version
option, like linux, uboot, barebox...

Notes:
How to find packages that have both a main and per-version hash files:

    $ find . -type f -name '*.hash' -printf '%h %f\n' \
      |while read d f; do
        for sub in "${d}/"*; do
          [ -d "${sub}" ] || continue
          [ -L "${sub}/${f}" ] && continue
          printf '%s %s' "${d}" "${sub##*/}"
          if [ -e "${sub}/${f}" ]; then
            printf ' present\n'
          else
            printf ' missing\n'
          fi
        done
      done |sort

For each package:
  - only 'missing': we don't need to add per-version hash files;
  - only 'present': we need to move the download hashes to the
    per-version hash files, if not already done;
  - a mix of 'missing' and 'present': we need to add the missing ones,
    and move the download hashes to the per-version has files.

---
Changes v1 -> v2:
  - improve commit-log for 3/6  (Luca)
  - carry Luca's reviewed tags where he sent them.


Regards,
Yann E. MORIN.


The following changes since commit e954ad62a61c4b552796c27e9a176e8453fd6b3f

  xerces: fix static linking with curl (2018-10-14 10:59:24 +0200)


are available in the git repository at:

  git://git.buildroot.org/~ymorin/git/buildroot.git

for you to fetch changes up to 12cce94c6a5ee554f580f8b3dfca566d4673f2a0

  docs/manual: document location of hash files for multi-versions packages (2018-10-14 11:37:42 +0200)


----------------------------------------------------------------
Yann E. MORIN (6):
      core: add a variable that points to the package's hash file
      legal-info: use the per-package variable to get the hash file
      package: prepare for per-version hash files
      core/download: do not hard-code the path to hte package hash file
      package: drop unversioned hash files
      docs/manual: document location of hash files for multi-versions packages

 Makefile                                                 |  2 +-
 docs/manual/adding-packages-directory.txt                |  7 +++++++
 package/glibc/arc-2018.03-release/glibc.hash             |  4 ++++
 .../glibc.hash                                           |  4 ++++
 package/glibc/glibc.hash                                 |  6 ++----
 package/pkg-download.mk                                  |  2 +-
 package/pkg-generic.mk                                   |  8 +++++++-
 package/pkg-utils.mk                                     |  8 ++------
 package/qt5/qt5base/{ => 5.11.2}/qt5base.hash            |  3 ---
 package/qt5/qt5base/5.6.3/qt5base.hash                   |  3 +++
 package/qt5/qt5base/qt5base.hash                         | 16 ++--------------
 package/qt5/qt5connectivity/5.11.2/qt5connectivity.hash  |  3 +++
 package/qt5/qt5connectivity/5.6.3/qt5connectivity.hash   |  3 +++
 package/qt5/qt5connectivity/qt5connectivity.hash         |  7 ++-----
 .../{ => 5.11.2}/qt5quickcontrols2.hash                  |  3 ---
 .../qt5/qt5quickcontrols2/5.6.3/qt5quickcontrols2.hash   |  3 +++
 package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash     | 12 ++----------
 package/qt5/qt5serialbus/5.11.2/qt5serialbus.hash        |  3 +++
 package/qt5/qt5serialbus/5.6.3/qt5serialbus.hash         |  3 +++
 package/qt5/qt5serialbus/qt5serialbus.hash               |  7 ++-----
 package/qt5/qt5serialport/5.11.2/qt5serialport.hash      |  3 +++
 package/qt5/qt5serialport/5.6.3/qt5serialport.hash       |  3 +++
 package/qt5/qt5serialport/qt5serialport.hash             |  7 ++-----
 .../qt5/qt5virtualkeyboard/2.0/qt5virtualkeyboard.hash   |  3 +++
 .../{ => 5.11.2}/qt5virtualkeyboard.hash                 |  3 ---
 package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash   | 14 ++------------
 26 files changed, 67 insertions(+), 73 deletions(-)
 copy package/qt5/qt5base/{ => 5.11.2}/qt5base.hash (79%)
 copy package/qt5/qt5quickcontrols2/{ => 5.11.2}/qt5quickcontrols2.hash (68%)
 copy package/qt5/qt5virtualkeyboard/{ => 5.11.2}/qt5virtualkeyboard.hash (77%)

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 1/6] core: add a variable that points to the package's hash file

[Yann E. MORIN]

When a package has a version selection (e.g. Qt5), the licensing terms
may be different across versions, but lie in similarly named files (e.g.
'LICENSE').

However, when we check a file, all the hashes for it must match. So, we
can't have the hashes for two different content of the same file. We
overcame that limitation in the legal-license-file macro, which checks
whether a package has a .hash file in a versioned subdir.

For consistency, we would like to also store the source hashes in that
per-version subdir.

Rather than reconstruct the path to the hash file everywhere we need it,
add a variable that points to it.

Existing users will be converted over in followup patches.

Note: the check for a missing hash file is done in the check-hash helper
script, so this variable must always yield a filename, even of a missing
file, thus we do not use $(wildcard...) to resolve the hash file path;
we use $(wildcard...) only to check if the versioned .hash file exists.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/pkg-generic.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index daf24594de..7dfad2d1be 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -434,6 +434,12 @@ else
 endif
 $(2)_VERSION := $$(call sanitize,$$($(2)_DL_VERSION))
 
+$(2)_HASH_FILE = \
+	$$(strip \
+		$$(if $$(wildcard $$($(2)_PKGDIR)/$$($(2)_VERSION)/$$($(2)_RAWNAME).hash),\
+			$$($(2)_PKGDIR)/$$($(2)_VERSION)/$$($(2)_RAWNAME).hash,\
+			$$($(2)_PKGDIR)/$$($(2)_RAWNAME).hash))
+
 ifdef $(3)_OVERRIDE_SRCDIR
   $(2)_OVERRIDE_SRCDIR ?= $$($(3)_OVERRIDE_SRCDIR)
 endif
-- 
2.14.1

[Buildroot] [PATCH 2/6] legal-info: use the per-package variable to get the hash file

[Yann E. MORIN]

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 Makefile               | 2 +-
 package/pkg-generic.mk | 2 +-
 package/pkg-utils.mk   | 8 ++------
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index 82dd76ea76..4948b7f5b1 100644
--- a/Makefile
+++ b/Makefile
@@ -792,7 +792,7 @@ legal-info-clean:
 .PHONY: legal-info-prepare
 legal-info-prepare: $(LEGAL_INFO_DIR)
 	@$(call MESSAGE,"Buildroot $(BR2_VERSION_FULL) Collecting legal info")
-	@$(call legal-license-file,buildroot,buildroot,support/legal-info,COPYING,COPYING,HOST)
+	@$(call legal-license-file,buildroot,buildroot,support/legal-info/buildroot.hash,COPYING,COPYING,HOST)
 	@$(call legal-manifest,PACKAGE,VERSION,LICENSE,LICENSE FILES,SOURCE ARCHIVE,SOURCE SITE,TARGET)
 	@$(call legal-manifest,PACKAGE,VERSION,LICENSE,LICENSE FILES,SOURCE ARCHIVE,SOURCE SITE,HOST)
 	@$(call legal-manifest,buildroot,$(BR2_VERSION_FULL),GPL-2.0+,COPYING,not saved,not saved,HOST)
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 7dfad2d1be..b8de0a9aac 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -912,7 +912,7 @@ ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 ifeq ($$(call qstrip,$$($(2)_LICENSE_FILES)),)
 	$(Q)$$(call legal-warning-pkg,$$($(2)_BASENAME_RAW),cannot save license ($(2)_LICENSE_FILES not defined))
 else
-	$(Q)$$(foreach F,$$($(2)_LICENSE_FILES),$$(call legal-license-file,$$($(2)_RAWNAME),$$($(2)_BASENAME_RAW),$$($(2)_PKGDIR),$$(F),$$($(2)_DIR)/$$(F),$$(call UPPERCASE,$(4)))$$(sep))
+	$(Q)$$(foreach F,$$($(2)_LICENSE_FILES),$$(call legal-license-file,$$($(2)_RAWNAME),$$($(2)_BASENAME_RAW),$$($(2)_HASH_FILE),$$(F),$$($(2)_DIR)/$$(F),$$(call UPPERCASE,$(4)))$$(sep))
 endif # license files
 
 ifeq ($$($(2)_SITE_METHOD),local)
diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
index c3acc22b17..be287dc817 100644
--- a/package/pkg-utils.mk
+++ b/package/pkg-utils.mk
@@ -83,14 +83,10 @@ define legal-manifest # pkg, version, license, license-files, source, url, {HOST
 	echo '"$(1)","$(2)","$(3)","$(4)","$(5)","$(6)"' >>$(LEGAL_MANIFEST_CSV_$(7))
 endef
 
-define legal-license-file # pkgname, pkgname-pkgver, pkgdir, filename, file-fullpath, {HOST|TARGET}
+define legal-license-file # pkgname, pkgname-pkgver, pkg-hashfile, filename, file-fullpath, {HOST|TARGET}
 	mkdir -p $(LICENSE_FILES_DIR_$(6))/$(2)/$(dir $(4)) && \
 	{ \
-		if [ -f $(3)/$($(PKG)_VERSION)/$(1).hash ]; then \
-			support/download/check-hash $(3)/$($(PKG)_VERSION)/$(1).hash $(5) $(4); \
-		else \
-			support/download/check-hash $(3)/$(1).hash $(5) $(4); \
-		fi; \
+		support/download/check-hash $(3) $(5) $(4); \
 		case $${?} in (0|3) ;; (*) exit 1;; esac; \
 	} && \
 	cp $(5) $(LICENSE_FILES_DIR_$(6))/$(2)/$(4)
-- 
2.14.1

[Buildroot] [PATCH 3/6] package: prepare for per-version hash files

[Yann E. MORIN]

The Qt5 packages may have different licensing terms between the two
versions we support, and in some cases, those different terms are
expressed in similarly named files, like files named plain 'LICENSE' for
example.

Similarly, glibc also has different license files, especially since the
arc version still has libidn, which got dropped from upstream.

This is problematic, because, in a .hash file, we can't store two
different hashes for the same file. We've started to handle this case by
moving the licenses hashes to the per-version sub directories.

However, the hashes for the downloads are still stored inside the non-
versioned hash file of the package, which is not totally coherent: if we
have a per-version hash file, it should list all the hases for that
version, downloads included, and there should be no unversioned hash
file.

In preparation for this, we duplicate the downloads hashes from the main
hash files, and into the versioned ones. Once the download infra learns
to look for those hashes in these per-version subdirs, we'll remove the
unversioned hash files.

Note that, now that we have versioned hash files, the main hash files
will not be used to check license files, so we can already drop the
hashes for license files from the main hash files.

Note also that there are a few other packages for which we support
different versions (binutils, gcc, gdb, lua, xserver_xorg-server,
uboot), but none of those have different licensing terms due to the
version. Qt5 and glibc are alone in this case.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Ga?l Portay <gael.portay@savoirfairelinux.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Julien Corjon <corjon.j@ecagroup.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Baruch Siach <baruch@tkos.co.il>

---
Changes v1 -> v2:
  - also handle glibc and a few other qt5 packages previously omitted
  - drop license hashes from main hash files  (Luca)
  - expand the commit log accordingly  (Luca)
---
 package/glibc/arc-2018.03-release/glibc.hash                  |  4 ++++
 .../glibc.hash                                                |  4 ++++
 package/qt5/qt5base/5.11.2/qt5base.hash                       | 11 +++++++++++
 package/qt5/qt5base/5.6.3/qt5base.hash                        |  3 +++
 package/qt5/qt5base/qt5base.hash                              |  9 ---------
 package/qt5/qt5connectivity/5.11.2/qt5connectivity.hash       |  3 +++
 package/qt5/qt5connectivity/5.6.3/qt5connectivity.hash        |  3 +++
 package/qt5/qt5quickcontrols2/5.11.2/qt5quickcontrols2.hash   |  7 +++++++
 package/qt5/qt5quickcontrols2/5.6.3/qt5quickcontrols2.hash    |  3 +++
 package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash          |  5 -----
 package/qt5/qt5serialbus/5.11.2/qt5serialbus.hash             |  3 +++
 package/qt5/qt5serialbus/5.6.3/qt5serialbus.hash              |  3 +++
 package/qt5/qt5serialport/5.11.2/qt5serialport.hash           |  3 +++
 package/qt5/qt5serialport/5.6.3/qt5serialport.hash            |  3 +++
 package/qt5/qt5virtualkeyboard/2.0/qt5virtualkeyboard.hash    |  3 +++
 package/qt5/qt5virtualkeyboard/5.11.2/qt5virtualkeyboard.hash |  9 +++++++++
 package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash        |  7 -------
 17 files changed, 62 insertions(+), 21 deletions(-)
 create mode 100644 package/qt5/qt5base/5.11.2/qt5base.hash
 create mode 100644 package/qt5/qt5quickcontrols2/5.11.2/qt5quickcontrols2.hash
 create mode 100644 package/qt5/qt5virtualkeyboard/5.11.2/qt5virtualkeyboard.hash

diff --git a/package/glibc/arc-2018.03-release/glibc.hash b/package/glibc/arc-2018.03-release/glibc.hash
index 4c9830e6f6..d073c9166f 100644
--- a/package/glibc/arc-2018.03-release/glibc.hash
+++ b/package/glibc/arc-2018.03-release/glibc.hash
@@ -1,3 +1,7 @@
+# Locally calculated (fetched from Github)
+sha256  e08ab67b2db2d0f0e8f3311d23c54fb8f6d4c1ef6fa0b4047fd5da400e3ce9de  glibc-arc-2018.03-release.tar.gz
+
+$ Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB
 sha256  61abdd6930c9c599062d89e916b3e7968783879b6be0ee1c6229dd6169def431  LICENSES
diff --git a/package/glibc/glibc-2.28-18-g2339d6a55eb7a7e040ae888e906adc49eeb59eab/glibc.hash b/package/glibc/glibc-2.28-18-g2339d6a55eb7a7e040ae888e906adc49eeb59eab/glibc.hash
index 03abf1e96a..a95c990c99 100644
--- a/package/glibc/glibc-2.28-18-g2339d6a55eb7a7e040ae888e906adc49eeb59eab/glibc.hash
+++ b/package/glibc/glibc-2.28-18-g2339d6a55eb7a7e040ae888e906adc49eeb59eab/glibc.hash
@@ -1,3 +1,7 @@
+# Locally calculated (fetched from Github)
+sha256  6e88cea4002efa7f78d86ea5e98eb92ed423d5a35068751517c4f00f56b8666c  glibc-glibc-2.28-18-g2339d6a55eb7a7e040ae888e906adc49eeb59eab.tar.gz
+
+# Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB
 sha256  35bdb41dc0bcb10702ddacbd51ec4c0fe6fb3129f734e8c85fc02e4d3eb0ce3f  LICENSES
diff --git a/package/qt5/qt5base/5.11.2/qt5base.hash b/package/qt5/qt5base/5.11.2/qt5base.hash
new file mode 100644
index 0000000000..1c11adba2d
--- /dev/null
+++ b/package/qt5/qt5base/5.11.2/qt5base.hash
@@ -0,0 +1,11 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtbase-everywhere-src-5.11.2.tar.xz.mirrorlist
+sha256 6381e7c3468d5a1dcfe3683b29eeced192faa0f8a32434fec071a59b8bcd0107 qtbase-everywhere-src-5.11.2.tar.xz
+
+# Hashes for license files:
+sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE.GPL2
+sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 LICENSE.GPL3
+sha256 0dbe024961f6ab5c52689cbd036c977975d0d0f6a67ff97762d96cb819dd5652 LICENSE.GPL3-EXCEPT
+sha256 88ec689407cf2df9b2eb5c45952564d51ce73c129a3bdffb15c0d2d161ad7558 LICENSE.LGPLv3
+sha256 ed8742a95cb9db653a09b050e27ccff5e67ba69c14aa2c3137f2a4e1892f6c0d LICENSE.FDL
+sha256 1f4fa3d202198f5d836993748eac9d91157e2cec7fb8426f56000a02a677cdc5 header.BSD
+sha256 2a886915de4f296cdae5ed67064f86dba01d0c55286d86e8487f2a5caaf40216 src/3rdparty/harfbuzz-ng/COPYING
diff --git a/package/qt5/qt5base/5.6.3/qt5base.hash b/package/qt5/qt5base/5.6.3/qt5base.hash
index f113f82c73..2dae2e8bf0 100644
--- a/package/qt5/qt5base/5.6.3/qt5base.hash
+++ b/package/qt5/qt5base/5.6.3/qt5base.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtbase-opensource-src-5.6.3.tar.xz.mirrorlist
+sha256 fef48529a6fc2617a30d75d952cb327c6be341fd104154993922184b3b3b4da1 qtbase-opensource-src-5.6.3.tar.xz
+
 # Hashes for license files:
 sha256 245248009fd0af1725d183248380e476c1283383909358a13686606352bf2a17 LICENSE.GPLv3
 sha256 66f6bb53f6d985a4d651bf1ecfe8bbcbe32b0f744708d588f047580ee85d8ec8 LICENSE.LGPLv21
diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash
index daac4e06a3..b72e8c71f1 100644
--- a/package/qt5/qt5base/qt5base.hash
+++ b/package/qt5/qt5base/qt5base.hash
@@ -3,12 +3,3 @@ sha256 fef48529a6fc2617a30d75d952cb327c6be341fd104154993922184b3b3b4da1 qtbase-o
 
 # Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtbase-everywhere-src-5.11.2.tar.xz.mirrorlist
 sha256 6381e7c3468d5a1dcfe3683b29eeced192faa0f8a32434fec071a59b8bcd0107 qtbase-everywhere-src-5.11.2.tar.xz
-
-# Hashes for license files:
-sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE.GPL2
-sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 LICENSE.GPL3
-sha256 0dbe024961f6ab5c52689cbd036c977975d0d0f6a67ff97762d96cb819dd5652 LICENSE.GPL3-EXCEPT
-sha256 88ec689407cf2df9b2eb5c45952564d51ce73c129a3bdffb15c0d2d161ad7558 LICENSE.LGPLv3
-sha256 ed8742a95cb9db653a09b050e27ccff5e67ba69c14aa2c3137f2a4e1892f6c0d LICENSE.FDL
-sha256 1f4fa3d202198f5d836993748eac9d91157e2cec7fb8426f56000a02a677cdc5 header.BSD
-sha256 2a886915de4f296cdae5ed67064f86dba01d0c55286d86e8487f2a5caaf40216 src/3rdparty/harfbuzz-ng/COPYING
diff --git a/package/qt5/qt5connectivity/5.11.2/qt5connectivity.hash b/package/qt5/qt5connectivity/5.11.2/qt5connectivity.hash
index 6438065c62..e8255bdd7e 100644
--- a/package/qt5/qt5connectivity/5.11.2/qt5connectivity.hash
+++ b/package/qt5/qt5connectivity/5.11.2/qt5connectivity.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtconnectivity-opensource-src-5.6.3.tar.xz.mirrorlist
+sha256 fa406e3d63fa4a2acc8ecae6d110f20c766f19a21c7061a12f3c167deb07ccde qtconnectivity-opensource-src-5.6.3.tar.xz
+
 # Hashes for license files:
 sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE.GPL2
 sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 LICENSE.GPL3
diff --git a/package/qt5/qt5connectivity/5.6.3/qt5connectivity.hash b/package/qt5/qt5connectivity/5.6.3/qt5connectivity.hash
index 8b885f7098..5b61e31cf9 100644
--- a/package/qt5/qt5connectivity/5.6.3/qt5connectivity.hash
+++ b/package/qt5/qt5connectivity/5.6.3/qt5connectivity.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtconnectivity-everywhere-src-5.11.2.tar.xz.mirrorlist
+sha256 58901bbd14d3bc472f27fe305fd8dc33cffbd10da83616e9691c04c3290d42c5 qtconnectivity-everywhere-src-5.11.2.tar.xz
+
 # Hashes for license files:
 sha256 ed8742a95cb9db653a09b050e27ccff5e67ba69c14aa2c3137f2a4e1892f6c0d LICENSE.FDL
 sha256 edfe70e99be2a7c109d860b19204609e582720b211c50caedac729da372a1253 LICENSE.GPLv2
diff --git a/package/qt5/qt5quickcontrols2/5.11.2/qt5quickcontrols2.hash b/package/qt5/qt5quickcontrols2/5.11.2/qt5quickcontrols2.hash
new file mode 100644
index 0000000000..bdf844eb91
--- /dev/null
+++ b/package/qt5/qt5quickcontrols2/5.11.2/qt5quickcontrols2.hash
@@ -0,0 +1,7 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtquickcontrols2-everywhere-src-5.11.2.tar.xz.mirrorlist
+sha256 aa0549f9a4135f9d600b57f53347ebf344e60d21f90c6d844109755da12dcb84 qtquickcontrols2-everywhere-src-5.11.2.tar.xz
+
+# Hashes for license files:
+sha256 d2cfc059acb4abd8e513cd0a73cd8489f34cbafa7bc34d5d31fb3210821cf8ca LICENSE.GPLv3
+sha256 9e63a04ce021b8bf811b30881fa51c8c3db88afeead942cd59322f2fb69c75bc LICENSE.LGPLv3
+sha256 ed8742a95cb9db653a09b050e27ccff5e67ba69c14aa2c3137f2a4e1892f6c0d LICENSE.FDL
diff --git a/package/qt5/qt5quickcontrols2/5.6.3/qt5quickcontrols2.hash b/package/qt5/qt5quickcontrols2/5.6.3/qt5quickcontrols2.hash
index 6f5bf29400..01fe5dcd61 100644
--- a/package/qt5/qt5quickcontrols2/5.6.3/qt5quickcontrols2.hash
+++ b/package/qt5/qt5quickcontrols2/5.6.3/qt5quickcontrols2.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtquickcontrols2-opensource-src-5.6.3.tar.xz.mirrorlist
+sha256 ec5078470abe2da888c2be5d1749b5961ef5132487c180ce4d4aa19ea7ff81cb qtquickcontrols2-opensource-src-5.6.3.tar.xz
+
 # Hashes for license files:
 sha256 ed8742a95cb9db653a09b050e27ccff5e67ba69c14aa2c3137f2a4e1892f6c0d LICENSE.FDL
 sha256 245248009fd0af1725d183248380e476c1283383909358a13686606352bf2a17 LICENSE.GPLv3
diff --git a/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash b/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash
index 1ebed34166..eb97371337 100644
--- a/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash
+++ b/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash
@@ -3,8 +3,3 @@ sha256 ec5078470abe2da888c2be5d1749b5961ef5132487c180ce4d4aa19ea7ff81cb qtquickc
 
 # Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtquickcontrols2-everywhere-src-5.11.2.tar.xz.mirrorlist
 sha256 aa0549f9a4135f9d600b57f53347ebf344e60d21f90c6d844109755da12dcb84 qtquickcontrols2-everywhere-src-5.11.2.tar.xz
-
-# Hashes for license files:
-sha256 d2cfc059acb4abd8e513cd0a73cd8489f34cbafa7bc34d5d31fb3210821cf8ca LICENSE.GPLv3
-sha256 9e63a04ce021b8bf811b30881fa51c8c3db88afeead942cd59322f2fb69c75bc LICENSE.LGPLv3
-sha256 ed8742a95cb9db653a09b050e27ccff5e67ba69c14aa2c3137f2a4e1892f6c0d LICENSE.FDL
diff --git a/package/qt5/qt5serialbus/5.11.2/qt5serialbus.hash b/package/qt5/qt5serialbus/5.11.2/qt5serialbus.hash
index 1dd9a56487..a74bb324b6 100644
--- a/package/qt5/qt5serialbus/5.11.2/qt5serialbus.hash
+++ b/package/qt5/qt5serialbus/5.11.2/qt5serialbus.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtserialbus-opensource-src-5.6.3.tar.xz.mirrorlist
+sha256 71c89be3879414e2a11cad93a4882758f9259b1c0aec980560309192c99f9a9e qtserialbus-opensource-src-5.6.3.tar.xz
+
 # Hashes for license files:
 sha256 edfe70e99be2a7c109d860b19204609e582720b211c50caedac729da372a1253 LICENSE.GPLv2
 sha256 245248009fd0af1725d183248380e476c1283383909358a13686606352bf2a17 LICENSE.GPLv3
diff --git a/package/qt5/qt5serialbus/5.6.3/qt5serialbus.hash b/package/qt5/qt5serialbus/5.6.3/qt5serialbus.hash
index 574fcc5294..6c9ad6be3c 100644
--- a/package/qt5/qt5serialbus/5.6.3/qt5serialbus.hash
+++ b/package/qt5/qt5serialbus/5.6.3/qt5serialbus.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtserialbus-everywhere-src-5.11.2.tar.xz.mirrorlist
+sha256 1774c2c162f85f7cbcb2bdd2ef47507b110a01bc261627b46aa718e87079641e qtserialbus-everywhere-src-5.11.2.tar.xz
+
 # Hashes for license files:
 sha256 edfe70e99be2a7c109d860b19204609e582720b211c50caedac729da372a1253 LICENSE.GPLv2
 sha256 245248009fd0af1725d183248380e476c1283383909358a13686606352bf2a17 LICENSE.GPLv3
diff --git a/package/qt5/qt5serialport/5.11.2/qt5serialport.hash b/package/qt5/qt5serialport/5.11.2/qt5serialport.hash
index 6438065c62..a5719e9652 100644
--- a/package/qt5/qt5serialport/5.11.2/qt5serialport.hash
+++ b/package/qt5/qt5serialport/5.11.2/qt5serialport.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtserialport-opensource-src-5.6.3.tar.xz.mirrorlist
+sha256 082d1fee2703aed19f840c4e4031e37c9b929e5bd8ebef2ebac4b28c509bae1a qtserialport-opensource-src-5.6.3.tar.xz
+
 # Hashes for license files:
 sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE.GPL2
 sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 LICENSE.GPL3
diff --git a/package/qt5/qt5serialport/5.6.3/qt5serialport.hash b/package/qt5/qt5serialport/5.6.3/qt5serialport.hash
index 56f2f6e500..ab402e8d25 100644
--- a/package/qt5/qt5serialport/5.6.3/qt5serialport.hash
+++ b/package/qt5/qt5serialport/5.6.3/qt5serialport.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtserialport-everywhere-src-5.11.2.tar.xz.mirrorlist
+sha256 b01b69ce421d449402363c0cf617fcc8856e39d6d2c28aa3d06d1f5359dc6f6e qtserialport-everywhere-src-5.11.2.tar.xz
+
 # Hashes for license files:
 sha256 edfe70e99be2a7c109d860b19204609e582720b211c50caedac729da372a1253 LICENSE.GPLv2
 sha256 245248009fd0af1725d183248380e476c1283383909358a13686606352bf2a17 LICENSE.GPLv3
diff --git a/package/qt5/qt5virtualkeyboard/2.0/qt5virtualkeyboard.hash b/package/qt5/qt5virtualkeyboard/2.0/qt5virtualkeyboard.hash
index 266fc3b695..0cc4f9c82e 100644
--- a/package/qt5/qt5virtualkeyboard/2.0/qt5virtualkeyboard.hash
+++ b/package/qt5/qt5virtualkeyboard/2.0/qt5virtualkeyboard.hash
@@ -1,3 +1,6 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtvirtualkeyboard-opensource-src-2.0.tar.xz.mirrorlist
+sha256 1d543a851e83fc3de40f48c2935f70278e842589b9a235c2b22f41733e561aec qtvirtualkeyboard-opensource-src-2.0.tar.xz
+
 # Hashes for license files:
 sha256 6148d2793ca4e62ba3935a27bd3e46971a5d7c871dbe8f2687a867bd2c2589fb src/virtualkeyboard/3rdparty/lipi-toolkit/license.txt
 sha256 05cc719deafd0ab083b03296bb2911de10d116953b626a7629b9ca59938038b1 src/virtualkeyboard/3rdparty/openwnn/NOTICE
diff --git a/package/qt5/qt5virtualkeyboard/5.11.2/qt5virtualkeyboard.hash b/package/qt5/qt5virtualkeyboard/5.11.2/qt5virtualkeyboard.hash
new file mode 100644
index 0000000000..c065a9e807
--- /dev/null
+++ b/package/qt5/qt5virtualkeyboard/5.11.2/qt5virtualkeyboard.hash
@@ -0,0 +1,9 @@
+# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtvirtualkeyboard-everywhere-src-5.11.2.tar.xz.mirrorlist
+sha256 2709500071e7e98ca6f6eecef0f5c80d19ae22aba562293352debd516633b197 qtvirtualkeyboard-everywhere-src-5.11.2.tar.xz
+
+# Hashes for license files:
+sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 LICENSE.GPL3
+sha256 7a45a9769d19545480a241230e6ea520b5156fac00930dcd69b6886749743d10 src/virtualkeyboard/3rdparty/lipi-toolkit/MIT_LICENSE.txt
+sha256 05cc719deafd0ab083b03296bb2911de10d116953b626a7629b9ca59938038b1 src/virtualkeyboard/3rdparty/openwnn/NOTICE
+sha256 b5830d96fb5a7e7e7ebcc295f352846b4b998e78fdc8f9aa68e134d2e4b39986 src/virtualkeyboard/3rdparty/pinyin/NOTICE
+sha256 9400a6128693d2f25653698e695f554660c71efccc8c21af28bf143e35199db6 src/virtualkeyboard/3rdparty/tcime/COPYING
diff --git a/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash b/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash
index d4b7e58e38..7a17677ec4 100644
--- a/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash
+++ b/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash
@@ -3,10 +3,3 @@ sha256 1d543a851e83fc3de40f48c2935f70278e842589b9a235c2b22f41733e561aec qtvirtua
 
 # Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtvirtualkeyboard-everywhere-src-5.11.2.tar.xz.mirrorlist
 sha256 2709500071e7e98ca6f6eecef0f5c80d19ae22aba562293352debd516633b197 qtvirtualkeyboard-everywhere-src-5.11.2.tar.xz
-
-# Hashes for license files:
-sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 LICENSE.GPL3
-sha256 7a45a9769d19545480a241230e6ea520b5156fac00930dcd69b6886749743d10 src/virtualkeyboard/3rdparty/lipi-toolkit/MIT_LICENSE.txt
-sha256 05cc719deafd0ab083b03296bb2911de10d116953b626a7629b9ca59938038b1 src/virtualkeyboard/3rdparty/openwnn/NOTICE
-sha256 b5830d96fb5a7e7e7ebcc295f352846b4b998e78fdc8f9aa68e134d2e4b39986 src/virtualkeyboard/3rdparty/pinyin/NOTICE
-sha256 9400a6128693d2f25653698e695f554660c71efccc8c21af28bf143e35199db6 src/virtualkeyboard/3rdparty/tcime/COPYING
-- 
2.14.1

[Buildroot] [PATCH 4/6] core/download: do not hard-code the path to hte package hash file

[Yann E. MORIN]

Now that packges may have hashes for their downloaded files in a
versioned subdir or in the unversioned hash file, we can no longer
hard-code the path to the package hash file anymore.

Instead, we now make use of the per-package variable, that points to the
package hash file.

Note: of the packages for which we offer a version choice, almost none,
but some of the qt5 ones, have a per-version hash file, so we still use
the unversioned hash file for them. As for the few qt5 packages that do
have a per-version hash file for their licensing terms, they've already
been updated to duplicate their download hashes in both the unversioned
and per-version hash files. So, one way or the other, no hash check
would go missing with this change.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/pkg-download.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/pkg-download.mk b/package/pkg-download.mk
index bf93b9a08e..73ea2a69f8 100644
--- a/package/pkg-download.mk
+++ b/package/pkg-download.mk
@@ -97,7 +97,7 @@ define DOWNLOAD
 		-d '$($(PKG)_DL_DIR)' \
 		-D '$(DL_DIR)' \
 		-f '$(notdir $(1))' \
-		-H '$(PKGDIR)/$($(PKG)_RAWNAME).hash' \
+		-H '$($(PKG)_HASH_FILE)' \
 		-n '$($(PKG)_BASENAME_RAW)' \
 		-N '$($(PKG)_RAWNAME)' \
 		-o '$($(PKG)_DL_DIR)/$(notdir $(1))' \
-- 
2.14.1

[Buildroot] [PATCH 5/6] package: drop unversioned hash files

[Yann E. MORIN]

The download infra now knows to look for per-version hash files, so we
can now drop the unversioned hash files.

Instead of removing them, add a comment that redirects the developper to
update the per-version hash files instead (so they do not re-add a
unversioned one in the future).

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Ga?l Portay <gael.portay@savoirfairelinux.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Julien Corjon <corjon.j@ecagroup.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Baruch Siach <baruch@tkos.co.il>

---
Changes v1 -> v2;
  - also handle glibc and a few Qt5 packages previously omitted
---
 package/glibc/glibc.hash                               | 6 ++----
 package/qt5/qt5base/qt5base.hash                       | 7 ++-----
 package/qt5/qt5connectivity/qt5connectivity.hash       | 7 ++-----
 package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash   | 7 ++-----
 package/qt5/qt5serialbus/qt5serialbus.hash             | 7 ++-----
 package/qt5/qt5serialport/qt5serialport.hash           | 7 ++-----
 package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash | 7 ++-----
 7 files changed, 14 insertions(+), 34 deletions(-)

diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 093392371a..5316f03b10 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,4 +1,2 @@
-# Locally calculated (fetched from Github)
-sha256  6e88cea4002efa7f78d86ea5e98eb92ed423d5a35068751517c4f00f56b8666c     glibc-glibc-2.28-18-g2339d6a55eb7a7e040ae888e906adc49eeb59eab.tar.gz
-# Locally calculated (fetched from Github)
-sha256  e08ab67b2db2d0f0e8f3311d23c54fb8f6d4c1ef6fa0b4047fd5da400e3ce9de     glibc-arc-2018.03-release.tar.gz
+# This hash file is not used; instead, update the
+# hash files in the per-version sub-directories.
diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash
index b72e8c71f1..5316f03b10 100644
--- a/package/qt5/qt5base/qt5base.hash
+++ b/package/qt5/qt5base/qt5base.hash
@@ -1,5 +1,2 @@
-# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtbase-opensource-src-5.6.3.tar.xz.mirrorlist
-sha256 fef48529a6fc2617a30d75d952cb327c6be341fd104154993922184b3b3b4da1 qtbase-opensource-src-5.6.3.tar.xz
-
-# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtbase-everywhere-src-5.11.2.tar.xz.mirrorlist
-sha256 6381e7c3468d5a1dcfe3683b29eeced192faa0f8a32434fec071a59b8bcd0107 qtbase-everywhere-src-5.11.2.tar.xz
+# This hash file is not used; instead, update the
+# hash files in the per-version sub-directories.
diff --git a/package/qt5/qt5connectivity/qt5connectivity.hash b/package/qt5/qt5connectivity/qt5connectivity.hash
index 96f22db60a..5316f03b10 100644
--- a/package/qt5/qt5connectivity/qt5connectivity.hash
+++ b/package/qt5/qt5connectivity/qt5connectivity.hash
@@ -1,5 +1,2 @@
-# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtconnectivity-opensource-src-5.6.3.tar.xz.mirrorlist
-sha256 fa406e3d63fa4a2acc8ecae6d110f20c766f19a21c7061a12f3c167deb07ccde qtconnectivity-opensource-src-5.6.3.tar.xz
-
-# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtconnectivity-everywhere-src-5.11.2.tar.xz.mirrorlist
-sha256 58901bbd14d3bc472f27fe305fd8dc33cffbd10da83616e9691c04c3290d42c5 qtconnectivity-everywhere-src-5.11.2.tar.xz
+# This hash file is not used; instead, update the
+# hash files in the per-version sub-directories.
diff --git a/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash b/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash
index eb97371337..5316f03b10 100644
--- a/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash
+++ b/package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash
@@ -1,5 +1,2 @@
-# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtquickcontrols2-opensource-src-5.6.3.tar.xz.mirrorlist
-sha256 ec5078470abe2da888c2be5d1749b5961ef5132487c180ce4d4aa19ea7ff81cb qtquickcontrols2-opensource-src-5.6.3.tar.xz
-
-# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtquickcontrols2-everywhere-src-5.11.2.tar.xz.mirrorlist
-sha256 aa0549f9a4135f9d600b57f53347ebf344e60d21f90c6d844109755da12dcb84 qtquickcontrols2-everywhere-src-5.11.2.tar.xz
+# This hash file is not used; instead, update the
+# hash files in the per-version sub-directories.
diff --git a/package/qt5/qt5serialbus/qt5serialbus.hash b/package/qt5/qt5serialbus/qt5serialbus.hash
index ce66f22e93..5316f03b10 100644
--- a/package/qt5/qt5serialbus/qt5serialbus.hash
+++ b/package/qt5/qt5serialbus/qt5serialbus.hash
@@ -1,5 +1,2 @@
-# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtserialbus-opensource-src-5.6.3.tar.xz.mirrorlist
-sha256 71c89be3879414e2a11cad93a4882758f9259b1c0aec980560309192c99f9a9e qtserialbus-opensource-src-5.6.3.tar.xz
-
-# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtserialbus-everywhere-src-5.11.2.tar.xz.mirrorlist
-sha256 1774c2c162f85f7cbcb2bdd2ef47507b110a01bc261627b46aa718e87079641e qtserialbus-everywhere-src-5.11.2.tar.xz
+# This hash file is not used; instead, update the
+# hash files in the per-version sub-directories.
diff --git a/package/qt5/qt5serialport/qt5serialport.hash b/package/qt5/qt5serialport/qt5serialport.hash
index 5f7115f669..5316f03b10 100644
--- a/package/qt5/qt5serialport/qt5serialport.hash
+++ b/package/qt5/qt5serialport/qt5serialport.hash
@@ -1,5 +1,2 @@
-# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtserialport-opensource-src-5.6.3.tar.xz.mirrorlist
-sha256 082d1fee2703aed19f840c4e4031e37c9b929e5bd8ebef2ebac4b28c509bae1a qtserialport-opensource-src-5.6.3.tar.xz
-
-# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtserialport-everywhere-src-5.11.2.tar.xz.mirrorlist
-sha256 b01b69ce421d449402363c0cf617fcc8856e39d6d2c28aa3d06d1f5359dc6f6e qtserialport-everywhere-src-5.11.2.tar.xz
+# This hash file is not used; instead, update the
+# hash files in the per-version sub-directories.
diff --git a/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash b/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash
index 7a17677ec4..5316f03b10 100644
--- a/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash
+++ b/package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash
@@ -1,5 +1,2 @@
-# Hash from: https://download.qt.io/official_releases/qt/5.6/5.6.3/submodules/qtvirtualkeyboard-opensource-src-2.0.tar.xz.mirrorlist
-sha256 1d543a851e83fc3de40f48c2935f70278e842589b9a235c2b22f41733e561aec qtvirtualkeyboard-opensource-src-2.0.tar.xz
-
-# Hash from: https://download.qt.io/official_releases/qt/5.11/5.11.2/submodules/qtvirtualkeyboard-everywhere-src-5.11.2.tar.xz.mirrorlist
-sha256 2709500071e7e98ca6f6eecef0f5c80d19ae22aba562293352debd516633b197 qtvirtualkeyboard-everywhere-src-5.11.2.tar.xz
+# This hash file is not used; instead, update the
+# hash files in the per-version sub-directories.
-- 
2.14.1

[Buildroot] [PATCH 6/6] docs/manual: document location of hash files for multi-versions packages

[Yann E. MORIN]

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 docs/manual/adding-packages-directory.txt | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt
index 9f85ac63e6..e6201bb86b 100644
--- a/docs/manual/adding-packages-directory.txt
+++ b/docs/manual/adding-packages-directory.txt
@@ -446,6 +446,13 @@ contains the hashes of the downloaded files for the +libfoo+
 package. The only reason for not adding a +.hash+ file is when hash
 checking is not possible due to how the package is downloaded.
 
+When a package has a version selection choice, then the hash file may be
+stored in a subdirectory named after the version, e.g.
++package/libfoo/1.2.3/libfoo.hash+. This is especially important if the
+different versions have different licensing terms, but they are stored
+in the same file. Otherwise, the hash file should stay in the package's
+directory.
+
 The hashes stored in that file are used to validate the integrity of the
 downloaded files and of the license files.
 
-- 
2.14.1

[Buildroot] [PATCH 0/6] core: look for package's hashes in versioned sub-directory

[Thomas Petazzoni]

Hello,

On Sun, 14 Oct 2018 14:25:22 +0200, Yann E. MORIN wrote:

> Yann E. MORIN (6):
>       core: add a variable that points to the package's hash file
>       legal-info: use the per-package variable to get the hash file
>       package: prepare for per-version hash files
>       core/download: do not hard-code the path to hte package hash file
>       package: drop unversioned hash files
>       docs/manual: document location of hash files for multi-versions packages

I've applied to master. However, there was an issue with "package:
prepare for per-version hash files", where the hashes for three Qt5
tarballs were inverted between the two versions. I fixed that up when
applying.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 0/6] core: look for package's hashes in versioned sub-directory

[Thomas Petazzoni]

Hello,

On Sun,  7 Oct 2018 13:57:19 +0200, Yann E. MORIN wrote:

> Yann E. MORIN (6):
>       core: add a variable that points to the package's hash file
>       legal-info: use the per-package variable to get the hash file
>       package/qt5: prepare for per-version hash files
>       core/download: do not hard-code the path to hte package hash file
>       package/qt5: drop unversioned hash files
>       docs/manual: document location of hash files for multi-versions packages

This looks good to me. When applying, we will have to adjust the glibc
package as well, which now uses per-version hash files as well, but
no need to resend for that.

If nobody complains by tomorrow, I'll apply this patch series.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 0/6] core: look for package's hashes in versioned sub-directory

[Yann E. MORIN]

Hello All!

When we support two (or more) versions for a package (e.g. qt5base), and
those versions have different licensing terms but stored in the same
file (e.g. 'LICENSE'), we can't store the hashes for the license files
in the same .hash file, as all hashes for a file must match, which would
obviously not be the case here.

So, we've already started moving those hash files in a sub-directory
named after the version, but only for the license files hashes; the
hashes for the downloaded files were left in the main .hash file.

This is not so consistent; hashes for a version should be in the same
file.

This series allows that, by introducing a per-package variable that
contains the path to the license file, so that it can be used both by
the download and legal-info infras.

To be noted: for packages that already have a per-version hash file for
their licensing terms, but a common hash file for their downloads, we
have to carefully switch them over to a per-version hash file only,
while still ensuring that both download and license hashes are still
checked for at every point in the series.

If we were to move the download hashes before the download infra learns
to look into subdirs, the download hashes woudl not be checked for.
Conversely, if the download infra were to learn to look into subdirs
before the download hashes are moved to the per-version hash file, then
the download hashes would not be checked for either.

So we have to duplicate the download hashes, then teach the download
infra to look into per-version subdir, and finally remove the common
hash file.

Fortunately, only a few qt5 packages currently have both a per-version
hash file and a common hash file.

There are a few more packages for which we offer a version choice (not a
free-form), like gcc, gdb et al. For those, the licensing terms do not
change across those versions, so we do not need to have per-version hash
files. Ditto for those packages for which we offer a free-form version
option, like linux, uboot, barebox...


Regards,
Yann E. MORIN.


The following changes since commit d522be6e0bf2631e3c68298e810d5cb2eb7ebefe

  docs/website: update for 2018.08.1 (2018-10-07 11:46:29 +0200)


are available in the git repository at:

  git://git.buildroot.org/~ymorin/git/buildroot.git

for you to fetch changes up to e2b0c44702c93f2610f58c09fd8e1aeb41d594aa

  docs/manual: document location of hash files for multi-versions packages (2018-10-07 12:49:58 +0200)


----------------------------------------------------------------
Yann E. MORIN (6):
      core: add a variable that points to the package's hash file
      legal-info: use the per-package variable to get the hash file
      package/qt5: prepare for per-version hash files
      core/download: do not hard-code the path to hte package hash file
      package/qt5: drop unversioned hash files
      docs/manual: document location of hash files for multi-versions packages

 Makefile                                                 |  2 +-
 docs/manual/adding-packages-directory.txt                |  7 +++++++
 package/pkg-download.mk                                  |  2 +-
 package/pkg-generic.mk                                   |  8 +++++++-
 package/pkg-utils.mk                                     |  8 ++------
 package/qt5/qt5base/{ => 5.11.2}/qt5base.hash            |  3 ---
 package/qt5/qt5base/5.6.3/qt5base.hash                   |  3 +++
 package/qt5/qt5base/qt5base.hash                         | 16 ++--------------
 .../{ => 5.11.2}/qt5quickcontrols2.hash                  |  3 ---
 .../qt5/qt5quickcontrols2/5.6.3/qt5quickcontrols2.hash   |  3 +++
 package/qt5/qt5quickcontrols2/qt5quickcontrols2.hash     | 12 ++----------
 .../qt5/qt5virtualkeyboard/2.0/qt5virtualkeyboard.hash   |  3 +++
 .../{ => 5.11.2}/qt5virtualkeyboard.hash                 |  3 ---
 package/qt5/qt5virtualkeyboard/qt5virtualkeyboard.hash   | 14 ++------------
 14 files changed, 33 insertions(+), 54 deletions(-)
 copy package/qt5/qt5base/{ => 5.11.2}/qt5base.hash (79%)
 copy package/qt5/qt5quickcontrols2/{ => 5.11.2}/qt5quickcontrols2.hash (68%)
 copy package/qt5/qt5virtualkeyboard/{ => 5.11.2}/qt5virtualkeyboard.hash (77%)

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'