[Buildroot] [PATCH] package/open2300: add hash file

[Buildroot] [PATCH] package/open2300: add hash file

[Heiko Thiery]

- add sha256 tarball hash
- add sha256 license hash

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
---
 package/open2300/open2300.hash | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 package/open2300/open2300.hash

diff --git a/package/open2300/open2300.hash b/package/open2300/open2300.hash
new file mode 100644
index 0000000000..913cccf4d2
--- /dev/null
+++ b/package/open2300/open2300.hash
@@ -0,0 +1,2 @@
+sha256	f4239d2f16d52156586d06be38f06a3eb58168377e243a8de8720b66e33ddb8f  open2300-12.tar.gz
+sha256	91df39d1816bfb17a4dda2d3d2c83b1f6f2d38d53e53e41e8f97ad5ac46a0cad  COPYING
-- 
2.20.1

[Buildroot] [PATCH] package/open2300: add hash file

[Thomas Petazzoni]

On Sun, 22 Dec 2019 09:37:08 +0100
Heiko Thiery <heiko.thiery@gmail.com> wrote:

> - add sha256 tarball hash
> - add sha256 license hash
> 
> Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> ---
>  package/open2300/open2300.hash | 2 ++
>  1 file changed, 2 insertions(+)
>  create mode 100644 package/open2300/open2300.hash
> 
> diff --git a/package/open2300/open2300.hash b/package/open2300/open2300.hash
> new file mode 100644
> index 0000000000..913cccf4d2
> --- /dev/null
> +++ b/package/open2300/open2300.hash
> @@ -0,0 +1,2 @@

We need a comment at the top of the file that says where the hashes come from.

> +sha256	f4239d2f16d52156586d06be38f06a3eb58168377e243a8de8720b66e33ddb8f  open2300-12.tar.gz

The source code for this package is fetched from Subversion. Are the
tarballs we create out of SVN repositories reproducible ? I guess so,
but let's loop in Yann Morin for some additional feedback on this.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH] package/open2300: add hash file

[Yann E. MORIN]

Heiko, Thomas, All,

On 2019-12-22 10:57 +0100, Thomas Petazzoni spake thusly:
> On Sun, 22 Dec 2019 09:37:08 +0100
> Heiko Thiery <heiko.thiery@gmail.com> wrote:
> 
> > - add sha256 tarball hash
> > - add sha256 license hash
> > 
> > Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> > ---
> >  package/open2300/open2300.hash | 2 ++
> >  1 file changed, 2 insertions(+)
> >  create mode 100644 package/open2300/open2300.hash
> > 
> > diff --git a/package/open2300/open2300.hash b/package/open2300/open2300.hash
> > new file mode 100644
> > index 0000000000..913cccf4d2
> > --- /dev/null
> > +++ b/package/open2300/open2300.hash
> > @@ -0,0 +1,2 @@
> 
> We need a comment at the top of the file that says where the hashes come from.
> 
> > +sha256	f4239d2f16d52156586d06be38f06a3eb58168377e243a8de8720b66e33ddb8f  open2300-12.tar.gz
> 
> The source code for this package is fetched from Subversion. Are the
> tarballs we create out of SVN repositories reproducible ? I guess so,
> but let's loop in Yann Morin for some additional feedback on this.

Seeing the dance we do in the git backend, and that we don't do it in
the svn backend, I doubt the svn backend is reproducible...

Yet, I just checked, and I indeed get the same sha256 as Heiko provided
in this patch...

Which prompted me in lookig at it. And we are not getting it from the
svn repository, for the good reason that the repository is dead and
off-line.

Instead, we're getting in from s.b.o instead, and thus the reason why
the sha256 is reproducible...

Dang... :-(

So I suggest we do indeed add this hash, because in the end, that's
s.b.o providing it, so it is stable.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH] package/open2300: add hash file

[Heiko Thiery]

Hi Thomas, Yann,

Am So., 22. Dez. 2019 um 11:08 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:
>
> Heiko, Thomas, All,
>
> On 2019-12-22 10:57 +0100, Thomas Petazzoni spake thusly:
> > On Sun, 22 Dec 2019 09:37:08 +0100
> > Heiko Thiery <heiko.thiery@gmail.com> wrote:
> >
> > > - add sha256 tarball hash
> > > - add sha256 license hash
> > >
> > > Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> > > ---
> > >  package/open2300/open2300.hash | 2 ++
> > >  1 file changed, 2 insertions(+)
> > >  create mode 100644 package/open2300/open2300.hash
> > >
> > > diff --git a/package/open2300/open2300.hash b/package/open2300/open2300.hash
> > > new file mode 100644
> > > index 0000000000..913cccf4d2
> > > --- /dev/null
> > > +++ b/package/open2300/open2300.hash
> > > @@ -0,0 +1,2 @@
> >
> > We need a comment at the top of the file that says where the hashes come from.
> >
> > > +sha256     f4239d2f16d52156586d06be38f06a3eb58168377e243a8de8720b66e33ddb8f  open2300-12.tar.gz
> >
> > The source code for this package is fetched from Subversion. Are the
> > tarballs we create out of SVN repositories reproducible ? I guess so,
> > but let's loop in Yann Morin for some additional feedback on this.
>
> Seeing the dance we do in the git backend, and that we don't do it in
> the svn backend, I doubt the svn backend is reproducible...
>
> Yet, I just checked, and I indeed get the same sha256 as Heiko provided
> in this patch...
>
> Which prompted me in lookig at it. And we are not getting it from the
> svn repository, for the good reason that the repository is dead and
> off-line.
>
> Instead, we're getting in from s.b.o instead, and thus the reason why
> the sha256 is reproducible...
>
> Dang... :-(
>
> So I suggest we do indeed add this hash, because in the end, that's
> s.b.o providing it, so it is stable.

Sorry, I didn't want to create this work ;-/ I just wanted to do some
cleanup for the stats. So I picked a simple package to improve.

I was not aware that special handling is needed for making builds
reproducible at this point.

By the way ... what does s.b.o mean?

> Regards,
> Yann E. MORIN.
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH] package/open2300: add hash file

[Heiko Thiery]

Am So., 22. Dez. 2019 um 10:57 Uhr schrieb Thomas Petazzoni
<thomas.petazzoni@bootlin.com>:
>
> On Sun, 22 Dec 2019 09:37:08 +0100
> Heiko Thiery <heiko.thiery@gmail.com> wrote:
>
> > - add sha256 tarball hash
> > - add sha256 license hash
> >
> > Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> > ---
> >  package/open2300/open2300.hash | 2 ++
> >  1 file changed, 2 insertions(+)
> >  create mode 100644 package/open2300/open2300.hash
> >
> > diff --git a/package/open2300/open2300.hash b/package/open2300/open2300.hash
> > new file mode 100644
> > index 0000000000..913cccf4d2
> > --- /dev/null
> > +++ b/package/open2300/open2300.hash
> > @@ -0,0 +1,2 @@
>
> We need a comment at the top of the file that says where the hashes come from.

is a simple "# Locally generated" ok?

I will update the patch.

> > +sha256       f4239d2f16d52156586d06be38f06a3eb58168377e243a8de8720b66e33ddb8f  open2300-12.tar.gz
>
> The source code for this package is fetched from Subversion. Are the
> tarballs we create out of SVN repositories reproducible ? I guess so,
> but let's loop in Yann Morin for some additional feedback on this.
>
> Thanks,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

[Buildroot] [PATCH] package/open2300: add hash file

[Yann E. MORIN]

Heiko, All,

On 2019-12-22 11:56 +0100, Heiko Thiery spake thusly:
> Am So., 22. Dez. 2019 um 11:08 Uhr schrieb Yann E. MORIN
> <yann.morin.1998@free.fr>:
> > On 2019-12-22 10:57 +0100, Thomas Petazzoni spake thusly:
> > > On Sun, 22 Dec 2019 09:37:08 +0100
> > > Heiko Thiery <heiko.thiery@gmail.com> wrote:
> > > > - add sha256 tarball hash
> > > > - add sha256 license hash
> > > The source code for this package is fetched from Subversion. Are the
> > > tarballs we create out of SVN repositories reproducible ? I guess so,
> > > but let's loop in Yann Morin for some additional feedback on this.
> > Seeing the dance we do in the git backend, and that we don't do it in
> > the svn backend, I doubt the svn backend is reproducible...
> >
> > Yet, I just checked, and I indeed get the same sha256 as Heiko provided
> > in this patch...
> >
> > Which prompted me in lookig at it. And we are not getting it from the
> > svn repository, for the good reason that the repository is dead and
> > off-line.
> >
> > Instead, we're getting in from s.b.o instead, and thus the reason why
> > the sha256 is reproducible...
> >
> > Dang... :-(
> >
> > So I suggest we do indeed add this hash, because in the end, that's
> > s.b.o providing it, so it is stable.
> 
> Sorry, I didn't want to create this work ;-/ I just wanted to do some
> cleanup for the stats. So I picked a simple package to improve.

No problem. It was nice that you picked it up, because that made us
notice the problem! :-)

> I was not aware that special handling is needed for making builds
> reproducible at this point.

Yeah... Reproducibility is not a given. :-(

The subversion backend would need some love for that, so if you have a
bit of time on your hnads, that's be nice if you could tackle it (if
you're interested).

> By the way ... what does s.b.o mean?

Sources.Buildroot.Org, our fallback mirror:

    http://sources.buildroot.org/

Regards,
Yann E. MORIN.

> > Regards,
> > Yann E. MORIN.
> >
> > --
> > .-----------------.--------------------.------------------.--------------------.
> > |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> > | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> > '------------------------------^-------^------------------^--------------------'

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH] package/open2300: add hash file

[Yann E. MORIN]

Heiko, All,

On 2019-12-22 12:00 +0100, Heiko Thiery spake thusly:
> Am So., 22. Dez. 2019 um 10:57 Uhr schrieb Thomas Petazzoni
> <thomas.petazzoni@bootlin.com>:
> > On Sun, 22 Dec 2019 09:37:08 +0100
> > Heiko Thiery <heiko.thiery@gmail.com> wrote:
> > > - add sha256 tarball hash
> > > - add sha256 license hash
> > We need a comment at the top of the file that says where the hashes come from.
> is a simple "# Locally generated" ok?

Yes, that's all that is needed. If you got the value from elsewhere,
that would need to eb said as well (e.g. in the mailing list archive for
the announcement mail, for example...)

> I will update the patch.

No need to respin, it can be done manualy when applying.

Regards,
Yann E. MORIN.

> > > +sha256       f4239d2f16d52156586d06be38f06a3eb58168377e243a8de8720b66e33ddb8f  open2300-12.tar.gz
> >
> > The source code for this package is fetched from Subversion. Are the
> > tarballs we create out of SVN repositories reproducible ? I guess so,
> > but let's loop in Yann Morin for some additional feedback on this.
> >
> > Thanks,
> >
> > Thomas
> > --
> > Thomas Petazzoni, CTO, Bootlin
> > Embedded Linux and Kernel engineering
> > https://bootlin.com

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH] package/open2300: add hash file

[Heiko Thiery]

Hi,

Am So., 22. Dez. 2019 um 12:05 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:
>
> Heiko, All,
>
> On 2019-12-22 11:56 +0100, Heiko Thiery spake thusly:
> > Am So., 22. Dez. 2019 um 11:08 Uhr schrieb Yann E. MORIN
> > <yann.morin.1998@free.fr>:
> > > On 2019-12-22 10:57 +0100, Thomas Petazzoni spake thusly:
> > > > On Sun, 22 Dec 2019 09:37:08 +0100
> > > > Heiko Thiery <heiko.thiery@gmail.com> wrote:
> > > > > - add sha256 tarball hash
> > > > > - add sha256 license hash
> > > > The source code for this package is fetched from Subversion. Are the
> > > > tarballs we create out of SVN repositories reproducible ? I guess so,
> > > > but let's loop in Yann Morin for some additional feedback on this.
> > > Seeing the dance we do in the git backend, and that we don't do it in
> > > the svn backend, I doubt the svn backend is reproducible...
> > >
> > > Yet, I just checked, and I indeed get the same sha256 as Heiko provided
> > > in this patch...
> > >
> > > Which prompted me in lookig at it. And we are not getting it from the
> > > svn repository, for the good reason that the repository is dead and
> > > off-line.
> > >
> > > Instead, we're getting in from s.b.o instead, and thus the reason why
> > > the sha256 is reproducible...
> > >
> > > Dang... :-(
> > >
> > > So I suggest we do indeed add this hash, because in the end, that's
> > > s.b.o providing it, so it is stable.
> >
> > Sorry, I didn't want to create this work ;-/ I just wanted to do some
> > cleanup for the stats. So I picked a simple package to improve.
>
> No problem. It was nice that you picked it up, because that made us
> notice the problem! :-)
>
> > I was not aware that special handling is needed for making builds
> > reproducible at this point.
>
> Yeah... Reproducibility is not a given. :-(
>
> The subversion backend would need some love for that, so if you have a
> bit of time on your hnads, that's be nice if you could tackle it (if
> you're interested).

If I will get the time I can take a look on. Is this implemented in
the dl-wrapper and co? And should it be treated like the git one?

> > By the way ... what does s.b.o mean?
>
> Sources.Buildroot.Org, our fallback mirror:
>
>     http://sources.buildroot.org/
>
> Regards,
> Yann E. MORIN.
>
> > > Regards,
> > > Yann E. MORIN.
> > >
> > > --
> > > .-----------------.--------------------.------------------.--------------------.
> > > |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > > | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> > > | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> > > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> > > '------------------------------^-------^------------------^--------------------'
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH] package/open2300: add hash file

[Yann E. MORIN]

Heiko, All,

On 2019-12-22 13:50 +0100, Heiko Thiery spake thusly:
> Am So., 22. Dez. 2019 um 12:05 Uhr schrieb Yann E. MORIN
> <yann.morin.1998@free.fr>:
> > The subversion backend would need some love for that, so if you have a
> > bit of time on your hnads, that's be nice if you could tackle it (if
> > you're interested).
> 
> If I will get the time I can take a look on. Is this implemented in
> the dl-wrapper and co? And should it be treated like the git one?

It's handled in each backend. See for example how it's done in the git
backend, in support/download/git, lines 181 thhrough 196.

Regards,
Yann E. MORIN.

> > > By the way ... what does s.b.o mean?
> >
> > Sources.Buildroot.Org, our fallback mirror:
> >
> >     http://sources.buildroot.org/
> >
> > Regards,
> > Yann E. MORIN.
> >
> > > > Regards,
> > > > Yann E. MORIN.
> > > >
> > > > --
> > > > .-----------------.--------------------.------------------.--------------------.
> > > > |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > > > | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> > > > | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> > > > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> > > > '------------------------------^-------^------------------^--------------------'
> >
> > --
> > .-----------------.--------------------.------------------.--------------------.
> > |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> > | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> > '------------------------------^-------^------------------^--------------------'

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH] package/open2300: add hash file

[Yann E. MORIN]

Heiko, All,

On 2019-12-22 09:37 +0100, Heiko Thiery spake thusly:
> - add sha256 tarball hash
> - add sha256 license hash
> 
> Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>

Applied to master, after adding a comment about the svn upsteream
status. Thanks!
Regards,
Yann E. MORIN.

> ---
>  package/open2300/open2300.hash | 2 ++
>  1 file changed, 2 insertions(+)
>  create mode 100644 package/open2300/open2300.hash
> 
> diff --git a/package/open2300/open2300.hash b/package/open2300/open2300.hash
> new file mode 100644
> index 0000000000..913cccf4d2
> --- /dev/null
> +++ b/package/open2300/open2300.hash
> @@ -0,0 +1,2 @@
> +sha256	f4239d2f16d52156586d06be38f06a3eb58168377e243a8de8720b66e33ddb8f  open2300-12.tar.gz
> +sha256	91df39d1816bfb17a4dda2d3d2c83b1f6f2d38d53e53e41e8f97ad5ac46a0cad  COPYING
> -- 
> 2.20.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'