source definition in package stubby
moritzwarning at web.de
Thu Jul 9 04:51:21 EDT 2020
On 7/9/20 10:40 AM, Moritz Warning wrote:
> On 7/9/20 8:46 AM, e9hack wrote:
>> Am 09.07.2020 um 08:36 schrieb e9hack:
>>> something in the source definition of package stubby is wrong. The build process tries to download https://github.com/getdnsapi/stubby/stubby-0.3.0.tar.xz but the real download location is https://github.com/getdnsapi/stubby/archive/stubby-0.3.0.tar.gz. It fails and it builds its own source package from git checkout. For checkout no hash is used. The given hash from Makefile is never used. I can change the hash to what I want. The build process doesn't complain about a wrong hash.
>> Sorry the download path is https://github.com/getdnsapi/stubby/archive/v0.3.0.tar.gz which results in downloading of stubby-0.3.0.tar.gz from somewhere in the github code cloud.
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>>From what I see in include/download.mk, if dl_github_archive.py fails (e.g. due to a PKG_MIRROR_HASH mismatch), then DownloadMethod/rawgit is used - which does not check the hash but is fine if the sha1 commit id is valid.
> This does not look good, since the commit hash is not meant to be a security guarantee. No?
The stubby package does not even have a commit hash, but a git tag (PKG_SOURCE_VERSION:=v$(PKG_VERSION)).
That means, the git tag can be changed by the source repository and openwrt won't complain. :/
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
More information about the openwrt-devel