source definition in package stubby

Moritz Warning moritzwarning at web.de
Thu Jul 9 04:40:16 EDT 2020


On 7/9/20 8:46 AM, e9hack wrote:
> Am 09.07.2020 um 08:36 schrieb e9hack:
>> Hi,
>>
>> something in the source definition of package stubby is wrong. The build process tries to download https://github.com/getdnsapi/stubby/stubby-0.3.0.tar.xz but the real download location is https://github.com/getdnsapi/stubby/archive/stubby-0.3.0.tar.gz. It fails and it builds its own source package from git checkout. For checkout no hash is used. The given hash from Makefile is never used. I can change the hash to what I want. The build process doesn't complain about a wrong hash.
>>
>> Regards,
>> Hartmut
>>
>
> Sorry, the download path is https://github.com/getdnsapi/stubby/archive/v0.3.0.tar.gz, which results in downloading stubby-0.3.0.tar.gz from somewhere in the github code cloud.
>
> Regards,
> Hartmut
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>

From what I see in include/download.mk, if dl_github_archive.py fails (e.g. due to a PKG_MIRROR_HASH mismatch), then DownloadMethod/rawgit is used - which does not check the hash but is fine if the sha1 commit id is valid.
This does not look good, since the commit hash is not meant to be a security guarantee. No?

best,
mwarning
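The failure mode described above (a hash mismatch that is silently followed by a fallback to an unverified source) is the opposite of what a package fetcher should do. As an added example, not OpenWrt's download.mk and not code from anyone in this thread, the POSIX shell snippet below shows the fail-closed shape: download to a temporary file, verify the SHA-256 against the pinned value, and only then move it into place; any mismatch deletes the file and returns an error, with no alternative fetch path. It assumes curl is available for the download and sha256sum or shasum for hashing; the demo at the end uses a constructed file so it runs offline.

```shell
#!/bin/sh
# Added example (not OpenWrt's download.mk): a fail-closed fetch-and-verify
# helper. A hash mismatch aborts instead of falling back to another source.

# sha256_of FILE -> prints the hex digest (sha256sum on GNU, shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_file FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch
verify_file() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'hash mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# fetch_verified URL DEST EXPECTED_SHA256
# Downloads into DEST.part (curl is an assumption), verifies, then renames.
# On download failure or hash mismatch the partial file is removed and the
# function returns non-zero. There is deliberately no fallback path.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    tmp="$dest.part"
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if ! verify_file "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Offline demonstration with a constructed file (no network needed).
demo() {
    f=$(mktemp)
    printf 'constructed sample tarball contents\n' > "$f"
    good=$(sha256_of "$f")
    verify_file "$f" "$good" && echo "ok: hash matches"
    verify_file "$f" \
        "0000000000000000000000000000000000000000000000000000000000000000" \
        || echo "refused: hash mismatch, no fallback attempted"
    rm -f "$f"
}
```

The design choice worth noting is that verification happens on the temporary file before the rename, so a partially downloaded or tampered archive never appears under the final name, and a wrong pinned hash in the build recipe surfaces as a hard build failure rather than as a quiet switch to a different fetch method.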