[OE-core] [PATCH] package_ipk: Clean up Source entry in ipk packages

Denys Dmytriyenko denis at denix.org
Fri Jun 16 15:24:26 UTC 2017


On Fri, Jun 16, 2017 at 10:22:35AM +0100, Richard Purdie wrote:
> On Fri, 2017-06-16 at 09:46 +0100, Richard Purdie wrote:
> > There is the potential for sensitive information to leak through the urls
> > there and removing it brings this into the behavior of the other package
> > backends since filtering it is likely error prone.
> > 
> > Since ipks don't appear to be generated at all if we don't set this, set
> > the field to the recipe name used (basename only, no paths). This avoids
> > information leaking. We may want to drop the field if opkg can allow that
> > at a future point but the recipe name is a suitable identifier for now.
> > 
> > Reported-by: Andrej Valek <andrej.valek at siemens.com>
> > Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
> > ---
> >  meta/classes/package_ipk.bbclass | 6 ++----
> >  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> Since this is rather important I have backported this to
> pyro/morty/krogoth with the appropriate tweaks.

Ouch! We were actually using that field to generate the URL list for the 
Software Manifest out of the package feed...

Was this discussed before? Can this change be made optional?

-- 
Denys
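
An added example, not part of the original thread or of OE-core: a small audit that reads the Source field of an ipk control stanza and reports whether it still carries URLs (and of what kind) or only a bare recipe file name, as the quoted patch description intends. The sample stanzas, host names and the assumption that Source holds whitespace-separated entries are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample control stanzas (not taken from any real package feed).
OLD_STYLE = """Package: example
Version: 1.0-r0
Architecture: all
Source: git://git.example.invalid/repo.git;protocol=https https://builder:s3cret@files.example.invalid/example-1.0.tar.gz?token=abc
 file://fix.patch
Description: constructed sample
"""
NEW_STYLE = """Package: example
Version: 1.0-r0
Architecture: all
Source: example_1.0.bb
Description: constructed sample
"""

def control_fields(text):
    """Parse one control stanza into a dict, joining continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields

def audit_source(text):
    """Return (kind, location) findings for the Source field; [] means clean."""
    findings = []
    # Assumption: entries in Source are separated by whitespace.
    for entry in control_fields(text).get("Source", "").split():
        if "://" not in entry:
            if "/" in entry:  # a path rather than a bare basename
                findings.append(("path", entry))
            continue
        # Drop ";param=value" fetcher options before parsing the URL.
        url = urlsplit(entry.split(";", 1)[0])
        if url.username or url.password:
            # Report only the host so the audit output does not repeat the secret.
            findings.append(("credentials", url.hostname))
        elif url.query:
            findings.append(("query-string", url.hostname))
        else:
            findings.append(("url", url.hostname or url.path))
    return findings
```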


