[OE-core] [PATCH] package_ipk: Clean up Source entry in ipk packages

Richard Purdie richard.purdie at linuxfoundation.org
Fri Jun 16 22:11:05 UTC 2017


On Fri, 2017-06-16 at 13:43 -0500, Alejandro del Castillo wrote:
> 
> On 06/16/2017 03:46 AM, Richard Purdie wrote:
> > 
> > There is the potential for sensitive information to leak through the urls
> > there and removing it brings this into the behavior of the other package
> > backends since filtering it is likely error prone.
> > 
> > Since ipks don't appear to be generated at all if we don't set this, set
> > the field to the recipe name used (basename only, no paths). This avoids
> > information leaking. We may want to drop the field if opkg can allow that
> > at a future point but the recipe name is a suitable identifier for now.
> Looking at opkg-build, opkg requires:
> 
> 	Package, Version, Architecture, Maintainer, Section, Priority, Source
> 
> while deb requires:
> 
> 	Package, Version, Maintainer, Description
> 
> It does make sense to require Architecture, but doesn't make sense
> to me to make Section, Priority and Source mandatory. Opkg does
> process packages that lack those fields.
> 
> This should be a trivial change to opkg-build, which I can submit
> into opkg-utils. Including that patch in the opkg-utils recipe may
> simplify things here.

I agree, I think that may be a worthwhile change. I was a little
surprised it didn't do that already and appears to silently fail if
Source: isn't set (or we fail to check the exit code).

I also have found out some people are using this Source: data to find
recipe information so we likely do need some way to map it back to the
recipe, I'm hoping the filename is good enough for that purpose...

Cheers,

Richard
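
An added example, not part of the original message or of OE-core: a small audit for the leak the commit message describes, flagging ipk control stanzas whose Source field still carries fetch URLs or paths instead of a bare recipe file name. The stanzas, hostnames and credential are constructed, and `parse_control` and `audit_source` are hypothetical names.

```python
import os
from urllib.parse import urlsplit

# Constructed control stanzas: a Source field carrying fetch URLs (before)
# and one carrying only the recipe file name (after).
BEFORE = """Package: foo
Version: 1.0-r0
Architecture: armv7a
Source: git://builder:s3cr3t@git.example.com/foo.git;protocol=https
 https://dl.example.com/foo.tar.gz?token=abc
"""
AFTER = "Package: foo\nVersion: 1.0-r0\nArchitecture: armv7a\nSource: foo_1.0.bb\n"

def parse_control(text):
    """Parse one control stanza into {field: value}, folding continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last:
            fields[last] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            fields[last] = value.strip()
    return fields

def audit_source(control_text):
    """Return (redacted entry, reason) for each Source token that is not a bare name."""
    findings = []
    for token in parse_control(control_text).get("Source", "").split():
        parts = urlsplit(token)
        if parts.scheme and parts.netloc:
            where = f"{parts.scheme}://{parts.hostname}"  # never echo userinfo
            if parts.username or parts.password:
                findings.append((where, "credentials in URL"))
            elif parts.query or ";" in parts.path:
                findings.append((where, "URL with parameters"))
            else:
                findings.append((where, "fetch URL"))
        elif "/" in token:
            findings.append((os.path.basename(token), "filesystem path"))
    return findings

if __name__ == "__main__":
    for name, stanza in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_source(stanza))
```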


