[oe] checksums situation

Marcin Juszkiewicz openembedded at haerwu.biz
Fri Feb 13 16:28:08 UTC 2009 

Hi

It is nearly two years since conf/checksums.ini was introduced. We 
populated it with over 6000 entries during that time (mostly by 
automatic fetching of all source on CELF and EWI machines). But there 
are problems with it's format.

First problem is how to use it when overlays are used. Not every entry 
of SRC_URI can be provided into public (NDA binaries etc) so people 
starts to switch off checking of checksums which is not good idea. OE 
reads only one copy of file. OK, such users can copy it to their overlay 
and extend with own entries which will work with properly created value 
of BBPATH variable. But this does not sound as solution.

Second problem which I hit few times is using of DEBIAN_MIRROR etc 
variables. We allow users to choose fastest Debian, kernel.org, 
SourceForge mirror but this also mean that URLs for sources will differ 
from ones in checksums.ini. Of course users can submit new entries but 
we will have duplicates then (we have about 700 of them already). There 
were ideas how to solve that which were sent to this mailing list.

One of ideas was to use filename as key (instead of URL). But I can 
imagine few situations when it will be wrong way (similiar names for 
different files, different contents of same name tarballs etc).

Other was to use filename as key and add "url[0-xx]" fields which will 
list alternative locations. This one looks better but still does not 
solve situation when someone use DEBIAN_MIRROR which is not present in 
checksums.ini file.

Possible solution would be going to keeping MD5/SHA256 sums in recipes. 
We used 'md5' parametr in SRC_URI for that in past. We can switch to 
using it for md5 and sha256, but some purists can say that it will make 
SRC_URI entries much longer.

Example:

SRC_URI = "${SOURCEFORGE_MIRROR}/zziplib/zziplib-${PV}.tar.bz2"

will change to:

SRC_URI = 
"${SOURCEFORGE_MIRROR}/zziplib/zziplib-${PV}.tar.bz2;md5=a6538f6c44ceeed0ed7e8e356f444168;sha256=f684397ce39ec400ba3369521892b7c3a8711d3ef1be59115db9f8d57707bbb8"

which is very long line.

This solution also has one nasty part - now we can keep SRC_URI for 
multiple versions in common file, but if we switch to storing it in 
SRC_URI we will have to change that.

Other solution proposed on IRC was to keep checksums in extra file in 
each directory of packages/ subdirectory. I think that it is not best 
but sounds better then one file.

What do you think? Which way we should go? Do you have other ideas?

Regards, 
-- 
JID:      hrw at jabber.org
Website:  http://marcin.juszkiewicz.com.pl/
LinkedIn: http://www.linkedin.com/in/marcinjuszkiewicz

More information about the Openembedded-devel mailing list