> -----Original Message----- > From: openembedded-core@lists.openembedded.org > <openembedded-core@lists.openembedded.org> On Behalf Of Tim Orling > Sent: den 9 december 2023 02:37 > To: openembedded-core@lists.openembedded.org > Cc: Tim Orling <tim.orl...@konsulko.com> > Subject: [OE-core] [PATCH] recipetool: pypi: do not clobber SRC_URI checksums > > The pypi change: > "85a2a6f68af recipetool: create_buildsys_python: add pypi support" > deleted all the SRC_URI variables, including the SRC_URI checksums. > These are not generated by the pypi.bbclass (how could they be trusted?) > > Without the checksum(s), we are vulnerable to a man-in-the-middle attack > and zero checks on the validity of the downloaded tarball from pypi.org. > > Fix by only setting S and SRC_URI to None. > > Signed-off-by: Tim Orling <tim.orl...@konsulko.com> > --- > scripts/lib/recipetool/create_buildsys_python.py | 5 ----- > 1 file changed, 5 deletions(-) > > diff --git a/scripts/lib/recipetool/create_buildsys_python.py > b/scripts/lib/recipetool/create_buildsys_python.py > index 5e07222ece1..66de36ba3e4 100644 > --- a/scripts/lib/recipetool/create_buildsys_python.py > +++ b/scripts/lib/recipetool/create_buildsys_python.py > @@ -172,11 +172,6 @@ class PythonRecipeHandler(RecipeHandler): > # extravalues['SRC_URI(?:\[.*?\])?'] = None
The TODO comment above should also be removed as it should not be done. > extravalues['S'] = None > extravalues['SRC_URI'] = None > - extravalues['SRC_URI[md5sum]'] = None > - extravalues['SRC_URI[sha1sum]'] = None > - extravalues['SRC_URI[sha256sum]'] = None > - extravalues['SRC_URI[sha384sum]'] = None > - extravalues['SRC_URI[sha512sum]'] = None > > classes.append('pypi') > > -- > 2.34.1 //Peter
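Review bot: the commented-out regex `# extravalues['SRC_URI(?:\[.*?\])?'] = None`, left as unchanged context directly above the five deleted lines, is the one remaining route back to clobbering every `SRC_URI[...]` checksum flag, which is exactly what this patch sets out to stop; drop that line in the same hunk (or replace it with a comment saying the checksum flags recorded from the original SRC_URI are deliberately kept) rather than leave a TODO that contradicts the fix. A caveat worth a sentence in the commit message: keeping `SRC_URI[sha256sum]` and friends only buys verification if the SRC_URI that pypi.bbclass supplies fetches the same sdist recipetool hashed; if it does not, do_fetch fails on the checksum, which is the safe failure mode, but a reader of the generated recipe should know where the value came from.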
View/Reply Online (#192095): https://lists.openembedded.org/g/openembedded-core/message/192095
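The failure mode the patch describes, a generated recipe that inherits pypi but carries no SRC_URI checksum, is easy to catch mechanically. Below is an added example of such a check, written for this page and not part of recipetool, pypi.bbclass or the patch: a small linter that parses BitBake-style assignments and `inherit` lines, flags pypi recipes with no `SRC_URI[*sum]` flag (or only md5/sha1), and verifies a downloaded sdist against the strongest recorded checksum. The recipe text and the sdist bytes are constructed for illustration; the parser covers only simple `VAR = "..."` / `VAR[flag] = "..."` assignments with backslash continuations, not full BitBake syntax.

```python
"""Lint BitBake recipes that inherit pypi for missing SRC_URI checksums and
verify a fetched sdist against the recorded digest.

Added example, not recipetool or pypi.bbclass code. Recipe text and tarball
bytes below are constructed; the parser handles only simple assignments.
"""
import hashlib
import re

# VAR = "value" or VAR[flag] = "value", with the common BitBake operators.
_ASSIGN = re.compile(
    r'^\s*([A-Za-z0-9_]+)(?:\[([A-Za-z0-9_]+)\])?\s*'
    r'(?:\?\?=|\?=|:=|\+=|=\+|=)\s*"([^"]*)"\s*$'
)
_INHERIT = re.compile(r'^\s*inherit\s+(.+?)\s*$')

CHECKSUM_FLAGS = ("md5sum", "sha1sum", "sha256sum", "sha384sum", "sha512sum")


def parse_recipe(text):
    """Return (variables, flags, inherited) for a recipe body.

    variables: {name: value}; flags: {(name, flag): value};
    inherited: set of class names. Joins backslash-continued lines.
    """
    variables, flags, inherited = {}, {}, set()
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line, buf = buf + raw, ""
        m = _INHERIT.match(line)
        if m:
            inherited.update(m.group(1).split())
            continue
        m = _ASSIGN.match(line)
        if m:
            name, flag, value = m.groups()
            if flag:
                flags[(name, flag)] = value
            else:
                variables[name] = value
    return variables, flags, inherited


def lint_recipe(text):
    """Return a list of findings about missing or weak SRC_URI checksums."""
    _, flags, inherited = parse_recipe(text)
    checksums = {f: v for (n, f), v in flags.items()
                 if n == "SRC_URI" and f in CHECKSUM_FLAGS}
    findings = []
    if "pypi" in inherited and not checksums:
        findings.append("inherit pypi but no SRC_URI[*sum] checksum: fetched sdist is unverified")
    if checksums and set(checksums) <= {"md5sum", "sha1sum"}:
        findings.append("only weak checksums (md5/sha1) present; add SRC_URI[sha256sum]")
    return findings


def verify_sdist(text, data):
    """Check downloaded sdist bytes against the strongest recorded checksum.

    Returns (ok, algorithm), or (None, None) when the recipe records nothing.
    """
    _, flags, _ = parse_recipe(text)
    for flag in ("sha512sum", "sha384sum", "sha256sum", "sha1sum", "md5sum"):
        expected = flags.get(("SRC_URI", flag))
        if expected:
            algo = flag[:-3]  # "sha256sum" -> "sha256"
            return hashlib.new(algo, data).hexdigest() == expected, algo
    return None, None


# Constructed sample data (not a real package or tarball).
SAMPLE_SDIST = b"not a real sdist; constructed bytes for this example\n"

BAD_RECIPE = """\
SUMMARY = "Constructed example recipe (hypothetical package)"
LICENSE = "MIT"
PYPI_PACKAGE = "example-pkg"

inherit pypi setuptools3
"""

# Same recipe with the checksum of the constructed sdist retained.
GOOD_RECIPE = BAD_RECIPE + (
    f'SRC_URI[sha256sum] = "{hashlib.sha256(SAMPLE_SDIST).hexdigest()}"\n'
)

if __name__ == "__main__":
    for name, recipe in (("bad", BAD_RECIPE), ("good", GOOD_RECIPE)):
        print(name, lint_recipe(recipe), verify_sdist(recipe, SAMPLE_SDIST))
```

Running `lint_recipe` over the output of `recipetool create` for a PyPI URL is the quick way to confirm the checksum flags survived; a recipe that inherits pypi with no `SRC_URI[...]` flag is exactly the unverified-fetch case the commit message warns about.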