On 06/16/2017 05:11 PM, Richard Purdie wrote:
> On Fri, 2017-06-16 at 13:43 -0500, Alejandro del Castillo wrote:
>>
>> On 06/16/2017 03:46 AM, Richard Purdie wrote:
>>>
>>> There is the potential for sensitive information to leak through the urls
>>> there and removing it brings this into the behavior of the other package
>>> backends since filtering it is likely error prone.
>>>
>>> Since ipks don't appear to be generated at all if we don't set this, set
>>> the field to the recipe name used (basename only, no paths). This avoids
>>> information leaking. We may want to drop the field if opkg can allow that
>>> at a future point but the recipe name is a suitable identifier for now.
>> Looking at opkg-build, opkg requires:
>>
>>      Package, Version, Architecture, Maintainer, Section, Priority, Source
>>
>> while deb requires:
>>
>>      Package, Version, Maintainer, Description
>>
>> It does make sense to require Architecture, but doesn't make sense
>> to me to make Section, Priority and Source mandatory. Opkg does
>> process packages that lack those fields.
>>
>> This should be a trivial change to opkg-build, which I can submit
>> into opkg-utils. Including that patch in the opkg-utils recipe may
>> simplify things here.
> 
> I agree, I think that may be a worthwhile change. I was a little
> surprised it didn't do that already and appears to silently fail if
> Source: isn't set (or we fail to check the exit code).

FWIW the opkg-utils patch is already on the opkg mailing list, in case
you think it's worth pulling it nevertheless.

-- 
Cheers,

Alejandro
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
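
Added example, not part of the thread and not code from opkg-utils or OE-Core: a small audit of an ipk control stanza that reports fields from the opkg-build list quoted above that are missing, and flags a Source value that carries URLs, credentials or paths instead of a bare recipe basename. The control stanzas are constructed sample data, and the Debian-style layout with folded continuation lines and the flagging heuristics are assumptions of this example.

```python
from urllib.parse import urlsplit

# Fields opkg-build requires, as listed in the thread above.
REQUIRED = ["Package", "Version", "Architecture", "Maintainer",
            "Section", "Priority", "Source"]

def parse_control(text):
    """Parse one control stanza into a dict, folding continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last:
            fields[last] += " " + line.strip()
        elif ":" in line:
            last, value = line.split(":", 1)
            last = last.strip()
            fields[last] = value.strip()
    return fields

def audit_control(text):
    """Report missing required fields and Source tokens that could leak data.

    Findings name the kind of problem only, so the audit log itself
    never repeats a credential or a build path.
    """
    fields = parse_control(text)
    findings = ["missing field: " + f for f in REQUIRED if f not in fields]
    for token in fields.get("Source", "").split():
        parts = urlsplit(token)
        if parts.username or parts.password:
            findings.append("Source: URL with embedded credentials")
        elif parts.scheme:
            findings.append("Source: %s URL" % parts.scheme)
        elif "/" in token:
            findings.append("Source: filesystem path")
    return findings

# Constructed sample stanzas (hypothetical package, hosts and credentials).
HEADER = ("Package: example-fw\nVersion: 1.0-r0\nArchitecture: armv7a\n"
          "Maintainer: OE-Core Developers <dev@example.invalid>\n"
          "Section: base\nPriority: optional\n")
LEAKY = (HEADER + "Source: https://builder:s3cret@git.example.invalid/fw.git"
         ";protocol=https\n file:///home/alice/build/local.patch\n")
CLEAN = HEADER + "Source: example-fw_1.0.bb\n"

if __name__ == "__main__":
    for name, stanza in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_control(stanza))
```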
