| Message ID | 20250922195059.1052515-1-jeroen@myspectrum.nl |
|---|---|
| State | New |
| Headers | show |
| Series | [RFC] fetch2: npm: do keep the sha256sum | expand |
Am 22.09.2025 um 22:05 schrieb Jeroen Hofstee via lists.openembedded.org: > cc-ing Stefan Herbrechtsmeier who is the author of mentioned > patch. Please revert the mention patch. The npm fetcher inject the checksum on the fly from the remote source. The mention patch was part of a proposed rework of the npm fetcher to use local checksum and remove the dependency to the npm binary. > > On 9/22/25 21:50, jeroen@myspectrum.nl wrote: >> From: Jeroen Hofstee <jhofstee@victronenergy.com> >> >> commit 8d3232152e ("fetch2: read checksum from SRC_URI flag for npm") >> added npm to require a checksum. The checksum is also added with the >> `npm view` command which relies on downloaded data. Furthermore in >> _setup_proxy all the SRC_URI variables are removed, so an explicit >> local SRC_URI[sha256sum] is removed and it only checks the online >> checksum from npm view. >> >> This removes the data.delVarFlags("SRC_URI"), so the check works again, >> but given the comment "Avoid conflicts between the environment data and >> the proxy url checksum", there might be reason for that, but I wouldn't >> expect tarballs to differ when served directly or via a proxy. >> >> We might consider getting rid of npm_integrity completely and force >> having a local checksum and not depend on the npm infrastructure. >> --- >> lib/bb/fetch2/npm.py | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py >> index e469d6676..ad740f832 100644 >> --- a/lib/bb/fetch2/npm.py >> +++ b/lib/bb/fetch2/npm.py >> @@ -269,7 +269,8 @@ class Npm(FetchMethod): >> # Avoid conflicts between the environment data and: >> # - the proxy url checksum >> data = bb.data.createCopy(d) >> - data.delVarFlags("SRC_URI") >> + # XXX: What is the purpose of removing SRC_URI, it also >> removes the checksum... >> + #data.delVarFlags("SRC_URI") >> ud.proxy = Fetch([url], data) >> def _get_proxy_method(self, ud, d): > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#18075): https://lists.openembedded.org/g/bitbake-devel/message/18075 > Mute This Topic: https://lists.openembedded.org/mt/115382619/6374899 > Group Owner: bitbake-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/bitbake-devel/unsub [stefan.herbrechtsmeier-oss@weidmueller.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hello Stefan, On 9/23/25 12:25, Stefan Herbrechtsmeier wrote: > Am 22.09.2025 um 22:05 schrieb Jeroen Hofstee via lists.openembedded.org: >> cc-ing Stefan Herbrechtsmeier who is the author of mentioned >> patch. > > Please revert the mention patch. The npm fetcher inject the checksum > on the fly from the remote source. The mention patch was part of a > proposed rework of the npm fetcher to use local checksum and remove > the dependency to the npm binary. > I would say what you did actually a good thing. Afaiac we should get rid of "The npm fetcher inject the checksum on the fly from the remote source" Regards, Jeroen
diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py index e469d6676..ad740f832 100644 --- a/lib/bb/fetch2/npm.py +++ b/lib/bb/fetch2/npm.py @@ -269,7 +269,8 @@ class Npm(FetchMethod): # Avoid conflicts between the environment data and: # - the proxy url checksum data = bb.data.createCopy(d) - data.delVarFlags("SRC_URI") + # XXX: What is the purpose of removing SRC_URI, it also removes the checksum... + #data.delVarFlags("SRC_URI") ud.proxy = Fetch([url], data) def _get_proxy_method(self, ud, d):
From: Jeroen Hofstee <jhofstee@victronenergy.com> commit 8d3232152e ("fetch2: read checksum from SRC_URI flag for npm") added npm to require a checksum. The checksum is also added with the `npm view` command which relies on downloaded data. Furthermore in _setup_proxy all the SRC_URI variables are removed, so an explicit local SRC_URI[sha256sum] is removed and it only checks the online checksum from npm view. This removes the data.delVarFlags("SRC_URI"), so the check works again, but given the comment "Avoid conflicts between the environment data and the proxy url checksum", there might be reason for that, but I wouldn't expect tarballs to differ when served directly or via a proxy. We might consider getting rid of npm_integrity completely and force having a local checksum and not depend on the npm infrastructure. --- lib/bb/fetch2/npm.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)