Message ID | 20231209013715.1212333-1-tim.orling@konsulko.com
---|---
State | Accepted, archived
Commit | 560181a52111569f7bc57b09139b42510e0d0325
Series | recipetool: pypi: do not clobber SRC_URI checksums
> -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Tim Orling > Sent: den 9 december 2023 02:37 > To: openembedded-core@lists.openembedded.org > Cc: Tim Orling <tim.orling@konsulko.com> > Subject: [OE-core] [PATCH] recipetool: pypi: do not clobber SRC_URI checksums > > The pypi change: > "85a2a6f68af recipetool: create_buildsys_python: add pypi support" > deleted all the SRC_URI variables, including the SRC_URI checksums. > These are not generated by the pypi.bbclass (how could they be trusted?) > > Without the checksum(s), we are vulnerable to a man-in-the-middle attack > and zero checks on the validity of the downloaded tarball from pypi.org. > > Fix by only setting S and SRC_URI to None. > > Signed-off-by: Tim Orling <tim.orling@konsulko.com> > --- > scripts/lib/recipetool/create_buildsys_python.py | 5 ----- > 1 file changed, 5 deletions(-) > > diff --git a/scripts/lib/recipetool/create_buildsys_python.py b/scripts/lib/recipetool/create_buildsys_python.py > index 5e07222ece1..66de36ba3e4 100644 > --- a/scripts/lib/recipetool/create_buildsys_python.py > +++ b/scripts/lib/recipetool/create_buildsys_python.py > @@ -172,11 +172,6 @@ class PythonRecipeHandler(RecipeHandler): > # extravalues['SRC_URI(?:\[.*?\])?'] = None The TODO comment above should also be removed as it should not be done. > extravalues['S'] = None > extravalues['SRC_URI'] = None > - extravalues['SRC_URI[md5sum]'] = None > - extravalues['SRC_URI[sha1sum]'] = None > - extravalues['SRC_URI[sha256sum]'] = None > - extravalues['SRC_URI[sha384sum]'] = None > - extravalues['SRC_URI[sha512sum]'] = None > > classes.append('pypi') > > -- > 2.34.1 //Peter
diff --git a/scripts/lib/recipetool/create_buildsys_python.py b/scripts/lib/recipetool/create_buildsys_python.py index 5e07222ece1..66de36ba3e4 100644 --- a/scripts/lib/recipetool/create_buildsys_python.py +++ b/scripts/lib/recipetool/create_buildsys_python.py @@ -172,11 +172,6 @@ class PythonRecipeHandler(RecipeHandler): # extravalues['SRC_URI(?:\[.*?\])?'] = None extravalues['S'] = None extravalues['SRC_URI'] = None - extravalues['SRC_URI[md5sum]'] = None - extravalues['SRC_URI[sha1sum]'] = None - extravalues['SRC_URI[sha256sum]'] = None - extravalues['SRC_URI[sha384sum]'] = None - extravalues['SRC_URI[sha512sum]'] = None classes.append('pypi')
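Review bot: the commented-out line `# extravalues['SRC_URI(?:\[.*?\])?'] = None` left as context at the top of this hunk describes exactly the behaviour the patch is reverting (clearing every SRC_URI flag, checksums included), so it should be deleted in the same change rather than remain as a misleading TODO; and since the commit message frames the dropped `SRC_URI[sha256sum]` and siblings as the only integrity check on the tarball fetched from pypi.org, an oe-selftest recipetool case asserting that a generated pypi recipe still carries its checksum flag would keep this from regressing again.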
The pypi change:
"85a2a6f68af recipetool: create_buildsys_python: add pypi support"
deleted all the SRC_URI variables, including the SRC_URI checksums.
These are not generated by the pypi.bbclass (how could they be trusted?)

Without the checksum(s), we are vulnerable to a man-in-the-middle attack
and zero checks on the validity of the downloaded tarball from pypi.org.

Fix by only setting S and SRC_URI to None.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
scripts/lib/recipetool/create_buildsys_python.py | 5 -----
1 file changed, 5 deletions(-)
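As an added illustration of the regression the commit message describes (example code written for this page, not recipetool's or OE-core's own code): a toy model of the two handler behaviours over a constructed `extravalues` dict, followed by the kind of checksum verification BitBake's fetcher performs when `SRC_URI[<algo>sum]` flags are present. The package name, URL, tarball bytes and the `clobber_all_src_uri`, `keep_checksums` and `verify_fetched_tarball` helpers are all constructed for the example.

```python
import hashlib
import re

# Constructed sample inputs (hypothetical package, not from the page).
SAMPLE_TARBALL = b"constructed tarball bytes standing in for example-1.0.tar.gz"
SAMPLE_EXTRAVALUES = {
    "S": "${WORKDIR}/example-1.0",
    "SRC_URI": "https://files.pythonhosted.org/packages/source/e/example/example-1.0.tar.gz",
    # The checksum a recipetool run would have recorded for the real download.
    "SRC_URI[sha256sum]": hashlib.sha256(SAMPLE_TARBALL).hexdigest(),
}

# Matches the checksum flags the patch stops clearing.
CHECKSUM_KEY = re.compile(r"^SRC_URI\[(md5|sha1|sha256|sha384|sha512)sum\]$")


def clobber_all_src_uri(extravalues):
    """'Before' behaviour: every SRC_URI value, checksums included, is set to None."""
    out = dict(extravalues)
    for key in out:
        if key in ("S", "SRC_URI") or CHECKSUM_KEY.match(key):
            out[key] = None
    return out


def keep_checksums(extravalues):
    """'After' behaviour (the fix): only S and SRC_URI are cleared, so the
    pypi class supplies the URL while the recorded checksum flags survive."""
    out = dict(extravalues)
    out["S"] = None
    out["SRC_URI"] = None
    return out


def verify_fetched_tarball(data, extravalues):
    """Return True only if at least one checksum flag is present and every
    present flag matches the fetched bytes. With no flags at all there is
    nothing to check, which is the state the commit message warns about."""
    checked = 0
    for key, expected in extravalues.items():
        m = CHECKSUM_KEY.match(key)
        if not m or expected is None:
            continue
        if hashlib.new(m.group(1), data).hexdigest() != expected:
            return False
        checked += 1
    return checked > 0


if __name__ == "__main__":
    fixed = keep_checksums(SAMPLE_EXTRAVALUES)
    broken = clobber_all_src_uri(SAMPLE_EXTRAVALUES)
    print("fixed handler, genuine tarball :", verify_fetched_tarball(SAMPLE_TARBALL, fixed))
    print("fixed handler, tampered tarball:", verify_fetched_tarball(SAMPLE_TARBALL + b"!", fixed))
    print("old handler, any tarball       :", verify_fetched_tarball(SAMPLE_TARBALL, broken))
```

The point of the third case is that the old handler does not merely accept a tampered tarball; it leaves the recipe with no checksum flag at all, so there is no verification step to fail in the first place.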