[yocto-autobuilder-helper,02/11] scripts/utils: warn and force re-download for HTTPS sources without SHA256

Message ID cb29a66ef6906c4bf576afbaf6cc42b41815d535.1778202125.git.tim.orling@konsulko.com
State New
Series [yocto-autobuilder-helper,01/11] scripts/utils: fix stale extraction dir when tarball is updated

Commit Message

Tim Orling May 8, 2026, 2 a.m. UTC
From: Tim Orling <tim.orling@konsulko.com>

Without a SHA256 checksum there is no way to verify that a cached HTTPS
download is still current. Rather than silently reusing a potentially
stale copy, delete the cached file and force a re-download each run,
and emit a clear WARNING telling the operator how to avoid the overhead
(by appending ;sha256=<hash> to the URL in their config).

AI-Generated: Claude Cowork Sonnet 4.6
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
 scripts/utils.py | 8 ++++++++
 1 file changed, 8 insertions(+)

Patch

diff --git a/scripts/utils.py b/scripts/utils.py
index 87acad6..ea905d9 100644
--- a/scripts/utils.py
+++ b/scripts/utils.py
@@ -505,6 +505,14 @@  def setup_tools_tarball(ourconfig, btdir, bttarball, name="buildtools"):
                         # that a freshly-published tarball is always picked up.
                         if os.path.getmtime(bttarball) > os.path.getmtime(btdlpath):
                             os.unlink(btdlpath)
+                    elif not bttarball.startswith("/") and os.path.exists(btdlpath):
+                        # HTTPS/FTP source with no SHA256: there is no way to
+                        # verify the cached copy is current, so force a
+                        # re-download every run.  Add a sha256=<hash> suffix to
+                        # the URL in your config to avoid this.
+                        print("WARNING: no SHA256 provided for %s source %s; "
+                              "forcing re-download to avoid using a stale cached copy"
+                              % (name, bttarball))
                         os.unlink(btdlpath)
                     if not os.path.exists(btdlpath):
                         if bttarball.startswith("/"):
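
Review bot: The WARNING printed in the new `elif` branch does not tell the operator how to fix the condition, although the commit message says it should: the `sha256=<hash>` hint lives only in the code comment, so it never reaches the build log. Consider moving it into the print string, for example "append ;sha256=<hash> to the URL in the config to enable verification and caching". The message also frames the missing checksum purely as a staleness problem; a fresh download without a SHA256 is still not checked against a pinned hash, and saying so in the warning would make that integrity gap visible to whoever reads the log. Two smaller points: the `os.unlink(btdlpath)` that ends the branch is an unchanged context line rather than an added one, so it is worth confirming against the result of 01/11 that the branch above does not lose a statement it previously had; and because the cached file is removed before the `if not os.path.exists(btdlpath):` fetch, a failed download leaves no copy at all, which fetching to a temporary name and replacing on success would avoid.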