Skip to content
Jump to bottom

gtkt+: fix PATCHURL #1587

Merged
merged 1 commit into from
Jan 15, 2020
Merged

gtkt+: fix PATCHURL #1587

merged 1 commit into from
Jan 15, 2020

Conversation

wwwutz
Copy link
Collaborator

@wwwutz wwwutz commented Jan 13, 2020

bee update gtk+-1.2.10-2

  • BEE_DOWNLOADDIR is highly volatile
  • nail patchfiles to md5-wired location

@wwwutz
gtkt+: fix PATCHURL
22798f6 
bee update gtk+-1.2.10-2

- BEE_DOWNLOADDIR is highly volatile
- nail patchfiles to md5-wired location
@donald
Copy link
Collaborator

donald commented Jan 14, 2020

Why not just /src/mariux/downloads or /src/mariux/patches ? I don't see the advantage of the md5 tree.

@wwwutz
Copy link
Collaborator Author

wwwutz commented Jan 15, 2020

  • security
  • availability.
  • the identity and source of the files in downloads|patches is unstable
  • there are packages which have a github realease, assets or otherwse stored source URL and all with the same name, but different contents
  • there is no check (yet) to prove "this package has been build with this downloaded file"
  • once in a while you just rebuild a new revision and the source might have removed the source.
  • even when trusting the https-URL the contents might change
  • when the srcurl is down and you change the source it might also change contents

It's not a question of "this might happen" but "this happened" and could be changed easily.

@donald
Copy link
Collaborator

donald commented Jan 15, 2020

Okay, this

even when trusting the https-URL the contents might change

justifies the md5 for me.

@donald donald merged commit d6fe957 into master Jan 15, 2020
Sign in to join this conversation on GitHub.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@wwwutz @donald