From c24e3b9f676ea68c100154f1aa865430ed2c99f1 Mon Sep 17 00:00:00 2001 From: Peter Kjellerstedt Date: Wed, 6 Dec 2023 19:40:41 +0100 Subject: dev-manual: Discourage the use of SRC_URI[md5sum] SRC_URI[md5sum] has been deprecated for a long time. Discourage its use by removing it from examples and note that it should be replaced by SRC_URI[sha256sum] when updating recipes. Also mention that bitbake supports other checksums, though they are not commonly used. (From yocto-docs rev: 806c6cb0b457248ac7401487ba2cdd17a1eba320) Signed-off-by: Peter Kjellerstedt Reviewed-by: Michael Opdenacker Signed-off-by: Richard Purdie --- documentation/dev-manual/debugging.rst | 2 +- documentation/dev-manual/new-recipe.rst | 27 ++++++++++++++++----------- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/documentation/dev-manual/debugging.rst b/documentation/dev-manual/debugging.rst index fea2cb30a1..bd1e716b0b 100644 --- a/documentation/dev-manual/debugging.rst +++ b/documentation/dev-manual/debugging.rst @@ -327,7 +327,7 @@ BitBake has determined by doing the following: the task. This list also includes indirect dependencies from variables depending on other variables, recursively:: - Task dependencies: ['PV', 'SRCREV', 'SRC_URI', 'SRC_URI[md5sum]', 'SRC_URI[sha256sum]', 'base_do_fetch'] + Task dependencies: ['PV', 'SRCREV', 'SRC_URI', 'SRC_URI[sha256sum]', 'base_do_fetch'] .. note:: diff --git a/documentation/dev-manual/new-recipe.rst b/documentation/dev-manual/new-recipe.rst index e741cef0e8..2c1033eb35 100644 --- a/documentation/dev-manual/new-recipe.rst +++ b/documentation/dev-manual/new-recipe.rst @@ -303,28 +303,33 @@ If your :term:`SRC_URI` statement includes URLs pointing to individual files fetched from a remote server other than a version control system, BitBake attempts to verify the files against checksums defined in your recipe to ensure they have not been tampered with or otherwise modified -since the recipe was written. Two checksums are used: -``SRC_URI[md5sum]`` and ``SRC_URI[sha256sum]``. +since the recipe was written. Multiple checksums are supported: +``SRC_URI[md5sum]``, ``SRC_URI[sha1sum]``, ``SRC_URI[sha256sum]``. +``SRC_URI[sha384sum]`` and ``SRC_URI[sha512sum]``, but only +``SRC_URI[sha256sum]`` is commonly used. + +.. note:: + + ``SRC_URI[md5sum]`` used to also be commonly used, but it is deprecated + and should be replaced by ``SRC_URI[sha256sum]`` when updating existing + recipes. If your :term:`SRC_URI` variable points to more than a single URL (excluding -SCM URLs), you need to provide the ``md5`` and ``sha256`` checksums for -each URL. For these cases, you provide a name for each URL as part of -the :term:`SRC_URI` and then reference that name in the subsequent checksum -statements. Here is an example combining lines from the files -``git.inc`` and ``git_2.24.1.bb``:: +SCM URLs), you need to provide the ``sha256`` checksum for each URL. For these +cases, you provide a name for each URL as part of the :term:`SRC_URI` and then +reference that name in the subsequent checksum statements. Here is an example +combining lines from the files ``git.inc`` and ``git_2.24.1.bb``:: SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages" - SRC_URI[tarball.md5sum] = "166bde96adbbc11c8843d4f8f4f9811b" SRC_URI[tarball.sha256sum] = "ad5334956301c86841eb1e5b1bb20884a6bad89a10a6762c958220c7cf64da02" - SRC_URI[manpages.md5sum] = "31c2272a8979022497ba3d4202df145d" SRC_URI[manpages.sha256sum] = "9a7ae3a093bea39770eb96ca3e5b40bff7af0b9f6123f089d7821d0e5b8e1230" -Proper values for ``md5`` and ``sha256`` checksums might be available +The proper value for the ``sha256`` checksum might be available together with other signatures on the download page for the upstream source (e.g. ``md5``, ``sha1``, ``sha256``, ``GPG``, and so forth). Because the -OpenEmbedded build system only deals with ``sha256sum`` and ``md5sum``, +OpenEmbedded build system typically only deals with ``sha256sum``, you should verify all the signatures you find by hand. If no :term:`SRC_URI` checksums are specified when you attempt to build the -- cgit v1.2.3-54-g00ecf