Commit 74ce748d authored by Yann E. MORIN's avatar Yann E. MORIN Committed by Peter Korsgaard
Browse files

docs/manual: also document md5 hash 



We accept an md5 hash, but only if coming from upstream, and if also
accompanied with a stronger hash.

Signed-off-by: default avatar"Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Samuel Martin <s.martin49@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
parent 8c488211

docs/manual/adding-packages-directory.txt

+18 −11
Original line number Diff line number Diff line
@@ -415,9 +415,10 @@ The format of this file is one line for each file for which to check the 
hash, each line being space-separated, with these three fields:



* the type of hash, one of:

** +sha1+, +sha224+, +sha256+, +sha384+, +sha512+, +none+

** +md5+, +sha1+, +sha224+, +sha256+, +sha384+, +sha512+, +none+

* the hash of the file:

** for +none+, one or more non-space chars, usually just the string +xxx+

** for +md5+, 32 hexadecimal characters

** for +sha1+, 40 hexadecimal characters

** for +sha224+, 56 hexadecimal characters

** for +sha256+, 64 hexadecimal characters
@@ -431,14 +432,17 @@ lines are ignored. 
There can be more than one hash for a single file, each on its own line. In

this case, all hashes must match.



.Note

Ideally, the hashes stored in this file should match the hashes published by

upstream, e.g. on their website, in the e-mail announcement... If upstream

provides more than one type of hash (say, +sha1+ and +sha512+), then it is

provides more than one type of hash (e.g. +sha1+ and +sha512+), then it is

best to add all those hashes in the +.hash+ file. If upstream does not

provide any hash, then compute at least one yourself, and mention this in a

comment line above the hashes.

provide any hash, or only provides an +md5+ hash, then compute at least one

strong hash yourself (preferably +sha256+, but not +md5+), and mention

this in a comment line above the hashes.



*Note:* the number of spaces does not matter, so one can use spaces to

.Note

The number of spaces does not matter, so one can use spaces (or tabs) to

properly align the different fields.



The +none+ hash type is reserved to those archives downloaded from a
@@ -446,20 +450,23 @@ repository, like a 'git clone', a 'subversion checkout'... or archives 
downloaded with the xref:github-download-url[github helper].



The example below defines a +sha1+ and a +sha256+ published by upstream for

the main +libfoo-1.2.3.tar.bz2+ tarball, plus two locally-computed hashes,

a +sha256+ for a downloaded patch, a +sha1+ for a downloaded binary blob,

and an archive with no hash:

the main +libfoo-1.2.3.tar.bz2+ tarball, an +md5+ from upstream and a

locally-computed +sha256+ hashes for a binary blob, a +sha256+ for a

downloaded patch, and an archive with no hash:



----

# Hashes from: http://www.foosoftware.org/download/libfoo-1.2.3.tar.bz2.{sha1,sha256}:

sha1   486fb55c3efa71148fe07895fd713ea3a5ae343a                         libfoo-1.2.3.tar.bz2

sha256 efc8103cc3bcb06bda6a781532d12701eb081ad83e8f90004b39ab81b65d4369 libfoo-1.2.3.tar.bz2



# No upstream hashes for the following:

# md5 from: http://www.foosoftware.org/download/libfoo-1.2.3.tar.bz2.md5, sha256 locally computed:

md5    2d608f3c318c6b7557d551a5a09314f03452f1a1                         libfoo-data.bin

sha256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b libfoo-data.bin



# Locally computed:

sha256 ff52101fb90bbfc3fe9475e425688c660f46216d7e751c4bbdb1dc85cdccacb9 libfoo-fix-blabla.patch

sha1   2d608f3c318c6b7557d551a5a09314f03452f1a1                         libfoo-data.bin



# Explicitly no hash for that file, comes from a git-clone:

# No hash for 1234, comes from the github-helper:

none   xxx                                                              libfoo-1234.tar.gz

----