commit: 10d4fefbbf0ffe61026b219059eba52a340bbe92 |
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
AuthorDate: Sun Mar 8 07:33:58 2020 +0000 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
CommitDate: Sun Mar 8 07:34:11 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10d4fefb |
|
eclass/go-module: clarify that h1: should be omitted from EGO_SUM |
|
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org> |
|
eclass/go-module.eclass | 26 ++++++++++++++++++++++---- |
1 file changed, 22 insertions(+), 4 deletions(-) |
|
diff --git a/eclass/go-module.eclass b/eclass/go-module.eclass |
index cdd5b07a930..74f7bb6aa70 100644 |
--- a/eclass/go-module.eclass |
+++ b/eclass/go-module.eclass |
@@ -97,11 +97,29 @@ EXPORT_FUNCTIONS src_unpack pkg_postinst |
# The format of go.sum is described upstream here: |
# https://tip.golang.org/cmd/go/#hdr-Module_authentication_using_go_sum |
# |
+# For inclusion in EGO_SUM, the h1: value and other future extensions SHOULD be |
+# omitted at this time. The EGO_SUM parser will accept them for ease of ebuild |
+# creation. |
+# |
# h1:<hash> is the Hash1 structure used by upstream Go |
-# Note that Hash1 is MORE stable than Gentoo distfile hashing, and upstream |
-# warns that it's conceptually possible for the Hash1 value to remain stable |
-# while the upstream zipfiles change. E.g. it does NOT capture mtime changes in |
-# files within a zipfile. |
+# The Hash1 is MORE stable than Gentoo distfile hashing, and upstream warns |
+# that it's conceptually possible for the Hash1 value to remain stable while |
+# the upstream zipfiles change. Here are examples that do NOT change the h1: |
+# hash, but do change a regular checksum over all bytes of the file: |
+# - Differing mtimes within zipfile |
+# - Differing filename ordering with the zipfile |
+# - Differing zipfile compression parameters |
+# - Differing zipfile extra fields |
+# |
+# For Gentoo usage, the authors of this eclass feel that the h1: hash should |
+# NOT be included in the EGO_SUM at this time in order to reduce size of the |
+# ebuilds. This position will be reconsidered in future when a Go module |
+# distfile collision comes to light, where the Hash1 value of two distfiles is |
+# the same, but checksums over the file as a byte stream consider the files to |
+# be different. |
+# |
+# This decision does NOT weaken Go module security, as Go will verify the |
+# go.sum copy of the Hash1 values during building of the package. |
|
# @ECLASS-VARIABLE: EGO_VENDOR |
# @DESCRIPTION: |
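Review bot: The security claim at the end of this hunk ("This decision does NOT weaken Go module security, as Go will verify the go.sum copy of the Hash1 values during building of the package") should spell out its precondition: it holds only when the build runs in module mode against the package's own upstream go.sum, so that the zips EGO_SUM fetched are checked by Go at build time. A build that takes the EGO_VENDOR path documented directly below, or any build in -mod=vendor mode, compiles from the vendored tree and never compares those zips against go.sum, so for that path the only verification of the distfiles is Gentoo's Manifest checksum over the full byte stream (which, as the comment argues, is the stricter of the two, but it is a different check than the one this sentence promises). Suggest a sentence along the lines of "# (Assuming the package is built in module mode with its upstream go.sum; vendored builds rely on Manifest hashes alone.)" after the last added line. The same paragraph should also say what the parser does with an h1: value that an ebuild author leaves in EGO_SUM, since "The EGO_SUM parser will accept them for ease of ebuild creation" could be read as meaning it is verified against something; if it is simply discarded, say so, otherwise authors may assume it adds a check. Minor: "Differing filename ordering with the zipfile" should read "within the zipfile".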