| 1 |
commit: 10d4fefbbf0ffe61026b219059eba52a340bbe92 |
| 2 |
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sun Mar 8 07:33:58 2020 +0000 |
| 4 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Mar 8 07:34:11 2020 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10d4fefb |
| 7 |
|
| 8 |
eclass/go-module: clarify that h1: should be omitted from EGO_SUM |
| 9 |
|
| 10 |
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org> |
| 11 |
|
| 12 |
eclass/go-module.eclass | 26 ++++++++++++++++++++++---- |
| 13 |
1 file changed, 22 insertions(+), 4 deletions(-) |
| 14 |
|
| 15 |
diff --git a/eclass/go-module.eclass b/eclass/go-module.eclass |
| 16 |
index cdd5b07a930..74f7bb6aa70 100644 |
| 17 |
--- a/eclass/go-module.eclass |
| 18 |
+++ b/eclass/go-module.eclass |
| 19 |
@@ -97,11 +97,29 @@ EXPORT_FUNCTIONS src_unpack pkg_postinst |
| 20 |
# The format of go.sum is described upstream here: |
| 21 |
# https://tip.golang.org/cmd/go/#hdr-Module_authentication_using_go_sum |
| 22 |
# |
| 23 |
+# For inclusion in EGO_SUM, the h1: value and other future extensions SHOULD be |
| 24 |
+# omitted at this time. The EGO_SUM parser will accept them for ease of ebuild |
| 25 |
+# creation. |
| 26 |
+# |
| 27 |
# h1:<hash> is the Hash1 structure used by upstream Go |
| 28 |
-# Note that Hash1 is MORE stable than Gentoo distfile hashing, and upstream |
| 29 |
-# warns that it's conceptually possible for the Hash1 value to remain stable |
| 30 |
-# while the upstream zipfiles change. E.g. it does NOT capture mtime changes in |
| 31 |
-# files within a zipfile. |
| 32 |
+# The Hash1 is MORE stable than Gentoo distfile hashing, and upstream warns |
| 33 |
+# that it's conceptually possible for the Hash1 value to remain stable while |
| 34 |
+# the upstream zipfiles change. Here are examples that do NOT change the h1: |
| 35 |
+# hash, but do change a regular checksum over all bytes of the file: |
| 36 |
+# - Differing mtimes within zipfile |
| 37 |
+# - Differing filename ordering with the zipfile |
| 38 |
+# - Differing zipfile compression parameters |
| 39 |
+# - Differing zipfile extra fields |
| 40 |
+# |
| 41 |
+# For Gentoo usage, the authors of this eclass feel that the h1: hash should |
| 42 |
+# NOT be included in the EGO_SUM at this time in order to reduce size of the |
| 43 |
+# ebuilds. This position will be reconsidered in future when a Go module |
| 44 |
+# distfile collision comes to light, where the Hash1 value of two distfiles is |
| 45 |
+# the same, but checksums over the file as a byte stream consider the files to |
| 46 |
+# be different. |
| 47 |
+# |
| 48 |
+# This decision does NOT weaken Go module security, as Go will verify the |
| 49 |
+# go.sum copy of the Hash1 values during building of the package. |
| 50 |
|
| 51 |
# @ECLASS-VARIABLE: EGO_VENDOR |
| 52 |
# @DESCRIPTION: |
Archives