[yocto] [meta-raspberrypi][PATCH] firmware.inc: Fetch a zip instead of cloning a git repo
Jon Szymaniak
jon.szymaniak at gmail.com
Fri Jun 26 07:42:55 PDT 2015
On Fri, Jun 26, 2015 at 10:19 AM, Burton, Ross <ross.burton at intel.com>
wrote:
>
>
> On 26 June 2015 at 15:16, Jon Szymaniak <jon.szymaniak at gmail.com> wrote:
>
>> I'm open to other suggestions as well, as this was just a first stab at
>> it. I've been seeing that cloning this git repo containing binary firmware
>> blobs takes an absurd amount of time, if it even finishes at all
>> successfully.
>>
>
> I believe github offers hosting of "release" tarballs too, so upstream
> could take advantage of that. Having verified checksums of firmware is
> useful from a security point of view as you can't really inspect the
> sources for it...
>
That's actually what I looked for first, and definitely would use that if
it were available.
Generally when you apply a tag or manually create a release on GitHub, and
etnry under "Tags" or "Releases" is created. It will automatically provide
a zip and/or tar.gz of the repo sources -- I suspect this would suffer from
the same risk of changing checksums that you expressed concern over.
Therefore, it would require the upstream maintainer to upload a specific
.tar.gz, preferably with .sha256sum and .md5sum files.
Back to the git depth point... why is "--depth 1" not the default for all
cases? Could anyone elaborate on some use cases where we'd actually want
the entire history for builds?
- Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yoctoproject.org/pipermail/yocto/attachments/20150626/b8710fc3/attachment.html>
More information about the yocto
mailing list