[OE-core] opkg and gpg signed ipk packages
Sona Sarmadi
sona.sarmadi at enea.com
Wed May 20 10:44:39 UTC 2015
> >> Do you think this patch would be of interest for someone?
> >
> > Yes but it would be good to make it choosable at distro level.

Opkg has support for 'sha256' but opkg-utils only supports md5.
We could pass the sha256 option to opkg-utils (like other parameters such as Maintainer),
and make it configurable. We just need to figure out how to pass this option to opkg-utils.

Since MD5 is not very secure, wouldn't it be better to use sha256 as default?
Or is there any specific reason that someone would want MD5 to be kept as the
default (due to e.g. performance, backwards compatibility ...)?
It takes a longer time to compute a sha256 checksum compared to md5 but
sha256 is more secure & reliable.
Anyway, it would be good to have this optional (sha256 or md5).

> I agree.. and RPM(5) has the ability to switch the default checksum from MD5
> to others as well. So a global distro setting would make sense. (I don't know
> how the deb package manager is configured.)
>
> Let me know if we come up with a distribution level switch (or if we just want
> to make the policy be sha256, as it's definitely better than MD5) and I can
> help make the RPM configuration change as well.

I think a configuration at high level would be good to use for all PMS, to choose MD5 or sha256.

conf/local.conf:

# Package Management configuration
PACKAGE_CLASSES ?= "package_ipk"
Or
PACKAGE_CLASSES ?= "package_rpm"

PACKAGE_CHECKSUM ?= "sha256" <<< something like this
Or
PACKAGE_CHECKSUM ?= "md5"

//Sona
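
An added example, not part of the original message or of opkg-utils: a sketch of how one checksum setting such as the PACKAGE_CHECKSUM variable proposed above could drive both the index line an indexer writes and the check a client enforces. The field names "MD5Sum" and "SHA256sum", the function names, and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

# Index field name per algorithm. "MD5Sum" and "SHA256sum" follow opkg's
# Packages index convention; treated here as an assumption.
FIELDS = {"md5": "MD5Sum", "sha256": "SHA256sum"}


def checksum_field(data: bytes, algo: str) -> str:
    """Return the index line an indexer would emit for the chosen algorithm."""
    if algo not in FIELDS:
        raise ValueError(f"unsupported PACKAGE_CHECKSUM: {algo!r}")
    return f"{FIELDS[algo]}: {hashlib.new(algo, data).hexdigest()}"


def parse_stanza(stanza: str) -> dict:
    """Parse 'Key: value' lines of one index stanza."""
    fields = {}
    for line in stanza.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify(data: bytes, stanza: str, policy: str) -> bool:
    """Verify data against the stanza using only the policy's algorithm.

    Fails closed: a stanza that lacks the required field is rejected, so an
    md5-only index cannot satisfy a sha256 policy.
    """
    expected = parse_stanza(stanza).get(FIELDS[policy])
    if expected is None:
        return False
    actual = hashlib.new(policy, data).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


# Constructed sample: stand-in bytes for an .ipk and its index stanzas.
IPK = b"constructed sample package payload"
STANZA_MD5 = "Package: demo\nVersion: 1.0\n" + checksum_field(IPK, "md5")
STANZA_SHA256 = "Package: demo\nVersion: 1.0\n" + checksum_field(IPK, "sha256")

if __name__ == "__main__":
    print(STANZA_SHA256)
    print("sha256 policy, sha256 index:", verify(IPK, STANZA_SHA256, "sha256"))
    print("sha256 policy, md5-only index:", verify(IPK, STANZA_MD5, "sha256"))
```

A checksum in the index only detects corruption or tampering of the package relative to that index; the index itself still has to be authenticated, which is what the gpg signing in this thread's subject is for.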