make.sh: Explicitely check the source tarballs

The Makefiles do not automatically perform the check that I expected
them to perform when running a build. They check if the source tarballs
are all present, but they don't check whether they match the checksum.
This is only being done when "./make.sh downloadsrc" is being run.

In case of the automated builds, we explicitely run "./make.sh
downloadsrc", so I don't think that this might have introduced any
malicious source into the published builds.

Reported-by: Stephen Cuka <stephen@firemypi.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/make.sh b/make.sh
index 3fc127ce095de04ece0698c860896345283dd26d..0a21b948999ce182a9ffdcbf6ccc75284f0cfb78 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -939,7 +939,7 @@ lfsmake1() {
                exiterror "Downloading ${pkg}"
        fi
 
-       if ! make_pkg --timer="update_runtime" "${pkg}" TOOLCHAIN=1 ROOT="${BUILD_DIR}" "$@"; then
+       if ! make_pkg --timer="update_runtime" "${pkg}" TOOLCHAIN=1 ROOT="${BUILD_DIR}" b2 "$@"; then
                print_status FAIL
 
                exiterror "Building ${pkg}"
@@ -962,7 +962,7 @@ lfsmake2() {
        fi
 
        # Run install on the package
-       if ! make_pkg --chroot --timer="update_runtime" "${pkg}" install "$@"; then
+       if ! make_pkg --chroot --timer="update_runtime" "${pkg}" b2 install "$@"; then
                print_status FAIL
 
                exiterror "Building ${pkg}"