From: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat, 21 Dec 2024 10:54:42 +0000 (+0000)
Subject: make.sh: Explicitely check the source tarballs
X-Git-Tag: v2.29-core191~14^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=50f8a13985fd804dc6c9a71cccbfd179ae62a732;p=ipfire-2.x.git

make.sh: Explicitely check the source tarballs

The Makefiles do not automatically perform the check that I expected
them to perform when running a build. They check if the source tarballs
are all present, but they don't check whether they match the checksum.
This is only being done when "./make.sh downloadsrc" is being run.

In case of the automated builds, we explicitely run "./make.sh
downloadsrc", so I don't think that this might have introduced any
malicious source into the published builds.

Reported-by: Stephen Cuka <stephen@firemypi.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
---

diff --git a/make.sh b/make.sh
index 3fc127ce09..0a21b94899 100755
--- a/make.sh
+++ b/make.sh
@@ -939,7 +939,7 @@ lfsmake1() {
 		exiterror "Downloading ${pkg}"
 	fi
 
-	if ! make_pkg --timer="update_runtime" "${pkg}" TOOLCHAIN=1 ROOT="${BUILD_DIR}" "$@"; then
+	if ! make_pkg --timer="update_runtime" "${pkg}" TOOLCHAIN=1 ROOT="${BUILD_DIR}" b2 "$@"; then
 		print_status FAIL
 
 		exiterror "Building ${pkg}"
@@ -962,7 +962,7 @@ lfsmake2() {
 	fi
 
 	# Run install on the package
-	if ! make_pkg --chroot --timer="update_runtime" "${pkg}" install "$@"; then
+	if ! make_pkg --chroot --timer="update_runtime" "${pkg}" b2 install "$@"; then
 		print_status FAIL
 
 		exiterror "Building ${pkg}"