The pypi change:
"85a2a6f68af recipetool: create_buildsys_python: add pypi support"
deleted all the SRC_URI variables, including the SRC_URI checksums.
These are not generated by the pypi.bbclass (how could they be trusted?)
Without the checksum(s), we are vulnerable to a man-in-the-middle attack
and zero checks on the validity of the downloaded tarball from pypi.org.
Fix by only setting S and SRC_URI to None.
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
if pypi_package_ext != "tar.gz":
extravalues["PYPI_PACKAGE_EXT"] = pypi_package_ext
- # Pypi class will handle S and SRC_URIxxx variables, so remove them
+ # Pypi class will handle S and SRC_URI variables, so remove them
# TODO: allow oe.recipeutils.patch_recipe_lines() to accept regexp so we can simplify the following to:
# extravalues['SRC_URI(?:\[.*?\])?'] = None
extravalues['S'] = None
extravalues['SRC_URI'] = None
- extravalues['SRC_URI[md5sum]'] = None
- extravalues['SRC_URI[sha1sum]'] = None
- extravalues['SRC_URI[sha256sum]'] = None
- extravalues['SRC_URI[sha384sum]'] = None
- extravalues['SRC_URI[sha512sum]'] = None
classes.append('pypi')
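Review bot: The TODO kept in the unchanged context above the S and SRC_URI assignments still proposes extravalues['SRC_URI(?:\[.*?\])?'] = None, and that pattern also matches SRC_URI[sha256sum] and the other checksum flags, so implementing it as written would strip the checksums again. Either drop the TODO or narrow it to S and the bare SRC_URI. The updated comment could also say that the SRC_URI[...] checksum entries are kept on purpose so that the tarball fetched from pypi is still verified.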