From: Tim Orling Date: Sat, 9 Dec 2023 01:40:04 +0000 (-0800) Subject: recipetool: pypi: do not clobber SRC_URI checksums X-Git-Tag: yocto-5.2~4342 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=560181a52111569f7bc57b09139b42510e0d0325;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git recipetool: pypi: do not clobber SRC_URI checksums The pypi change: "85a2a6f68af recipetool: create_buildsys_python: add pypi support" deleted all the SRC_URI variables, including the SRC_URI checksums. These are not generated by the pypi.bbclass (how could they be trusted?) Without the checksum(s), we are vulnerable to a man-in-the-middle attack and zero checks on the validity of the downloaded tarball from pypi.org. Fix by only setting S and SRC_URI to None. Signed-off-by: Tim Orling Signed-off-by: Richard Purdie
---
diff --git a/scripts/lib/recipetool/create_buildsys_python.py b/scripts/lib/recipetool/create_buildsys_python.py
index 5e07222ece1..a2af41fdda8 100644
--- a/scripts/lib/recipetool/create_buildsys_python.py
+++ b/scripts/lib/recipetool/create_buildsys_python.py
@@ -167,16 +167,11 @@ class PythonRecipeHandler(RecipeHandler):
 if pypi_package_ext != "tar.gz":
 extravalues["PYPI_PACKAGE_EXT"] = pypi_package_ext
- # Pypi class will handle S and SRC_URIxxx variables, so remove them
+ # Pypi class will handle S and SRC_URI variables, so remove them
 # TODO: allow oe.recipeutils.patch_recipe_lines() to accept regexp so we can simplify the following to:
 # extravalues['SRC_URI(?:\[.*?\])?'] = None
 extravalues['S'] = None
 extravalues['SRC_URI'] = None
- extravalues['SRC_URI[md5sum]'] = None
- extravalues['SRC_URI[sha1sum]'] = None
- extravalues['SRC_URI[sha256sum]'] = None
- extravalues['SRC_URI[sha384sum]'] = None
- extravalues['SRC_URI[sha512sum]'] = None
 classes.append('pypi')
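Review bot: The TODO kept as context just above `extravalues['S'] = None` still proposes collapsing these assignments into the regexp `SRC_URI(?:\[.*?\])?`, which would also match the `SRC_URI[...sum]` flags this commit deliberately stops removing, so the comment now contradicts the change and invites someone to reintroduce the checksum clobber. Suggest dropping that TODO and its regexp example and replacing them with a comment that records the intent, e.g. `# Only drop S and SRC_URI; keep any SRC_URI[*sum] lines, pypi.bbclass does not supply checksums and the fetcher needs them to verify the downloaded tarball`. The new comment on the `+` line could likewise say "S and SRC_URI (not its checksum flags)" to make the distinction explicit at the point of use. The enclosing method of PythonRecipeHandler starts outside the hunk, and the hunk's trailing context appears to be cut off here.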