@@ -167,16 +167,11 @@ class PythonRecipeHandler(RecipeHandler):
if pypi_package_ext != "tar.gz":
extravalues["PYPI_PACKAGE_EXT"] = pypi_package_ext
- # Pypi class will handle S and SRC_URIxxx variables, so remove them
+ # Pypi class will handle S and SRC_URI variables, so remove them
# TODO: allow oe.recipeutils.patch_recipe_lines() to accept regexp so we can simplify the following to:
# extravalues['SRC_URI(?:\[.*?\])?'] = None
extravalues['S'] = None
extravalues['SRC_URI'] = None
- extravalues['SRC_URI[md5sum]'] = None
- extravalues['SRC_URI[sha1sum]'] = None
- extravalues['SRC_URI[sha256sum]'] = None
- extravalues['SRC_URI[sha384sum]'] = None
- extravalues['SRC_URI[sha512sum]'] = None
classes.append('pypi')
The pypi change: "85a2a6f68af recipetool: create_buildsys_python: add pypi support" deleted all the SRC_URI variables, including the SRC_URI checksums. These are not generated by the pypi.bbclass (how could they be trusted?) Without the checksum(s), we are vulnerable to a man-in-the-middle attack and zero checks on the validity of the downloaded tarball from pypi.org. Fix by only setting S and SRC_URI to None. Signed-off-by: Tim Orling <tim.orling@konsulko.com> --- Changes in v2: - clarify the pypi.bbclass comment scripts/lib/recipetool/create_buildsys_python.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-)