Staging tree of Christian Lamparter https://git.openwrt.org/openwrt/staging/chunkeey/atom?h=v19.07.5 2020-12-05T19:50:19Z 2020-12-05T19:50:19Z Petr Štetiar 2020-11-27T20:56:30Z urn:sha1:a47caacaf37e57389acc7618f23a7e64afaa9d8c It seems like after a build the /dl dir seems to now contain a .hash file for each source file due to inproper cleanup so fix it by removing those intermediate files before leaving the download action. Fixes: 4e19cbc55335 ("download: handle possibly invalid local tarballs") Reported-by: Hannu Nyman <hannu.nyman@iki.fi> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 52a5d0d27f2557db99fc5435fbd7783b649cb9b2) 2020-12-05T19:50:19Z Petr Štetiar 2020-11-19T15:32:46Z urn:sha1:605adb1023efda0c29d160839fccc20801b717cd Currently it's assumed, that already downloaded tarballs are always fine, so no checksum checking is performed and the tarball is used even if it might be corrupted. From now on, we're going to always check the downloaded tarballs before considering them valid. Steps to reproduce: 1. Remove cached tarball rm dl/libubox-2020-08-06-9e52171d.tar.xz 2. Download valid tarball again make package/libubox/download 3. Invalidate the tarball sed -i 's/PKG_MIRROR_HASH:=../PKG_MIRROR_HASH:=ff/' package/libs/libubox/Makefile 4. Now compile with corrupt tarball source make package/libubox/{clean,compile} Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 4e19cbc553350b8146985367ba46514cf50e3393) 2020-11-20T10:58:01Z David Bauer 2020-11-18T15:02:23Z urn:sha1:39c5635714aacac4e94f4ac60d191e9b0582d6b5 With this commit, the download script will try downloading source files using the filename instead of the url-filename in case the previous download attempt using the url-filename failed. This is required, as the OpenWrt sources mirrors serve files using the filename files might be renamed to after downloading. If the original mirror for a file where url-filename and filename do not match goes down, the download failed prior to this patch. Further improvement can be done by performing this only for the OpenWrt sources mirrors. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit d36999389890fb952fc7cc8c0db8e1bbb671af12) 2020-08-24T13:56:27Z Jo-Philipp Wich 2020-08-24T13:53:17Z urn:sha1:350883bb90e05433d755cbe87eb7c75a7af9a535 This reverts commit c737a9ee6a9c47b6e553ac81bf293b1161e59799. The source CDN has been discontinued in its current form and will take a while to be reestablished. Even then it makes little sense to put a CDN before other CDNs such as kernel.org, apache.org, sourceforge etc. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit bf96eb55c82191701030b68810e6f19adbb91eeb) 2020-05-04T22:05:28Z Paul Spooren 2020-04-06T11:53:19Z urn:sha1:96d280cc370020e5d2ea7555119f2f2bfeb221f2 OpenWrt now has a CDN for sources at sources.cdn.openwrt.org which mirrors sources.openwrt.org. Downloading sources outside Europe or US (mainland) could result in low throughput, extremely slowing down the first compilation of the build system. This patch adds sources.cdn.openwrt.org as the first mirror to offer worldwide fast download speeds by default. If the CDN goes down for whatever reason, the script jumps to the next available mirror and downloads requested files as before (in regional varying speed). Signed-off-by: Paul Spooren <mail@aparcar.org> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit c737a9ee6a9c47b6e553ac81bf293b1161e59799) 2019-12-22T23:32:01Z Jiri Kastner 2019-11-28T15:29:31Z urn:sha1:0c07224b5a3dbb3733432f97d68085d11bdb92d9 apache mirrors holds only latest releases, to download older releases, one must use archive.apache.org to get them. Signed-off-by: Jiri Kastner <cz172638@gmail.com> (cherry picked from commit dc34c695c4faa46efc6e2367a2ba06a47caa4840) 2019-09-04T11:41:25Z Yousong Zhou 2019-08-18T15:18:10Z urn:sha1:a929c1bad028ef71477685f1d71c2ded4f737d1a https://sources.lede-openwrt.org now redirects to there https://downloads.openwrt.org/sources returns 404, so remove it here Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> (cherry picked from commit 0f3667864d5391c2d9ace63ccfc83ab270405cc9) 2018-05-01T09:12:15Z Rosen Penev 2018-02-20T20:43:01Z urn:sha1:1ce846580a638bb8a9f9c2571840be65331be38e These have supported HTTPS for quite a while. I have not seen any obvious breakage. Signed-off-by: Rosen Penev <rosenp@gmail.com> 2018-05-01T09:12:15Z Rosen Penev 2018-02-20T20:43:00Z urn:sha1:9ea90209f9ef3a786b34995092e830c50a65ddfd SourceForge has supported HTTPS for its downloads for a long time now. I have not been able to see any failures resulting from this change. Signed-off-by: Rosen Penev <rosenp@gmail.com> 2017-12-14T08:29:31Z Jo-Philipp Wich 2017-12-12T13:55:11Z urn:sha1:f4b9d9d6f13c898d473ce678234339e4a9dba5b2 When calling a download target, hash verification is now completely skipped if we set PKG_HASH=skip. This allows to easily bump package version: $ make package/<mypackage>/download PKG_HASH=skip V=s $ make package/<mypackage>/check FIXUP=1 V=s This will download the new version of the package, and then automatically update PKG_HASH with the hash of the new version. Of course, it is still the responsibility of the packager to ensure that the new tarball is legitimate, because it is downloaded from a possibly untrusted source. Fixes: b30ba14e ("scripts/download.pl: fail loudly if provided hash is unsupported") Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Signed-off-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Stijn Tintel <stijn@linux-ipv6.be> Signed-off-by: John Crispin <john@phrozen.org>