Commit Graph

64 Commits

Author SHA1 Message Date
Petr Štetiar
605adb1023 download: handle possibly invalid local tarballs
Currently it's assumed, that already downloaded tarballs are always
fine, so no checksum checking is performed and the tarball is used even
if it might be corrupted.

From now on, we're going to always check the downloaded tarballs before
considering them valid.

Steps to reproduce:

 1. Remove cached tarball

   rm dl/libubox-2020-08-06-9e52171d.tar.xz

 2. Download valid tarball again

   make package/libubox/download

 3. Invalidate the tarball

   sed -i 's/PKG_MIRROR_HASH:=../PKG_MIRROR_HASH:=ff/' package/libs/libubox/Makefile

 4. Now compile with corrupt tarball source

   make package/libubox/{clean,compile}

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 4e19cbc553)
2020-12-05 20:50:19 +01:00
David Bauer
39c5635714 scripts: download.pl: retry download using filename
With this commit, the download script will try downloading source files
using the filename instead of the url-filename in case the previous
download attempt using the url-filename failed.

This is required, as the OpenWrt sources mirrors serve files using the
filename files might be renamed to after downloading. If the original
mirror for a file where url-filename and filename do not match goes
down, the download failed prior to this patch.

Further improvement can be done by performing this only for the
OpenWrt sources mirrors.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit d369993898)
2020-11-20 11:58:01 +01:00
Jo-Philipp Wich
350883bb90 Revert "scripts/download: add sources CDN as first mirror"
This reverts commit c737a9ee6a.

The source CDN has been discontinued in its current form and will take a
while to be reestablished. Even then it makes little sense to put a CDN
before other CDNs such as kernel.org, apache.org, sourceforge etc.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit bf96eb55c8)
2020-08-24 15:56:27 +02:00
Paul Spooren
96d280cc37 scripts/download: add sources CDN as first mirror
OpenWrt now has a CDN for sources at sources.cdn.openwrt.org which
mirrors sources.openwrt.org.

Downloading sources outside Europe or US (mainland) could
result in low throughput, extremely slowing down the first compilation of
the build system.

This patch adds sources.cdn.openwrt.org as the first mirror to offer
worldwide fast download speeds by default. If the CDN goes down for
whatever reason, the script jumps to the next available mirror and
downloads requested files as before (in regional varying speed).

Signed-off-by: Paul Spooren <mail@aparcar.org>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit c737a9ee6a)
2020-05-05 00:05:28 +02:00
Jiri Kastner
0c07224b5a scripts/dowload.pl: add archive.apache.org to apache mirror list
apache mirrors holds only latest releases, to download
older releases, one must use archive.apache.org to get
them.

Signed-off-by: Jiri Kastner <cz172638@gmail.com>
(cherry picked from commit dc34c695c4)
2019-12-23 00:32:01 +01:00
Yousong Zhou
a929c1bad0 download.pl: use https://source.openwrt.org
https://sources.lede-openwrt.org now redirects to there

https://downloads.openwrt.org/sources returns 404, so remove it here

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit 0f3667864d)
2019-09-04 13:41:25 +02:00
Rosen Penev
1ce846580a download.pl: Change OpenWrt mirrors to HTTPS.
These have supported HTTPS for quite a while. I have not seen any obvious breakage.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-05-01 11:12:15 +02:00
Rosen Penev
9ea90209f9 download.pl: Change SourceForge address to HTTPS.
SourceForge has supported HTTPS for its downloads for a long time now.

I have not been able to see any failures resulting from this change.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-05-01 11:12:15 +02:00
Jo-Philipp Wich
f4b9d9d6f1 base-files: allow skipping of hash verification
When calling a download target, hash verification is now completely
skipped if we set PKG_HASH=skip.

This allows to easily bump package version:

$ make package/<mypackage>/download PKG_HASH=skip V=s
$ make package/<mypackage>/check FIXUP=1 V=s

This will download the new version of the package, and then automatically
update PKG_HASH with the hash of the new version.  Of course, it is still
the responsibility of the packager to ensure that the new tarball is
legitimate, because it is downloaded from a possibly untrusted source.

Fixes: b30ba14e ("scripts/download.pl: fail loudly if provided hash is unsupported")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: John Crispin <john@phrozen.org>
2017-12-14 09:29:31 +01:00
Baptiste Jonglez
b30ba14e2a scripts/download.pl: fail loudly if provided hash is unsupported
Currently, if the provided hash is unsupported (length different from 32
or 64 bytes), we happily download the requested file without any kind of
checksum verification.

This is quite dangerous and may provide a false sense of security, because
a single typo in the hash (e.g. one character deleted by mistake) may skip
checksum verification entirely.

Instead, fail immediately if we don't support the provided hash.
In particular, if an external package repository decides to change the
hash algorithm one day, we will now fail loudly instead of skipping
checksum verification without complaints.

Note: if some users of scripts/download.pl knowingly provide an empty hash
because they don't need checksum verification, this change will break
them.  This does not seem to be the case currently, but if this feature is
ever needed, an option should be added to download.pl instead of relying
on the hash being empty.

Fixes: eaa4eba10a ("scripts/download.pl: add SHA-256 support")

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-09-11 17:13:02 +02:00
Zoltan Gyarmati
0a761fe8ef scripts/dowload.pl: use glob to expand target dir
If CONFIG_DOWNLOAD_FOLDER is set to for example "~/dl", the download
script fails to create the .hash and .dl files with the following
errors:
 Cannot create file ~/dl/dropbear-2017.75.tar.bz2.dl: No such file or directory
 sh: 1: cannot create ~/dl/dropbear-2017.75.tar.bz2.hash: Directory nonexistent

If the tarball already exists in the ~/dl dir, it's properly found and
used, so this issue only affects the download.pl script.
 This patch calls glob() on the target dir parameter, which will expand `~`.

Signed-off-by: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
2017-08-30 18:12:36 +02:00
Daniel Engberg
99c4295126 scripts/download.pl: Adjust URLs
Internet2 isn't considered a trusted issuer meaning that https links to
rit.edu will fail.

The host mirror.csclub.uwaterloo.ca has a trusted SSL cert and peering
is good so it can replace rit.edu without performance issues.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
[Jo-Philipp Wich: rewrapped commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-21 08:09:45 +02:00
Felix Fietkau
cbe0a7ecc0 scripts/download.pl: print the command used to download files
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-25 19:01:07 +02:00
Felix Fietkau
2fd1503378 scripts/download.pl: fix error message on hash mismatch
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-04 12:33:37 +02:00
Felix Fietkau
74c09e714e download.pl: fix detecting download errors with curl
Avoid treating error pages as successfully downloaded content

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-31 11:24:19 +01:00
Felix Fietkau
84bd74057f build: use mkhash to replace various quirky md5sum/openssl calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-05 11:09:12 +01:00
Brian J. Murrell
fc6b6f4583 download.pl: use curl in preference to wget
Because wget doesn't know how to do Negotiate authentication with a proxy
and curl does, use curl if it's present. The user is expected to have a
~/.curlrc that sets the options necessary for any proxy authentication.

A ~/.curlrc is completely optional however and curl will work in exactly
the same manner as wget without one.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
[Jo-Philipp Wich: Rework code to detect curl usability by checking --version,
                  Use vararg style open() to bypass the shell when downloading,
                  Use Text::ParseWords to decompose env vars into arguments]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-03 14:26:41 +01:00
Felix Fietkau
651bc94df4 download.pl: check for existing file before the first download attempt
In the build system, flock will prevent multiple concurrent downloads
for the same file. However, if one download request for the same file is
waiting for another one to finish, it will result in downloading the
same file twice consecutively.

Prevent this issue by exiting immediately if the file has already been
downloaded

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 15:16:47 +01:00
Daniel Engberg
8372a7f922 download.pl: Rework URLs
Provide HTTPS URL when possible, try to keep 8 mirrors per entry and spread
over several locations of the world. Since most active contributors are in
US/CA and/or EU prioritize mirrors that are within those regions if possible.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-05-28 09:14:55 +02:00
Petr Štetiar
e0b241bb48 scripts/download.pl: Use CDN for kernel downloads
More info at https://www.kernel.org/introducing-fastly-cdn.html

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2016-05-23 13:39:50 +02:00
Felix Fietkau
111285e742 download.pl: use http://sources.lede-project.org as download mirror
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-05-13 16:32:35 +02:00
Álvaro Fernández Rojas
694f060550 download: add @GITHUB download facility
Define a new alias (@GITHUB) for downloading raw files from github repos.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2016-04-03 22:02:46 +02:00
John Crispin
5c408ede6c download: add @GITHUB download facility
Define a new alias (@GITHUB) for downloading raw github repository files

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>

SVN-Revision: 49138
2016-04-09 10:25:34 +00:00
Felix Fietkau
9a94538272 scripts/download.pl: fix sha256 hash command (#21931)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48809
2016-02-27 16:20:06 +00:00
Felix Fietkau
883b5b8191 build: add @APACHE download facility
The Apache Software Foundation offers diverse download mirros.

For packaging Apache software a new alias @APACHE is defined.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

SVN-Revision: 48270
2016-01-17 10:47:32 +00:00
Felix Fietkau
526f470c5f download.pl: fix openssl sha256 digest output
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48259
2016-01-16 10:24:15 +00:00
Felix Fietkau
eaa4eba10a scripts/download.pl: add SHA-256 support
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48253
2016-01-16 00:19:41 +00:00
Felix Fietkau
4eaeee7151 scripts/download.pl: cleanup GNOME source location definitions
Cleanup the @GNOME source download location definitions:
* remove dead and stale mirrors
* adjust to changes at directory structure
* add one new working mirror

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 47825
2015-12-10 12:40:08 +00:00
Felix Fietkau
9b68fe961b build: add support for choosing a different url filename part than the output file
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47591
2015-11-22 19:06:33 +00:00
Hauke Mehrtens
accc5e3693 script: downlaod: change mirror for kernel.org
kernel.org now suggests a different mirror address. this one also
support IPv6 connections and was faster for me.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 46875
2015-09-11 17:59:12 +00:00
Felix Fietkau
3d640eccc1 scripts/download.pl: add support for adding mirrors through an environment variable
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43654
2014-12-12 12:35:23 +00:00
John Crispin
b0a1c7dc0d include/download.mk: Add download mirrors for tools from GNU Savannah (bug #15184)
I defined a new download method @SAVANNAH in include/download.mk and scripts/download.pl,
and converted quilt and qemu to use that method.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 42840
2014-10-08 08:01:39 +00:00
Felix Fietkau
27fe688c5f scripts/download.pl: prefer the GNU mirror redirect over the primary site (#14603)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 39045
2013-12-13 16:43:07 +00:00
Mirko Vogt
53d4d18f07 remove broken mirrors for linux kernel
ftp.de.kernel.org / ftp.fr.kernel.org don't resolv anymore,
ftp.all.kernel.org is DNS round robin anyway

Signed-off-by: Mirko Vogt <mirko@openwrt.org>

SVN-Revision: 37323
2013-07-14 21:26:35 +00:00
Felix Fietkau
40b3db713d scripts/download.pl: use HTTP instead of FTP for the default GNU site
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 37213
2013-07-09 12:52:12 +00:00
Luka Perkov
819472b2d0 scripts: update GNU mirrors
SVN-Revision: 35838
2013-02-28 23:49:36 +00:00
Jo-Philipp Wich
12728ea66b download.pl: - cleanup cache handling code - use alternative m// and s/// delimiters to get rid of tedious slash escaping - use multi-argument form of system() where possible to avoid quoting & escaping issues - avoid a temporary variable
SVN-Revision: 31677
2012-05-11 18:17:15 +00:00
John Crispin
0c4bcae7a1 allow arbitary folder layout when using localmirrors
Make the download script follow symlinks and search subfolders when looking for
a file in a local download mirror.

Signed-off-by: Tathagata Das <tathagata@alumnux.com>

SVN-Revision: 31240
2012-04-10 14:11:45 +00:00
Felix Fietkau
548155ab7d Revert "scripts/download.pl: fix sourceforge url"
To use the new url, the project name would need to be appended multiple times,
let's hope the old redirect will continue to work in the future

SVN-Revision: 30730
2012-02-26 09:29:53 +00:00
Felix Fietkau
4dc4ebe0c8 scripts/download.pl: fix sourceforge url
SVN-Revision: 30726
2012-02-25 20:44:02 +00:00
Jo-Philipp Wich
0c3a383974 download.pl: remove ftp.geo.kernel.org mirror, it does not resolve
SVN-Revision: 29947
2012-01-29 19:28:12 +00:00
John Crispin
4d8b9fafcb ignore empty lines in scripts/localmirrors
SVN-Revision: 27416
2011-07-03 19:33:24 +00:00
Jo-Philipp Wich
0649dfdfb6 download.pl: cope with potential two-digit linux versions
SVN-Revision: 27376
2011-07-03 15:00:24 +00:00
Jo-Philipp Wich
a9c7feb0f7 download.pl: adjust kernel download urls for longterm and testing releases
SVN-Revision: 25589
2011-02-19 15:41:00 +00:00
Jo-Philipp Wich
65fad8645d download.pl: pass --no-check-certificate to wget
SVN-Revision: 24686
2010-12-18 20:54:53 +00:00
Travis Kemen
cf7a37f119 add geodns addresses for the kernel, closes #6574
SVN-Revision: 19621
2010-02-13 01:07:44 +00:00
Ralph Hempel
77df307183 add multiple download mirrors
SVN-Revision: 14573
2009-02-20 10:16:47 +00:00
Felix Fietkau
625b692c1f use #!/usr/bin/env perl instead of #!/usr/bin/perl in openwrt scripts (fixes #2998)
SVN-Revision: 12674
2008-09-23 18:29:44 +00:00
Lars-Peter Clausen
2552e9362b Add @GNOME download source.
SVN-Revision: 12469
2008-09-01 21:46:17 +00:00
Matteo Croce
f5e550f438 use the european kernel.org mirror too
SVN-Revision: 11448
2008-06-12 14:48:32 +00:00