...

[
    {
        "packagename": "string",    // Required: Final filename in rootfs
        "srcuri": "string",         // Required: Source URL or file path
        "sha256sum": "string"       // Optional: SHA256 hash for verification
    }
]

...

[
    {
        "packagename": "refui-5.0.20.bolt",
        "srcuri": "https://github.com/rdkcentral/rdke-refui/releases/download/5.0.20/refui-5.0.20.bolt",
        "sha256sum": "b0f3d00e1deb505a8f95e1ae9e4f88314a68665edccbb1a87ce0867a235e2a6b"
    },
    {
        "packagename": "wpe-webkit-browser.bolt",
        "srcuri": "https://artifactory.example.com/wpe-browser/latest.bolt",
        "sha256sum": "5d6c176b0c95f637da79e125f704aa5d2d8903663761f277e6674a0121cdaec5"
    },
    {
        "packagename": "lightning-ui.bolt",
        "srcuri": "file:///home/jenkins/workspace/builds/lightning-ui.bolt",
        "sha256sum": "a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890"
    },
    {
        "packagename": "experimental-app.bolt",
        "srcuri": "https://nightly.example.com/latest/app.bolt",
        "sha256sum": "a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890"
    }
]

Field Description

| Field | Type | Required | Description |
|---|---|---|---|
| packagename | string | Yes | Final filename when installed in rootfs. Must not contain directory traversal characters (., /, \) |
| srcuri | string | Yes | Supports: http://, https://, ftp://, ftps://, file://, or absolute paths |
| sha256sum | string | No | SHA256 hash for integrity verification. If empty, verification is skipped (warning issued) |

BitBake Class Implementation

...

  1. Transparent: JSON file shows exactly what's being installed
  2. Verifiable: SHA256 ensures package integrity
  3. Flexible: Easy to swap package sources
  4. Simple Updates: Change JSON without modifying recipes
  5. Testing: Easy to test different package versions

Security Considerations

  1. SHA256 Verification
    •    Mandatory for production: Always provide SHA256 hashes for production builds
    •    Development flexibility: Can omit SHA for development (warning issued)
    •    Tamper detection: Build fails if downloaded file doesn't match hash
  2. Directory Traversal Protection
    •    Package names validated to prevent ../ attacks
    •    Cannot install outside designated directory
  3. File Permissions
    •    Files installed with 0644 permissions (rw-r--r--)
    •    No execute permissions by default
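
A pre-build manifest check following the field rules and security considerations above, as an added example (it is not the BitBake class's own code, which this page does not show). The function names, the problem strings, the `production` switch, the reading of the traversal rule as "plain filename only", and the sample manifest are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps", "file"}  # from the field table
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

def validate_entry(entry, production=False):
    """Return a list of problems for one manifest entry (empty list means OK)."""
    problems = []
    name = entry.get("packagename", "")
    # Assumed interpretation of the traversal rule: a plain filename only.
    if not name or "/" in name or "\\" in name or ".." in name or name == ".":
        problems.append("packagename is not a plain filename")
    uri = entry.get("srcuri", "")
    scheme = urlparse(uri).scheme
    if scheme not in ALLOWED_SCHEMES and not (scheme == "" and uri.startswith("/")):
        problems.append("srcuri scheme not supported")
    digest = entry.get("sha256sum", "")
    if not digest:
        if production:  # an omitted hash is only tolerated in development
            problems.append("sha256sum missing")
    elif not SHA256_RE.fullmatch(digest):
        problems.append("sha256sum is not 64 hex characters")
    return problems

def verify_file(path, expected_hex):
    """Stream the file through SHA256 and compare with the manifest value."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.lower())

def check_manifest(text, production=False):
    """Map each packagename to its list of problems."""
    return {e.get("packagename", "?"): validate_entry(e, production)
            for e in json.loads(text)}

# Constructed sample manifest (not from the page).
SAMPLE = json.dumps([
    {"packagename": "ok.bolt", "srcuri": "https://example.com/ok.bolt",
     "sha256sum": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"packagename": "../etc/evil.bolt", "srcuri": "gopher://example.com/x",
     "sha256sum": "abc123"},
    {"packagename": "dev.bolt", "srcuri": "/home/build/dev.bolt", "sha256sum": ""},
])
```

Running `check_manifest(SAMPLE, production=True)` before the fetch step lets a CI job reject a manifest with a missing or malformed hash without downloading anything; `verify_file` then covers the tamper-detection step on the fetched file.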