As we currently download the actual sources as part of saving the
legal-info, we do not check the hashes of those downloads.
That's because, during legal-info, there is not package involved, and
thus there's no path to an actual .hash file.
However, this precludes legal-info from working in off-line mode. A
subsequent patch will make it possible to do so, and actual sources will
be downloaded as another classical package download.
This will have two consequences:
- first, we will be able to add hashes for actual sources, so we can
ensure their integrity,
- second, and as a direct consequence of the above, when a .hash file
is present, it would have to list all the hashes for that package,
or that would be treated as an error.
Currently, the only package that falls in this case is the external-
toolchain, for which we have means to retrieve the sources for some of
the toolchains.
So we just add hashes for those actual external-toolchain sources we may
have to download.
Those hashes are not used for now, but they'll come into play a few
patches down.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
5b96eb6703