[ITP] openh264 (2.3.1)

[Jon Turney]

On 14/02/2023 21:21, Takashi Yano via Cygwin-apps wrote:
> On Tue, 14 Feb 2023 17:41:16 +0100
> ASSI wrote:
>> Takashi Yano via Cygwin-apps writes:
>>> Thanks for the advice. I have revised the cygport file.
>>
>> You are getting the file and the hash from the same unprotected source.
>> I was thinking you should put the hash into the cygport file and hence
>> the postinstall script.
>>
>> Also note that the system doing the postinstall will not necessarily
>> have internet access, so you'll need to cope with errors that will
>> produce.
> 
> Thanks.
> 
> The new cygport file attached downloads md5hash during
> the packaging process and embeds it into postinstall
> script. Does this make sense?

Thanks.

So, this looks like it works, and meets the requirements.

Is md5 the only hash available?  This is not really considered "good 
enough" any more.

As a thought-experiment, consider doing it slightly differently:

package contains:
- the headers
- a data file with the version (or maybe URL) and hash
- a script which can fetch (using above data) or remove the DLL
- postinstall and preremove scripts which invoke that script appropriately

(I think this means the post/pre scripts can be static, and packaged via 
$C, rather than written by the cygport itself)

What do you think of that?