OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, makes for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads.

Instead, opkg first downloads a pair of files: a list of packages, which contains a SHA256 hash of each package, and then a second file containing an Ed25519 signature over that list. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages. It’s a valid approach (the signature protects the list and the hashes in the list protect the packages, so plain HTTP is acceptable as long as every link in that chain is actually checked), but there was a bug, discovered by, in how opkg reads the hash values from the package list. Each hash in the list follows its field name with a separating space, and that leading space triggers some questionable pointer arithmetic; as a result, opkg believes the SHA256 hash is simply blank. A blank expected hash leaves the comparison with nothing to enforce, so the integrity check is effectively skipped, and since the package itself travels over plain HTTP, anyone who can intercept that connection can substitute a package of their own.
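The hash-field parsing bug described above, reconstructed as an added example in C. This is not opkg’s actual source; it is an illustrative parser that tokenizes the value on the next space without first skipping the separator space after the field name, paired with a comparison that treats a blank expected hash as a match, followed by hardened versions of both. The package-index line and both hash values are constructed sample data, and the function names are this example’s own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG "SHA256sum:"
#define SHA256_HEX_LEN 64

/* Constructed sample data: the hash the signed package list says the
 * package should have, and the hash of what an attacker actually served. */
#define GOOD_HASH "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
#define EVIL_HASH "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
#define INDEX_LINE TAG " " GOOD_HASH

/* Vulnerable parser (illustrative): it cuts the value at the next space,
 * but the first character after the tag IS the separator space, so the
 * value it extracts has length 0. Caller frees the result. */
char *parse_sha256_vulnerable(const char *line)
{
    if (strncmp(line, TAG, strlen(TAG)) != 0)
        return NULL;
    const char *val = line + strlen(TAG);   /* points at " e3b0c4..." */
    const char *end = strchr(val, ' ');     /* finds the space at index 0 */
    if (!end)
        end = val + strlen(val);
    size_t len = (size_t)(end - val);       /* 0 for a " <hex>" value */
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, val, len);
    out[len] = '\0';
    return out;
}

/* Vulnerable check: comparing strlen(expected) == 0 bytes compares
 * nothing, so any downloaded package "matches" a blank expected hash. */
int hash_matches_vulnerable(const char *actual, const char *expected)
{
    return strncmp(actual, expected, strlen(expected)) == 0;
}

/* Hardened parser: skip the separator whitespace, then require exactly 64
 * lowercase hex digits followed by nothing but trailing whitespace.
 * Anything else (including a blank value) is rejected, not silently
 * turned into an empty string. Caller frees the result. */
char *parse_sha256_fixed(const char *line)
{
    if (strncmp(line, TAG, strlen(TAG)) != 0)
        return NULL;
    const char *val = line + strlen(TAG);
    while (*val == ' ' || *val == '\t')
        val++;
    size_t len = strspn(val, "0123456789abcdef");
    if (len != SHA256_HEX_LEN)
        return NULL;
    const char *rest = val + len;
    while (*rest == ' ' || *rest == '\t' || *rest == '\r' || *rest == '\n')
        rest++;
    if (*rest != '\0')
        return NULL;
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, val, len);
    out[len] = '\0';
    return out;
}

/* Hardened check: a missing or malformed expected hash is a failure, never
 * a pass, and the comparison always covers the full fixed length. */
int hash_matches_fixed(const char *actual, const char *expected)
{
    if (!actual || !expected)
        return 0;
    if (strlen(actual) != SHA256_HEX_LEN || strlen(expected) != SHA256_HEX_LEN)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < SHA256_HEX_LEN; i++)
        diff |= (unsigned char)(actual[i] ^ expected[i]);
    return diff == 0;
}

int main(void)
{
    char *vuln = parse_sha256_vulnerable(INDEX_LINE);
    char *fixed = parse_sha256_fixed(INDEX_LINE);
    printf("vulnerable parser read expected hash: \"%s\"\n", vuln ? vuln : "(null)");
    printf("vulnerable check accepts attacker package: %d\n",
           hash_matches_vulnerable(EVIL_HASH, vuln ? vuln : ""));
    printf("fixed parser read expected hash: %s\n", fixed ? fixed : "(null)");
    printf("fixed check accepts attacker package: %d\n",
           hash_matches_fixed(EVIL_HASH, fixed));
    free(vuln);
    free(fixed);
    return 0;
}
```

Run it and the vulnerable path reports an empty expected hash and accepts the attacker’s package; the hardened path reads the full hash and rejects it. The design point is in the fixed functions: a parser that cannot produce a blank hash, and a verifier that treats “nothing to compare against” as a failure rather than a pass.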