python-for-android icon indicating copy to clipboard operation
python-for-android copied to clipboard
verified publisher icon kivy

verify downloads using sha256?

Open obfusk opened this issue 5 years ago • 5 comments

Most recipe downloads use https -- but some use http! -- which should provide reasonable security for most scenarios. But IMHO best practice would be to verify sha256 hashes "just in case". And always for for http downloads!

I'm not sure how to handle the case where the user specifies a different version yet. Might be good to have a mapping of (historical) versions to shasums instead of only the sum for the latest version?

(This would replace the current -- seldomly used -- md5sum.)

obfusk avatar Aug 11 '20 13:08 obfusk

Thank you for bringing it to the discussion. I think we're better of simply moving all the remaining http to https

AndreMiras avatar Aug 11 '20 20:08 AndreMiras

I think we're better of simply moving all the remaining http to https

FYI: the official libxml2 site doesn't have working https. Downloading from gitlab or github should work though.

obfusk avatar Aug 11 '20 20:08 obfusk

Shame on them, yes I'd definitely go for gitlab/github then

AndreMiras avatar Aug 11 '20 20:08 AndreMiras

#2351

fuzzyTew avatar Nov 10 '20 01:11 fuzzyTew

#2351 has been merged; sha256sum may work in recipes now.

fuzzyTew avatar Nov 15 '20 11:11 fuzzyTew