[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

List for cgit developers and users
 help / color / mirror / Atom feed

From: cgit at cryptocrack.de (Lukas Fleischer)
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Date: Sat, 07 Mar 2015 16:59:26 +0100	[thread overview]
Message-ID: <20150307155926.6430.47439@typhoon> (raw)
In-Reply-To: <0146555fda82120aa6ff6a7e9761d00d53ced865.1425739601.git.john@keeping.me.uk>

On Sat, 07 Mar 2015 at 15:46:41, John Keeping wrote:
> This requires that we save the downloaded file explicitly rather than
> piping it straight to tar, but that is advisable anyway since it allows
> us to check the exit status of curl and make sure that we have
> downloaded the file successfully.
> 
> Also add a test to make sure we don't forget to update the file when
> updating our Git version in the future.
> 
> Signed-off-by: John Keeping <john at keeping.me.uk>
> ---
>  Makefile                             |  8 ++++++--
>  git.sha256sum                        |  1 +
>  tests/t0001-validate-git-versions.sh | 11 +++++++++++
>  3 files changed, 18 insertions(+), 2 deletions(-)
>  create mode 100644 git.sha256sum
> [...]

I like the idea, however, sha256sum is not available on all platforms.
This breaks `make get-git` under OpenBSD, for example (OpenBSD has a
utility called sha256 with a different command line interface). Maybe we
can make the check optional, though?

On a related note, can we download a signature and use `gpg --verify`
instead (should probably be optional as well, to avoid a dependency on
GnuPG)?

next prev parent reply	other threads:[~2015-03-07 15:59 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-07 14:46 john
2015-03-07 15:59 ` cgit [this message]
2015-03-07 17:02   ` john
2015-03-07 17:49     ` cgit
2015-03-07 18:20       ` john
2015-03-07 23:35         ` tmz
2015-03-08 10:45           ` john
2015-03-09 19:39             ` tmz
2015-03-09 20:49               ` john
2015-03-09 22:32                 ` Jason
2015-03-09 22:34                   ` Jason
2015-03-09 22:30           ` Jason
2015-03-09 22:42             ` tmz
2015-03-11 15:25         ` mricon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150307155926.6430.47439@typhoon \
    --to=cgit@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).