From: john at keeping.me.uk (John Keeping)
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Date: Sat, 7 Mar 2015 17:02:59 +0000 [thread overview]
Message-ID: <20150307170259.GI1369@serenity.lan> (raw)
In-Reply-To: <20150307155926.6430.47439@typhoon>
On Sat, Mar 07, 2015 at 04:59:26PM +0100, Lukas Fleischer wrote:
> On Sat, 07 Mar 2015 at 15:46:41, John Keeping wrote:
> > This requires that we save the downloaded file explicitly rather than
> > piping it straight to tar, but that is advisable anyway since it allows
> > us to check the exit status of curl and make sure that we have
> > downloaded the file successfully.
> >
> > Also add a test to make sure we don't forget to update the file when
> > updating our Git version in the future.
> >
> > Signed-off-by: John Keeping <john at keeping.me.uk>
> > ---
> > Makefile | 8 ++++++--
> > git.sha256sum | 1 +
> > tests/t0001-validate-git-versions.sh | 11 +++++++++++
> > 3 files changed, 18 insertions(+), 2 deletions(-)
> > create mode 100644 git.sha256sum
> > [...]
>
> I like the idea, however, sha256sum is not available on all platforms.
> This breaks `make get-git` under OpenBSD, for example (OpenBSD has a
> utility called sha256 with a different command line interface). Maybe we
> can make the check optional, though?
I'm not sure what benefit it has if it's optional. Will anyone check?
Maybe we could do something like:
if type sha256sum >/dev/null 2>&1
then
sha256sum --check git.sha256sum $(GIT_FILE)
else
echo >&2 'WARNING: sha256sum not found so we cannot verify'
echo >&2 'WARNING: the integrity of the Git archive!'
fi
> On a related note, can we download a signature and use `gpg --verify`
> instead (should probably be optional as well, to avoid a dependency on
> GnuPG)?
I thought about that, but we'd have to embed a key with CGit for it to
work reliably and how do we choose what key to use (given that
individual Git archives are not signed - the list of SHA256 checksums
is)?
next prev parent reply other threads:[~2015-03-07 17:02 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-07 14:46 john
2015-03-07 15:59 ` cgit
2015-03-07 17:02 ` john [this message]
2015-03-07 17:49 ` cgit
2015-03-07 18:20 ` john
2015-03-07 23:35 ` tmz
2015-03-08 10:45 ` john
2015-03-09 19:39 ` tmz
2015-03-09 20:49 ` john
2015-03-09 22:32 ` Jason
2015-03-09 22:34 ` Jason
2015-03-09 22:30 ` Jason
2015-03-09 22:42 ` tmz
2015-03-11 15:25 ` mricon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150307170259.GI1369@serenity.lan \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).