Checksums for releases #1858
Comments
|
How would you use them? |
|
As verification for a scoop package: https://github.com/ScoopInstaller/Main/pull/6400/files |
|
I think build systems should hardcode the values of what is fetched the first time because the hash file could maliciously change. Are you saying that it would be useful for this one-time/initial use case situation? |
|
More on scoop package manager. Let's take uv as an example again. It's already been accepted into the scoop bucket: The location of the checksum asset is defined at: A daily Github action in the scoop repo would use the configuration defined in the uv.json file and parse/extract the data from the latest uv release Github page. It would then use the hashes defined in the .sha256 file and update the hashes in in the $.architecture.64bit.hash section of scoop's uv.json. These hashes are therefore hardcoded, but this is automatically done in a Github action for every new release of the package. Also, obviously, it's not a one-time situation. This ensures that if an end-user executes |
|
I'm hesitant to do that because I view it as a suboptimal security practice. Release artifacts are not like Git commits and can be replaced at any time without notice. Therefore, someone could maliciously update the artifact + hash file and the process you describe would put users at risk. This is why I view not using external hashes as the proper approach. Does that make sense? |
Hi,
Just a request to add checksums (sha256?) to the releases on the Github page, e.g. on https://github.com/pypa/hatch/releases/tag/hatch-v1.14.0
Compare to what uv does: https://github.com/astral-sh/uv/releases/tag/0.5.9 in their sha256.sum asset.
thanks
The text was updated successfully, but these errors were encountered: