Hi Pádraig,

> Similar functionality was discussed a long time ago as listed at:
> https://www.gnu.org/software/coreutils/rejected_requests.html#checksum
> specifically https://bugs.gnu.org/13243

This doesn't seem similar.
My proposal is about verifying the checksum, while the rejected proposal from 2012 was about producing the checksum.

> Now I do agree checking the stream is more concise with this option
> than using existing tools, but I'm not sure it's warranted.
> With existing tools you'd have:
>
>   tmpf=$(mktemp) && curl -fs https://example.com/install.sh > "$tmpf" \
>   && sha256sum --status --check <(echo deadbeef -) < "$tmpf" && sh "$tmpf";
>   rm "$tmpf"

Yes, but this is too complicated and ugly.
I have never seen this pattern actually used in the wild.

> BTW I don't fully understand the use case. I presume it's not for security
> as if one could compromise the install.sh, presumably one could
> compromise the checksum in the instructions. So I'm presuming it's
> for extra resiliency or something?

The instructions are often duplicated to third-party documents, blogs, books, etc., and also archived in web.archive.org.
So there is a huge chance that the compromise of the checksum can be detected.

Also, the --check-stream option should be useful for fetching content from raw.githubusercontent.com in a more trustworthy way.

* Before: curl https://raw.githubusercontent.com/ORG/REPO/**COMMIT_HASH**/FILE
* After: curl https://raw.githubusercontent.com/ORG/REPO/**TAG_NOT_HASH**/FILE | sha256sum --check-stream=CHECKSUM

The point is that `COMMIT_HASH` may not belong to `ORG/REPO` (surprisingly), while `TAG_NOT_HASH` always belongs to `ORG/REPO`.

Demo:

$ curl https://raw.githubusercontent.com/coreutils/coreutils/3f14424117fe112c3a4688f245cb7749a7a70a4f/DEMO-20241216
Demo file for the discussion in the "[PATCH] cksum: add --check-stream=CHECKSUM flag" thread.
(https://lists.gnu.org/archive/html/coreutils/2024-12/msg00005.html)

This file will be visible via <https://raw.githubusercontent.com/coreutils/coreutils/.../DEMO-20241216>.
However, this file does not really belong to the <https://github.com/coreutils/coreutils> repo.

Regards,
Akihiro Suda
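
Added example, not part of the original message or of the proposed patch: the verify-before-execute pattern discussed in this thread, written as a reusable filter with today's tools. The helper name `verify_stream` is hypothetical and the sample script is constructed; the function buffers the stream like the quoted temp-file one-liner, so the consumer never receives bytes whose SHA-256 has not matched.

```shell
#!/bin/sh
# Usage: producer | verify_stream EXPECTED_SHA256_HEX | consumer
# verify_stream is a hypothetical helper, not a coreutils command.
verify_stream() {
    # Normalise the pinned digest to lower case and validate its shape.
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|'') echo "verify_stream: bad digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_stream: bad digest length" >&2; return 2; }

    tmpf=$(mktemp) || return 2
    # Buffer the whole stream first: nothing is forwarded until it is verified.
    if ! cat > "$tmpf"; then rm -f "$tmpf"; return 2; fi

    actual=$(sha256sum < "$tmpf" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        cat "$tmpf"; rc=$?
    else
        echo "verify_stream: checksum mismatch (got $actual)" >&2
        rc=1
    fi
    rm -f "$tmpf"
    return "$rc"
}

# Constructed sample: a one-line script whose digest is computed locally,
# standing in for a checksum pinned in installation instructions.
sample='echo hello'
digest=$(printf '%s\n' "$sample" | sha256sum | cut -d' ' -f1)

# Matching content reaches the shell and runs.
printf '%s\n' "$sample" | verify_stream "$digest" | sh

# Altered content is dropped: sh receives an empty stream and runs nothing.
printf '%s\n' 'echo tampered' | verify_stream "$digest" | sh
```

In a pipeline ending in `| sh` the exit status is that of `sh`, so a mismatch is visible only on stderr unless the shell supports `set -o pipefail`.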