On 01/05/2024 17:48, Brian Inglis via Cygwin-apps wrote:
On 2024-04-30 23:32, ASSI via Cygwin-apps wrote:
Brian Inglis via Cygwin-apps writes:
Some package upstreams offer only checksums, for example .sha512sum, .sha256sum,
for verification rather than gpg signatures, for example .asc, .sig, .sign, etc;
use these checksum files when provided in a similar manner to gpg signatures;
these files are often provided with fixed names which may be renamed on download
to unique values using cygport URI fragment support like #/$NAME-VERSION.sha...sum;
use coreutils cksum as it supports all modern and legacy checksums and formats.
https://repo.or.cz/cygport/rpm-style.git/commitdiff/c956092ce8d90230b812fb05ad2b4da13df1e36d
Two similar independent implementations mean it would be a good idea to
add the feature!
Mine preferred cksum as being the most general approach, while not
worrying or knowing too much about ancient sums, although your
implementation is better, that is, works properly on those.
Mine also preferred sha*sum file types, while still allowing prefixes
only without sum, not enumerating them all in the unpack() case, and
respecting the cksum crc default.
I guess this makes sense as a part of the fetch operation, in those
cases where upstream provides signatures or checksums.
But as briefly discussed in [1], independently of that it would also be
a good idea for cygport to specify its own checksum file, which is
incorporated into the source package, and verified at build prep time.
(Since this would protect against such screw ups, help with build
reproducibility, and defend against supply chain attacks on upstream)
[1] https://cygwin.com/pipermail/cygwin-apps/2024-March/043540.html
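As an added example (not code from this thread or from cygport itself), a POSIX shell sketch of the suffix-driven cksum check Brian describes above, which also covers cksum's CRC default that --check does not handle; the function names checksum_algo and verify_sums, and the assumption that the archive sits beside its checksum file, are mine.

```shell
#!/bin/sh
# Added example, not cygport's own code: verify an upstream source archive
# against a checksum file that was renamed on download (for example to
# $NAME-$VERSION.sha256sum via cygport's #/ URI fragment), picking the digest
# from the checksum file's suffix and falling back to cksum's CRC default.
# Assumes coreutils cksum with -a/--check (9.0 or newer); on older coreutils
# the per-digest *sum tools are used instead. The archive is expected to
# sit in the same directory as the checksum file, as in a cygport distdir.

# checksum_algo FILE: print the digest name implied by FILE's suffix.
checksum_algo() {
    case "$1" in
        *.sha512sum|*.sha512) echo sha512 ;;
        *.sha256sum|*.sha256) echo sha256 ;;
        *.sha1sum|*.sha1)     echo sha1 ;;
        *.md5sum|*.md5)       echo md5 ;;
        *)                    echo crc ;;    # cksum's own default
    esac
}

# verify_sums SUMFILE: return 0 only if every file listed in SUMFILE exists
# beside it and its digest (or CRC and size) matches.
verify_sums() {
    sums=$1
    dir=$(dirname "$sums")
    base=$(basename "$sums")
    algo=$(checksum_algo "$base")
    if [ "$algo" = crc ]; then
        # Legacy "CRC SIZE NAME" lines: cksum offers no --check for CRC, so
        # recompute each entry and compare all three fields.
        while read -r crc size name; do
            [ -n "$name" ] || continue
            [ "$(cd "$dir" && cksum "$name" 2>/dev/null)" = "$crc $size $name" ] \
                || return 1
        done < "$sums"
    elif cksum --help 2>/dev/null | grep -q -- '--algorithm'; then
        (cd "$dir" && cksum -a "$algo" --check "$base") >/dev/null 2>&1
    else
        (cd "$dir" && "${algo}sum" --check "$base") >/dev/null 2>&1
    fi
}

# Usage: sh verify.sh path/to/pkg-1.0.sha256sum
if [ $# -gt 0 ]; then
    verify_sums "$1" && echo "OK: $1" || { echo "FAILED: $1" >&2; exit 1; }
fi
```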