ctubbsii commented on a change in pull request #427:
URL: https://github.com/apache/fluo-muchos/pull/427#discussion_r779362079



##########
File path: lib/muchos/config/base.py
##########
@@ -480,12 +505,26 @@ def checksum_ver(self, software, version):
                         )
 
         key = "{0}:{1}".format(software, version)
+
         if key not in self.checksums_d:
-            exit(
-                "ERROR - Failed to find checksums for {} {} in {}".format(
-                    software, version, self.checksums_path
+            local_tarball_path = self.get_local_tarball_path(software)
+            if local_tarball_path is None or not exists(local_tarball_path):
+                exit(
+                    "ERROR - Failed to find either a valid checksum in {}, "
+                    "or a local tarball to upload for {} {}.".format(
+                        self.checksums_path, software, version
+                    )
                 )
-            )
+            else:
+                # compute and use the checksum for local tarball
+                local_tarball_sha512 = sha512()
+                with open(local_tarball_path, "rb") as tarball_contents:
+                    file_buffer = tarball_contents.read(65536)
+                    while len(file_buffer) > 0:
+                        local_tarball_sha512.update(file_buffer)
+                        file_buffer = tarball_contents.read(65536)
+                return f"sha512:{local_tarball_sha512.hexdigest()}"
+
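
Review bot: In the new `else` branch, the returned `sha512:` value is computed from the same local tarball it is supposed to vouch for, so any downstream check that uses this value will match by construction and a corrupt or modified file is accepted whenever `key not in self.checksums_d`. Consider still requiring an expected checksum for the local tarball (an entry in `self.checksums_path` or an explicitly configured value), comparing the computed digest against it, and calling `exit(...)` on mismatch, so that the fallback does not silently turn verification off. As a smaller style point, the duplicated `tarball_contents.read(65536)` call can be folded into a single loop such as `for chunk in iter(lambda: tarball_contents.read(65536), b""):`.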

Review comment:
       I like the idea of a local tarball that is uploaded, but we still want 
to verify the local tarball isn't corrupt or malicious, so we shouldn't just 
recompute the checksum, but validate it locally before shipping it off to the 
cluster.



