ctubbsii commented on a change in pull request #427:
URL: https://github.com/apache/fluo-muchos/pull/427#discussion_r779865502



##########
File path: lib/muchos/config/base.py
##########
@@ -480,12 +505,26 @@ def checksum_ver(self, software, version):
                         )
 
         key = "{0}:{1}".format(software, version)
+
         if key not in self.checksums_d:
-            exit(
-                "ERROR - Failed to find checksums for {} {} in {}".format(
-                    software, version, self.checksums_path
+            local_tarball_path = self.get_local_tarball_path(software)
+            if local_tarball_path is None or not exists(local_tarball_path):
+                exit(
+                    "ERROR - Failed to find either a valid checksum in {}, "
+                    "or a local tarball to upload for {} {}.".format(
+                        self.checksums_path, software, version
+                    )
                 )
-            )
+            else:
+                # compute and use the checksum for local tarball
+                local_tarball_sha512 = sha512()
+                with open(local_tarball_path, "rb") as tarball_contents:
+                    file_buffer = tarball_contents.read(65536)
+                    while len(file_buffer) > 0:
+                        local_tarball_sha512.update(file_buffer)
+                        file_buffer = tarball_contents.read(65536)
+                return f"sha512:{local_tarball_sha512.hexdigest()}"
+
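Review bot: In the new `else:` branch, `return f"sha512:{local_tarball_sha512.hexdigest()}"` hands back a digest computed from the very tarball it is meant to vouch for, so any later comparison against this value passes for whatever bytes are at `local_tarball_path`, including a corrupted or substituted file. I would keep the `exit(...)` whenever `key not in self.checksums_d` unless the user has explicitly opted in to an unverified local tarball, and print a warning naming `local_tarball_path` when the computed value is used. Separately, the two `tarball_contents.read(65536)` calls could be a single loop with the chunk size in a named constant, and a short comment on `checksum_ver` should say that a returned checksum may now be self-derived rather than taken from `self.checksums_path`.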

Review comment:
I'm just thinking about how fluo-uno works: if the file is already
downloaded, it won't download it again. However, it does always verify the
local file's checksum before using it.

If we merely verify a checksum we've computed ourselves, we're not doing
anything to ensure the artifacts themselves are legitimate.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
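
The distinction drawn in the review comment, as an added example (not code from fluo-muchos or fluo-uno): a checksum pinned independently of the local file rejects a modified tarball, while a checksum derived from the file itself always matches. The `software:version:algorithm:hexdigest` entry format, the function names and the sample bytes are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
import tempfile

def load_pinned(text):
    """Parse whitespace-separated 'software:version:algorithm:hexdigest' entries (assumed format)."""
    pinned = {}
    for entry in text.split():
        software, version, algorithm, digest = entry.split(":")
        pinned[(software, version)] = (algorithm, digest.lower())
    return pinned

def file_digest(path, algorithm="sha512", chunk_size=65536):
    """Stream the file through the named hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tarball(path, software, version, pinned):
    """Fail closed: a missing pinned entry or a mismatch means the file is not used."""
    if (software, version) not in pinned:
        raise LookupError(f"no pinned checksum for {software} {version}")
    algorithm, expected = pinned[(software, version)]
    actual = file_digest(path, algorithm)
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{algorithm} mismatch for {path}")
    return f"{algorithm}:{actual}"

def self_derived_check(path):
    """The expected value comes from the file under test, so this is always True."""
    return file_digest(path) == file_digest(path)

def demo():
    """Constructed data: the pinned digest covers one payload, the local file holds another."""
    published = b"constructed release bytes"
    pinned = load_pinned("demo:1.0:sha512:" + hashlib.sha512(published).hexdigest())
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(published + b" modified after download")
        try:
            verify_tarball(path, "demo", "1.0", pinned)
            pinned_result = "accepted"
        except ValueError:
            pinned_result = "rejected"
        return self_derived_check(path), pinned_result
```

`demo()` returns `(True, "rejected")`: the self-derived check passes on the modified file, and the pinned check refuses it.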
