You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When downloading a file for the build we should have the expected cryptographic hash (hardcoded) and check that it matches. This goes for the external_deps bundles provided by us as well as the per-dependency source or binary archives used when running external_deps/build.sh. Especially the latter since we can now have various mirrors and want to make sure they are all providing the same thing.
The text was updated successfully, but these errors were encountered:
For the third-party packages downloaded by the build.sh script, the checksums should definitely be part of the Daemon repository. Otherwise it would be too annoying to update a package as someone would have to change it on the server as well. I was thinking to have the checksum as an extra argument to the download function, so that all the changes are in one place.
For the packages released by us, it would be ideal from a security standpoint to hardcode them, but maybe it's too annoying. Having a checksum list on the server would be OK I guess, although it would only protect against accidentally corrupted files, not maliciously changed ones.
When downloading a file for the build we should have the expected cryptographic hash (hardcoded) and check that it matches. This goes for the external_deps bundles provided by us as well as the per-dependency source or binary archives used when running external_deps/build.sh. Especially the latter since we can now have various mirrors and want to make sure they are all providing the same thing.
The text was updated successfully, but these errors were encountered: