New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Display SHA1 sum for downloadable packages. #182

Closed
Phrohdoh opened this Issue Jan 8, 2015 · 7 comments

Comments

Projects
None yet
5 participants
@Phrohdoh
Member

Phrohdoh commented Jan 8, 2015

Suggested by erlehmann from IRC:

From 619e17898fc73f8293fe08921c9160705681e46f Mon Sep 17 00:00:00 2001
From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
Date: Thu, 8 Jan 2015 18:47:44 +0100
Subject: [PATCH] + SHA1 checksums for download page

---
 lib/openra.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/openra.rb b/lib/openra.rb
index 5740892..aaa5717 100644
--- a/lib/openra.rb
+++ b/lib/openra.rb
@@ -44,17 +44,26 @@ def package_name(platform, tag)
     end
 end

+def generate_url_sha1sum(url)
+  require 'digest'
+  require 'net/http'
+  response = Net::HTTP.get(URI.parse(url))
+  Digest::SHA1.hexdigest response
+end
+
 def generate_download_button(platform, github_id, tag, sizes)
   if github_id == "" then
     "<span>No playtest available<br />(release is newer)</span>"
   elsif platform == "source"
     url = DOWNLOAD_GITHUB_BASE_PATH + "archive/#{tag}.tar.gz"
-    sprintf('<a href="%s" title=\"Download %s">Download %s<br />(source package)</a>', url, tag, tag)
+    sha1sum = generate_url_sha1sum url
+    sprintf('<a href="%s" title=\"Download %s">Download %s<br />(source package)<br />SHA1: %s</a>', url, tag, tag, sha1sum)
   else
     package = package_name(platform, tag)
     url = DOWNLOAD_GITHUB_BASE_PATH + "releases/download/" + tag + '/' + package
+    sha1sum = generate_url_sha1sum url
     size = sizes.key?(package) ? sprintf("(%.2f MB)", sizes[package] / 1048576.0) : "(size unknown)"
-    sprintf('<a href="%s" title="Download %s">Download %s<br />%s</a>', url, tag, tag, size)
+    sprintf('<a href="%s" title="Download %s">Download %s<br />%s<br />SHA1: %s</a>', url, tag, tag, size, sha1sum)
   end
 end

--
2.1.3
@Mailaender

This comment has been minimized.

Show comment
Hide comment
@Mailaender

Mailaender Jan 25, 2015

Member

This looks like as if the patch was generated with git. Why not simply send a pull request, @erlehmann?

Member

Mailaender commented Jan 25, 2015

This looks like as if the patch was generated with git. Why not simply send a pull request, @erlehmann?

@erlehmann

This comment has been minimized.

Show comment
Hide comment
@erlehmann

erlehmann Jan 26, 2015

Matthias Mailänder notifications@github.com writes:

This looks like as if the patch was generated with git. Why not simply
send a pull request, @erlehmann?

Because the output of “git request-pull” is a bit longer, but not much
more helpful than a simple patch file.

Nils Dagsson Moskopp // erlehmann
http://dieweltistgarnichtso.net

erlehmann commented Jan 26, 2015

Matthias Mailänder notifications@github.com writes:

This looks like as if the patch was generated with git. Why not simply
send a pull request, @erlehmann?

Because the output of “git request-pull” is a bit longer, but not much
more helpful than a simple patch file.

Nils Dagsson Moskopp // erlehmann
http://dieweltistgarnichtso.net

@Mailaender

This comment has been minimized.

Show comment
Hide comment
@Mailaender

Mailaender Jan 26, 2015

Member

Welcome to the 21st century where we don't exchange patches via mailing lists anymore. =) Seriously, you will also get credited properly in the commit history if you file a pull request yourself so I would advise that. See https://github.com/OpenRA/OpenRAWeb/pulls

Member

Mailaender commented Jan 26, 2015

Welcome to the 21st century where we don't exchange patches via mailing lists anymore. =) Seriously, you will also get credited properly in the commit history if you file a pull request yourself so I would advise that. See https://github.com/OpenRA/OpenRAWeb/pulls

@chrisforbes

This comment has been minimized.

Show comment
Hide comment
@chrisforbes

chrisforbes Jan 26, 2015

Member

On Tue, Jan 27, 2015 at 7:57 AM, Matthias Mailänder <
notifications@github.com> wrote:

Welcome to the 21st century where we don't exchange patches via mailing
lists anymore. =) Seriously, you will also get credited properly in the
commit history if you file a pull request yourself so I would advise that.

Well... about that (pretty much all the critical bits of your system are
still developed that way).


Reply to this email directly or view it on GitHub
#182 (comment).

Member

chrisforbes commented Jan 26, 2015

On Tue, Jan 27, 2015 at 7:57 AM, Matthias Mailänder <
notifications@github.com> wrote:

Welcome to the 21st century where we don't exchange patches via mailing
lists anymore. =) Seriously, you will also get credited properly in the
commit history if you file a pull request yourself so I would advise that.

Well... about that (pretty much all the critical bits of your system are
still developed that way).


Reply to this email directly or view it on GitHub
#182 (comment).

@Mailaender

This comment has been minimized.

Show comment
Hide comment
@Mailaender

Mailaender Jan 26, 2015

Member

I guess git then has a patch import functionality to do that more conveniently?

Member

Mailaender commented Jan 26, 2015

I guess git then has a patch import functionality to do that more conveniently?

@chrisforbes

This comment has been minimized.

Show comment
Hide comment
@chrisforbes

chrisforbes Jan 26, 2015

Member

It does -- you can apply an mbox trivially.

We're getting way off topic now though :)

Let's:

  • Have someone (Taryn?) make a PR for this so our normal workflow can be
    used.
  • Consider the technical merits of the patch.

On the second point, I'm not a huge believer in delivering SHA1sums
alongside packages UNLESS it's all delivered over HTTPS. It doesn't provide
any meaningful assurance of non-tampering otherwise.

I don't think this is actively harmful though, so a tentative +1.

On Tue, Jan 27, 2015 at 9:21 AM, Matthias Mailänder <
notifications@github.com> wrote:

I guess git then has a patch import functionality to do that more
conveniently?


Reply to this email directly or view it on GitHub
#182 (comment).

Member

chrisforbes commented Jan 26, 2015

It does -- you can apply an mbox trivially.

We're getting way off topic now though :)

Let's:

  • Have someone (Taryn?) make a PR for this so our normal workflow can be
    used.
  • Consider the technical merits of the patch.

On the second point, I'm not a huge believer in delivering SHA1sums
alongside packages UNLESS it's all delivered over HTTPS. It doesn't provide
any meaningful assurance of non-tampering otherwise.

I don't think this is actively harmful though, so a tentative +1.

On Tue, Jan 27, 2015 at 9:21 AM, Matthias Mailänder <
notifications@github.com> wrote:

I guess git then has a patch import functionality to do that more
conveniently?


Reply to this email directly or view it on GitHub
#182 (comment).

@pchote

This comment has been minimized.

Show comment
Hide comment
@pchote

pchote Mar 26, 2016

Member

The problem here is finding a place to put it without messing up the size of the buttons.
It can live on the tooltip, but thats not useful enough to justify its existence (terrible discovery and can't copy the sha1). I'm tempted to say WONTFIX unless somebody has a concrete suggestion on how to make this work.

Member

pchote commented Mar 26, 2016

The problem here is finding a place to put it without messing up the size of the buttons.
It can live on the tooltip, but thats not useful enough to justify its existence (terrible discovery and can't copy the sha1). I'm tempted to say WONTFIX unless somebody has a concrete suggestion on how to make this work.

@Mailaender Mailaender closed this Mar 27, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment