Validate checksum before using a download file #19

Open
cbandy opened this issue Feb 24, 2017 · 5 comments
cbandy (Owner) commented Feb 24, 2017

Consider caching and --unless-exists argument as well.

```
$ shasum -a 256 oracle-xe-11.2.0-1.0.x86_64.rpm.zip
b5039fad2e4f92c68778dcabbd0b4622a6cb025f25f7d6222f9e9de53ebab531  oracle-xe-11.2.0-1.0.x86_64.rpm.zip
```

jmarton commented Apr 19, 2017

@cbandy where do you want to get the checksum from?
The current OTN XE download page does not have it.

What is the aim of checksum validation: to always have the newest file (XE changes very rarely), or to recognize cache corruption?

cbandy (Owner, Author) commented Apr 19, 2017

Cache corruption. Any pull request (from anyone) can write anything it wants to the cache.

jmarton commented Apr 19, 2017

According to the Travis caching docs, a pull request does not seem to threaten the cache:

> Only modifications made to the cached directories from normal pushes are stored.

Do you have other experiences?

cbandy (Owner, Author) commented Apr 20, 2017

> According to the Travis caching docs, a pull request does not seem to threaten the cache

Oh, excellent! I agree.

> Do you have other experiences?

I do not. You've convinced me that this issue should not block anything about caching.

> where do you want to get the checksum from? The current OTN XE download page does not have it.

This is one of the drawbacks to requiring a checksum. I'm not opposed to keeping/maintaining checksums alongside filenames in the wiki.

@cbandy cbandy modified the milestones: v3.0.0, v2.1.0 Apr 20, 2017
jmarton commented Apr 21, 2017

Instead of putting it in the wiki, what about putting checksums in the repository, e.g. under data/shasums.txt? It should be easier to use for validation, e.g.:

```
# SHA256 sums for Oracle install packages
# Generate entries from the directory containing the install package by running
# shasum -a 256 FILE >>/path/to/data/shasums.txt
b5039fad2e4f92c68778dcabbd0b4622a6cb025f25f7d6222f9e9de53ebab531  oracle-xe-11.2.0-1.0.x86_64.rpm.zip
```

If you agree to this, I'll assemble a PR to do the validation.
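A sketch of the validation step discussed in this thread, added here as an example and not taken from the project or from any participant's pull request. It assumes the `data/shasums.txt` layout proposed above (`<sha256>  <filename>` per line, `#` comments); the function names `sha256_of` and `verify_download` are hypothetical.

```shell
#!/bin/sh
# Added example: check a cached download against a checked-in checksum list
# before using it. Fails closed: a file without a listed checksum is rejected.

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_download FILE SUMS
#   0  FILE's basename is listed in SUMS and the hash matches
#   1  hash mismatch (corrupted or replaced cache entry)
#   2  FILE missing, SUMS unreadable, or no entry for FILE
verify_download() {
  file=$1
  sums=$2
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  name=$(basename "$file")
  # Exact match on the filename column; skip comment lines and tolerate the
  # leading '*' that binary-mode checksum tools put before the name.
  expected=$(awk -v n="$name" '
    /^#/ { next }
    { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }
  ' "$sums" 2>/dev/null) || expected=
  [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
  return 0
}

# Typical use (the variable name is an assumption): discard a bad cache entry
# so the next step downloads a fresh copy.
#   verify_download "$cached_zip" data/shasums.txt || rm -f "$cached_zip"
```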
