
Missing checksum verification #468

Closed
@dholbach


From Ada Logics

In the source-controller checksums are calculated when fetching artifacts from S3 stores (bucket_reconciler.go) and git repositories (gitrepository_controller.go). Specifically, the checksum is calculated here:

artifact.Checksum = fmt.Sprintf("%x", h.Sum(nil))

This function is called by both the git repository reconciler and the bucket reconciler, but it is never checked in the reconcilers despite comments indicating “check integrity”:

// archive artifact and check integrity

We assume this integrity check should be matched with data from the source where you download and that is a good idea. However, there is never any check on the checksums calculated.
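An added example, not source-controller's own code, of the check the issue says is missing: the digest is computed while the artifact is written and then compared with the digest published by the source. `archiveAndVerify` and `ErrChecksumMismatch` are hypothetical names, and SHA-256 and the availability of an expected digest are assumptions, since the issue names neither.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrChecksumMismatch reports that the stored bytes do not hash to the expected digest.
var ErrChecksumMismatch = errors.New("artifact checksum mismatch")

// archiveAndVerify (hypothetical helper) copies src into dst while hashing it,
// then compares the digest with the one published by the source.
// The computed hex digest is returned so the caller can record it.
func archiveAndVerify(dst io.Writer, src io.Reader, expectedHex string) (string, error) {
	h := sha256.New() // assumption: SHA-256; the issue does not name the hash
	if _, err := io.Copy(io.MultiWriter(dst, h), src); err != nil {
		return "", fmt.Errorf("copy artifact: %w", err)
	}
	sum := h.Sum(nil)
	got := fmt.Sprintf("%x", sum) // same formatting as the line quoted in the issue
	want, err := hex.DecodeString(strings.TrimSpace(expectedHex))
	if err != nil || len(want) != sha256.Size {
		return got, fmt.Errorf("expected checksum is not a SHA-256 hex digest: %q", expectedHex)
	}
	if subtle.ConstantTimeCompare(sum, want) != 1 {
		return got, fmt.Errorf("%w: got %s, want %s", ErrChecksumMismatch, got, expectedHex)
	}
	return got, nil
}

func main() {
	payload := []byte("constructed sample artifact\n") // constructed input
	good := fmt.Sprintf("%x", sha256.Sum256(payload))
	var out bytes.Buffer
	sum, err := archiveAndVerify(&out, bytes.NewReader(payload), good)
	fmt.Println(sum, err)
	// A single flipped bit in transit must be rejected.
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01
	_, err = archiveAndVerify(io.Discard, bytes.NewReader(tampered), good)
	fmt.Println(errors.Is(err, ErrChecksumMismatch))
}
```

The caller should treat any returned error as a failed reconciliation and discard what was written to `dst`.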
