Missing checksum verification

[dholbach]

From Ada Logics

In the source-controller checksums are calculated when fetching artifacts from S3 stores (bucket_reconciler.go) and git repositories (gitrepository_controller.go). Specifically, the checksum is calculated here:

source-controller/controllers/storage.go

Line 272 in d7afc35

artifact.Checksum = fmt.Sprintf("%x", h.Sum(nil))

This function is called by both the git repository reconciler and the bucket reconciler, but it is never checked in the reconcilers despite comments indicating “check integrity”. -

source-controller/controllers/gitrepository_controller.go

Line 350 in d7afc35

// archive artifact and check integrity

We assume this integrity check should be matched with data from the source where you download and that is a good idea. However, there is never any check on the checksums calculated.

[stefanprodan]

Implemented in https://github.com/fluxcd/flux2/releases/tag/v0.23.0