Some platforms only have SHA-1 #368
Comments
|
Could also consider implementing a fallback when Not opposed to shipping SHA1sums as well, at all. Just pondering. |
|
I guess my concern is that, at the moment, I'll have to ship iojs support with zero checksum support whatsoever. SHA-1 may be less secure than SHA-256, but it's more secure than nothing :-) |
|
I'm just not convinced there is a platform that our binaries can support that can't do 256 if they can do shasumming at all. CentOS5 is the lowest we go and it doesn't even come with a |
|
so CentOS6 comes with a |
|
@ljharb ping me on IRC if you want some test machines on these old Linuxes and I can fire up some temporary ones on DigitalOcean for you to test with |
Add `io.js` support. This branch adds support for https://github.com/iojs/io.js / https://iojs.org/ The following features should now work: - `nvm install iojs` will install the latest `io.js` version. `nvm ls iojs` and `nvm use iojs` will function as you'd expect. - `nvm install node` will install the latest stable `node` version. `nvm ls node` and `nvm use node` will function as you'd expect. - In general, a specific `io.js` version can be referenced with the "iojs-" prefix. If `node` were to ever release a `v1.0.0`, `v1.0.0` would refer to `node`, and `iojs-v1.0.0` would refer to `io.js`. In the near future, `node-v1.0.0` will also refer to `node` unambiguously. This applies to all `nvm` commands, including working with aliases and `.nvmrc` files. - `io.js`, unlike `node`, does not have a SunOS binary. Please open an issue on https://github.com/iojs/io.js if this is actually a problem for anyone, as currently it seems like this won't be for anybody. **Note**: checksum support upon installation is currently disabled. Relates to nodejs/node#368. **Note**: installation of `io.js` directly from source (via the `-s` option) is not yet enabled. This will be added soon. Relates to nodejs/node#40 nodejs/node#420 Fixes #590
|
Is this still an extant issue? Should the issue be moved to iojs/build? |
|
Yes, lets close here, I remain unconvinced there is a case for cluttering up our release directories with more files because (a) there hasn't been an enumeration of systems where sha-1 is available but sha-256 is unavailable and (b) even if such systems can be listed, I really don't believe they are targets for nvm, they are more likely to be production machines where nvm doesn't make much sense. I do regret being difficult about this but one of the nice things about io.js is that we can make a break with older conventions that have been built up, including things like sticking to ancient versions of V8 because of toolchain concerns and the fact that we've reorganised the way naked Windows binaries are distributed in the /dist/ directory. I see SHASUMS.txt as one of these because the original reason for shipping it is no longer relevant. i.e. please open an issue on iojs/build if there is still a concern about this but it's going to take some convincing, not just hand-waving and hypotheticals. |
See nvm-sh/nvm#171
Not every system will have the ability to compute sha-256 checksums. Could you also provide SHA-1 checksums alongside the SHA-256 checksums?
This will also allow the code path to remain simple in http://nvm.sh since nodejs.org only provides SHA-1.
The text was updated successfully, but these errors were encountered: