Some platforms only have SHA-1 #368

Closed
ljharb opened this Issue Jan 14, 2015 · 7 comments


ljharb commented Jan 14, 2015

See creationix/nvm#171

Not every system will have the ability to compute sha-256 checksums. Could you also provide SHA-1 checksums alongside the SHA-256 checksums?

This will also allow the code path to remain simple in http://nvm.sh since nodejs.org only provides SHA-1.

DomT4 commented Jan 14, 2015

Could also consider implementing a fallback when sha256sum can't be found. Given OpenSSL's prevalence, it'd be relatively safe to fall back onto that. I can't think of a major platform off of the top of my head that doesn't or can't relatively easily support either OpenSSL or the shasum family; OS X is troublesome because the system OpenSSL is ancient, but may be able to dance with CommonCrypto there.

Not opposed to shipping SHA1sums as well, at all. Just pondering.
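
The fallback suggested in the comment above, sketched as a POSIX shell helper (an added example, not code from nvm or io.js): it tries `sha256sum`, then `shasum -a 256`, then `openssl dgst -sha256`, and checks a file against a checksum list in `<hex>  <filename>` form. The function names, file names and sample checksum list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not nvm/io.js code). Function and file names are hypothetical.

# Print the hex SHA-256 of file $1 using the first tool found.
# Returns 1 if the file is unreadable, 2 if no SHA-256 tool is installed.
sha256_of() {
  [ -r "$1" ] || return 1
  # Each tool reads stdin so the file name never appears in its output.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 < "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    # Output may carry a label before the digest (e.g. "(stdin)= ");
    # the digest is always the last field.
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
  else
    return 2
  fi
}

# Verify file $1 against checksum list $2 ("<hex>  <name>" per line).
# Returns 0 on match, 1 on mismatch or missing entry, 2 when no tool exists,
# so the caller can tell "does not match" apart from "could not check".
verify_sha256() {
  file=$1
  sums=$2
  name=$(basename "$file")
  # Accept both text-mode ("name") and binary-mode ("*name") entries.
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")
  [ -n "$expected" ] || return 1
  actual=$(sha256_of "$file") || return $?
  [ "$actual" = "$expected" ]
}

# Constructed demo: a file containing "abc" and its known SHA-256.
tmp=$(mktemp -d)
printf 'abc' > "$tmp/demo.tar.gz"
printf '%s  %s\n' \
  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
  demo.tar.gz > "$tmp/sums.txt"
if verify_sha256 "$tmp/demo.tar.gz" "$tmp/sums.txt"; then
  echo "checksum OK"
else
  echo "checksum check failed (status $?)"
fi
rm -rf "$tmp"
```

A caller that treats status 2 as "skip verification" ends up in the same position as an installer with checksums disabled, so that policy choice should be explicit rather than a silent default.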

ljharb commented Jan 14, 2015

I guess my concern is that, at the moment, I'll have to ship iojs support with zero checksum support whatsoever. SHA-1 may be less secure than SHA-256, but it's more secure than nothing :-)

Member

rvagg commented Jan 14, 2015

I'm just not convinced there is a platform that our binaries can support that can't do 256 if they can do shasumming at all. CentOS5 is the lowest we go and it doesn't even come with a shasum in its main repos!

Member

rvagg commented Jan 14, 2015

so CentOS6 comes with a shasum by default it seems but there is also a sha256sum installed along with it

Member

rvagg commented Jan 14, 2015

@ljharb ping me on IRC if you want some test machines on these old Linuxes and I can fire up some temporary ones on DigitalOcean for you to test with

ljharb referenced this issue in creationix/nvm Jan 19, 2015

Merged

`io.js` support #616

ljharb added a commit to creationix/nvm that referenced this issue Jan 20, 2015

Merge pull request #616 from ljharb/iojs
Add `io.js` support.

This branch adds support for https://github.com/iojs/io.js / https://iojs.org/

The following features should now work:
 - `nvm install iojs` will install the latest `io.js` version. `nvm ls iojs` and `nvm use iojs` will function as you'd expect.
 - `nvm install node` will install the latest stable `node` version. `nvm ls node` and `nvm use node` will function as you'd expect.
 - In general, a specific `io.js` version can be referenced with the "iojs-" prefix. If `node` were to ever release a `v1.0.0`, `v1.0.0` would refer to `node`, and `iojs-v1.0.0` would refer to `io.js`. In the near future, `node-v1.0.0` will also refer to `node` unambiguously. This applies to all `nvm` commands, including working with aliases and `.nvmrc` files.
 - `io.js`, unlike `node`, does not have a SunOS binary. Please open an issue on https://github.com/iojs/io.js if this is actually a problem for anyone, as currently it seems like this won't be for anybody.

**Note**: checksum support upon installation is currently disabled. Relates to nodejs/node#368.
**Note**: installation of `io.js` directly from source (via the `-s` option) is not yet enabled. This will be added soon.

Relates to nodejs/node#40 nodejs/node#420
Fixes #590

trevnorris added the crypto label Jan 22, 2015

Contributor

chrisdickinson commented Feb 4, 2015

Is this still an extant issue? Should the issue be moved to iojs/build?

Member

rvagg commented Feb 4, 2015

Yes, let's close here, I remain unconvinced there is a case for cluttering up our release directories with more files because (a) there hasn't been an enumeration of systems where sha-1 is available but sha-256 is unavailable and (b) even if such systems can be listed, I really don't believe they are targets for nvm, they are more likely to be production machines where nvm doesn't make much sense.

I do regret being difficult about this but one of the nice things about io.js is that we can make a break with older conventions that have been built up, including things like sticking to ancient versions of V8 because of toolchain concerns and the fact that we've reorganised the way naked Windows binaries are distributed in the /dist/ directory. I see SHASUMS.txt as one of these because the original reason for shipping it is no longer relevant.

i.e. please open an issue on iojs/build if there is still a concern about this but it's going to take some convincing, not just hand-waving and hypotheticals.

rvagg closed this Feb 4, 2015

ljharb referenced this issue in creationix/nvm Mar 7, 2015

Closed

question: checksum currently disabled #687
