You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thanks so much for maintaining these distributions!
In the README, various URLs are pointed to. As an example, https://deb.nodesource.com/setup_8.x is the script for downloading. Ideally, it'd be good to be able to do some level of integrity checking on that file itself.
Currently, I've hashed the existing contents of that file using sha256sum, and am comparing that to what gets downloaded. Ideally, I'd like to make it so that the the automation I'm doing won't suddenly start falling over if setup_8.x gets updated.
How likely is setup_8.x to get updated in the future?
Those setup scripts get updated all the time, probably several times a month on average, generally to add more aliases for additional Debian / Ubuntu based distros. I don't know of any good way to verify the integrity of that file itself over time other than making sure you fetch it over HTTPS (which you have to because of GitHub) and using DNSSEC to increase the security around possible DNS spoofing.
If this is a concern to you, I'd recommend just setting up the repo(s) manually. We're not doing anything particularly interesting with those setup scripts, so this isn't very much work to implement yourself.
Thanks so much for maintaining these distributions!
In the README, various URLs are pointed to. As an example, https://deb.nodesource.com/setup_8.x is the script for downloading. Ideally, it'd be good to be able to do some level of integrity checking on that file itself.
Currently, I've hashed the existing contents of that file using sha256sum, and am comparing that to what gets downloaded. Ideally, I'd like to make it so that the the automation I'm doing won't suddenly start falling over if setup_8.x gets updated.
How likely is setup_8.x to get updated in the future?
CC @indygreg
The text was updated successfully, but these errors were encountered: