Display SHA1 sum for downloadable packages.

[phrohdoh]

Suggested by erlehmann from IRC:

From 619e17898fc73f8293fe08921c9160705681e46f Mon Sep 17 00:00:00 2001
From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
Date: Thu, 8 Jan 2015 18:47:44 +0100
Subject: [PATCH] + SHA1 checksums for download page

---
 lib/openra.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/openra.rb b/lib/openra.rb
index 5740892..aaa5717 100644
--- a/lib/openra.rb
+++ b/lib/openra.rb
@@ -44,17 +44,26 @@ def package_name(platform, tag)
     end
 end

+def generate_url_sha1sum(url)
+  require 'digest'
+  require 'net/http'
+  response = Net::HTTP.get(URI.parse(url))
+  Digest::SHA1.hexdigest response
+end
+
 def generate_download_button(platform, github_id, tag, sizes)
   if github_id == "" then
     "<span>No playtest available<br />(release is newer)</span>"
   elsif platform == "source"
     url = DOWNLOAD_GITHUB_BASE_PATH + "archive/#{tag}.tar.gz"
-    sprintf('<a href="%s" title=\"Download %s">Download %s<br />(source package)</a>', url, tag, tag)
+    sha1sum = generate_url_sha1sum url
+    sprintf('<a href="%s" title=\"Download %s">Download %s<br />(source package)<br />SHA1: %s</a>', url, tag, tag, sha1sum)
   else
     package = package_name(platform, tag)
     url = DOWNLOAD_GITHUB_BASE_PATH + "releases/download/" + tag + '/' + package
+    sha1sum = generate_url_sha1sum url
     size = sizes.key?(package) ? sprintf("(%.2f MB)", sizes[package] / 1048576.0) : "(size unknown)"
-    sprintf('<a href="%s" title="Download %s">Download %s<br />%s</a>', url, tag, tag, size)
+    sprintf('<a href="%s" title="Download %s">Download %s<br />%s<br />SHA1: %s</a>', url, tag, tag, size, sha1sum)
   end
 end

--
2.1.3

[Mailaender]

This looks like as if the patch was generated with git. Why not simply send a pull request, @erlehmann?

[erlehmann]

Matthias Mailänder notifications@github.com writes:

This looks like as if the patch was generated with git. Why not simply
send a pull request, @erlehmann?

Because the output of “git request-pull” is a bit longer, but not much
more helpful than a simple patch file.

Nils Dagsson Moskopp // erlehmann
http://dieweltistgarnichtso.net

[Mailaender]

Welcome to the 21st century where we don't exchange patches via mailing lists anymore. =) Seriously, you will also get credited properly in the commit history if you file a pull request yourself so I would advise that. See https://github.com/OpenRA/OpenRAWeb/pulls

[chrisforbes]

On Tue, Jan 27, 2015 at 7:57 AM, Matthias Mailänder <
notifications@github.com> wrote:

Welcome to the 21st century where we don't exchange patches via mailing
lists anymore. =) Seriously, you will also get credited properly in the
commit history if you file a pull request yourself so I would advise that.

Well... about that (pretty much all the critical bits of your system are
still developed that way).

—
Reply to this email directly or view it on GitHub
#182 (comment).

[Mailaender]

I guess git then has a patch import functionality to do that more conveniently?

[chrisforbes]

It does -- you can apply an mbox trivially.

We're getting way off topic now though :)

Let's:

• Have someone (Taryn?) make a PR for this so our normal workflow can be
  used.
• Consider the technical merits of the patch.

On the second point, I'm not a huge believer in delivering SHA1sums
alongside packages UNLESS it's all delivered over HTTPS. It doesn't provide
any meaningful assurance of non-tampering otherwise.

I don't think this is actively harmful though, so a tentative +1.

On Tue, Jan 27, 2015 at 9:21 AM, Matthias Mailänder <
notifications@github.com> wrote:

I guess git then has a patch import functionality to do that more
conveniently?

—
Reply to this email directly or view it on GitHub
#182 (comment).

[pchote]

The problem here is finding a place to put it without messing up the size of the buttons.
It can live on the tooltip, but thats not useful enough to justify its existence (terrible discovery and can't copy the sha1). I'm tempted to say WONTFIX unless somebody has a concrete suggestion on how to make this work.