Host package checksums on principal host #921

Open
hrj opened this issue Sep 26, 2020 · 1 comment
hrj commented Sep 26, 2020

On the downloads page, there are links to download individual packages and their SHA1 checksums.

These links point to piccolo.link and then to sbt-downloads.cdnedge.bluemix.net. The problem is that the checksums are also linked/hosted on those same sites.

While this arrangement might be useful for error checking, it is not useful for verifying the integrity of the packages.

To enable integrity checking of the downloaded packages, please host the checksums on the same host as the website, ideally by expanding the checksum in the HTML itself.

Alternatively / additionally, you could add a link to the GitHub release page, which has the checksum files (though they get served via GitHub's CDN).

An assumption in my request is that GitHub and scala-sbt.org are well known and hence more trusted by most people.
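The check requested in the issue above, sketched as an added example (not part of the issue and not sbt project code): a checksum only counts toward integrity if it was obtained from a host outside the package's download chain. The file paths, the `TRUSTED_PAGE` URL, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Redirect chain named in the issue; the file paths are constructed placeholders.
ARTIFACT_CHAIN = [
    "https://piccolo.link/sbt-X.Y.Z.tgz",
    "https://sbt-downloads.cdnedge.bluemix.net/sbt-X.Y.Z.tgz",
]
TRUSTED_PAGE = "https://www.scala-sbt.org/download.html"  # assumed downloads-page URL

def host(url):
    return (urlsplit(url).hostname or "").lower()

def parse_digest(text, algo="sha1"):
    """Accept a bare hex digest or sha1sum-style '<hex>  <filename>'."""
    fields = text.split()
    token = fields[0].lower() if fields else ""
    want = hashlib.new(algo).digest_size * 2
    if len(token) != want or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("malformed digest")
    return token

def verify(artifact, artifact_chain, checksum_text, checksum_url, algo="sha1"):
    """Return (ok, reason); the checksum must come from outside the download chain."""
    if urlsplit(checksum_url).scheme != "https":
        return False, "checksum not fetched over https"
    if host(checksum_url) in {host(u) for u in artifact_chain}:
        # Whoever controls this host can swap the package and its checksum together.
        return False, "checksum shares a host with the package"
    try:
        expected = parse_digest(checksum_text, algo)
    except ValueError as exc:
        return False, str(exc)
    actual = hashlib.new(algo, artifact).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"

# Constructed sample data: a genuine package and one altered on the download host.
GENUINE = b"constructed sbt package bytes"
TAMPERED = GENUINE + b" plus altered content"
GENUINE_SUM = hashlib.sha1(GENUINE).hexdigest() + "  sbt-X.Y.Z.tgz\n"
TAMPERED_SUM = hashlib.sha1(TAMPERED).hexdigest() + "  sbt-X.Y.Z.tgz\n"

if __name__ == "__main__":
    print(verify(GENUINE, ARTIFACT_CHAIN, GENUINE_SUM, TRUSTED_PAGE))
    print(verify(TAMPERED, ARTIFACT_CHAIN, TAMPERED_SUM, ARTIFACT_CHAIN[1] + ".sha1"))
    print(verify(TAMPERED, ARTIFACT_CHAIN, GENUINE_SUM, TRUSTED_PAGE))
```

The second call is the case the issue describes: the altered package and its checksum agree with each other, so only the host comparison rejects it.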

@eed3si9n
Member

I addressed the GitHub Releases part here - #922
