CircleCI-Public / terraform-orb

Deploy your infrastructure via a CircleCI pipeline using the Terraform orb. Integrate Infrastructure-as-Code (IaC) to help provision and manage any cloud, infrastructure, or service of your choice.
https://circleci.com/orbs/registry/orb/circleci/terraform
MIT License

Verify download checksum #26

Closed morancj closed 3 years ago

morancj commented 3 years ago

Is your feature request related to a problem? Please describe.
Downloads should be verified against at least their checksums (currently sha256) before execution.

Describe the solution you'd like
Compare the downloaded file to the checksum. If verification fails, retry some number of times, then fail the job.

Describe alternatives you've considered
chtf, which validates the checksums:

https://github.com/Yleisradio/chtf/blob/c34f6265b47dda812cc1936871ed79d250933ed1/chtf/__chtf_terraform-install.sh#L202-L212

tfenv, which validates checksum and GPG signature:

https://github.com/tfutils/tfenv/blob/6d16fa586a991b94b1dcb6dd7e4597b24b8b2a1e/libexec/tfenv-install#L148-L160

terraform-exec: tfinstall, which also doesn't validate the download.

Additional context
Currently, we're using a Docker image for Debian Buster and installing terraform. Addressing this issue would be a step toward allowing us to migrate to this Orb, allowing for a simpler CircleCI customer config.
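The verify-then-retry step requested above, written out as an added example. This is not code from the terraform-orb project or from chtf/tfenv; the function names, the `SHA256SUMS` layout (`<hex digest>  <file name>` per line, as produced by `sha256sum`) and the sample version number `9.9.9` are this example's own assumptions. A file that fails verification is deleted before the next attempt so a later step can never unpack or execute an unverified binary:

```shell
#!/bin/sh
# Added example, not code from the terraform-orb project: verify a downloaded
# Terraform archive against the matching SHA256SUMS entry before it is unpacked
# or executed, retry the download a bounded number of times, and fail the job
# if no attempt verifies. Function and variable names here are assumptions.
set -eu

# sha256_of FILE: print the hex digest, using whichever tool the image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE SUMS_FILE
# Succeeds only when FILE's digest equals the entry recorded for its basename.
# A missing entry is a failure, not "nothing to check".
verify_sha256() {
  _file="$1"; _sums="$2"
  _name="$(basename "$_file")"
  _expected="$(awk -v name="$_name" '$2 == name { print $1 }' "$_sums")"
  if [ -z "$_expected" ]; then
    echo "no checksum entry for $_name in $_sums" >&2
    return 1
  fi
  _actual="$(sha256_of "$_file")"
  [ "$_actual" = "$_expected" ]
}

# download URL DEST: the fetch step. A real pipeline uses curl; a caller may
# redefine this function to source the file from a local mirror instead.
download() {
  curl -fsSL -o "$2" "$1"
}

# fetch_and_verify URL DEST SUMS_FILE [ATTEMPTS]
# Download, verify, retry. Anything that fails verification is removed so it
# cannot be used by accident; after ATTEMPTS failures the job fails.
fetch_and_verify() {
  _url="$1"; _dest="$2"; _sumsfile="$3"; _attempts="${4:-3}"
  _i=1
  while [ "$_i" -le "$_attempts" ]; do
    if download "$_url" "$_dest" && verify_sha256 "$_dest" "$_sumsfile"; then
      echo "checksum verified on attempt $_i"
      return 0
    fi
    echo "attempt $_i of $_attempts failed; discarding $_dest" >&2
    rm -f "$_dest"
    _i=$((_i + 1))
  done
  echo "download never verified after $_attempts attempts; failing the job" >&2
  return 1
}
```

In a pipeline step this would be called as `fetch_and_verify "$RELEASE_URL" terraform.zip SHA256SUMS` after fetching the SHA256SUMS file from the same release. Note the limit of what this proves: matching the digest shows the archive is the one the sums file describes, so the sums file itself has to come from a trusted source; tfenv, linked above, goes one step further and also checks the GPG signature over that file.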

gmemstr commented 3 years ago

Typically we recommend people use a relevant or custom Docker image with the tools required pre-installed, as it helps reduce the overhead of having to install things on-the-fly. Install steps aren't encouraged but are added to help in the case it might really be necessary (e.g. using one of our machine or macos images).

I agree we should checksum stuff we download, and will definitely look at other orbs to see which ones we should incorporate this idea into. However, installing things during runtime in our Docker executor is discouraged :)