OpenNBS / OpenNoteBlockStudio

An open-source Minecraft music maker.
https://opennbs.org/
MIT License
744 stars 51 forks

Require source link and version when binary files are committed #91

Open Marcono1234 opened 4 years ago

Marcono1234 commented 4 years ago

Is your feature request related to a problem? Please describe.

This project consists of some binary executables and #84 added another one. For these binary files neither the source of them nor version information is provided. This makes it difficult to verify that the files are not malicious. I am not accusing anyone of including malicious files, but I would feel safer if there was a way to easily verify it.

Describe the enhancement you'd like

When a binary file is newly added or replaced the commit message or even better an additional file with meta information should describe:

This would allow others to verify that the file is legit by comparing the checksums.

Bentroen commented 4 years ago

I understand the problem with malicious files, apologies for not having provided a link to the source file. Could you be a bit clearer about "additional file with meta information"? Should this just be a plain text file containing a link to the file and its version?

Marcono1234 commented 4 years ago

After all, this issue is only a suggestion (even though it did not sound like it). It is your project and you decide how it should be :)

> Could you be a bit clearer about "additional file with meta information"?

I don't really know how GameMaker Studio works, though I saw that your datapack export changes added a 7za.exe.yy file. If that allows storing custom information which is not interpreted by GameMaker Studio, like version and download URL, then that could be the solution. Otherwise, for example, if the binary file is named 7za.exe, you could add a 7za.exe.meta file (or similar) which could then contain the information, assuming GameMaker Studio ignores the file.

Choose whatever works best for you. If you think it is enough to have this information in commit messages, then I won't have a problem with that either. It makes it slightly harder to get this information, but it is definitely possible. Though with a separate file it is also easy to forget to update it when replacing / removing the corresponding binary file.
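One way to enforce the sidecar idea discussed in this thread is a repository check that fails when a binary lacks its metadata or no longer matches it. This is an added example, not code from the thread or from the OpenNoteBlockStudio project. The JSON layout of the `.meta` file, its field names (`version`, `source_url`, `sha256`) and the list of binary suffixes are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

BINARY_SUFFIXES = {".exe", ".dll"}  # assumption: which files count as binaries
REQUIRED_FIELDS = ("version", "source_url", "sha256")  # assumed sidecar schema


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(root: Path) -> list[str]:
    """Return one finding per problem; an empty list means the tree is clean."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".meta":
            # Sidecar left behind after its binary was removed or renamed.
            if not path.with_suffix("").exists():
                findings.append(f"{rel}: orphan metadata, binary missing")
            continue
        if path.suffix.lower() not in BINARY_SUFFIXES:
            continue
        meta_path = path.with_name(path.name + ".meta")
        if not meta_path.exists():
            findings.append(f"{rel}: no .meta sidecar")
            continue
        try:
            meta = json.loads(meta_path.read_text(encoding="utf-8"))
        except ValueError:
            meta = None
        if not isinstance(meta, dict):
            findings.append(f"{rel}: sidecar is not a JSON object")
            continue
        missing = [k for k in REQUIRED_FIELDS if not meta.get(k)]
        if missing:
            findings.append(f"{rel}: sidecar lacks {', '.join(missing)}")
        elif str(meta["sha256"]).lower() != sha256_of(path):
            # Binary was replaced without updating the sidecar, or was altered.
            findings.append(f"{rel}: sha256 does not match sidecar")
    return findings


if __name__ == "__main__":
    problems = audit(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    print("\n".join(problems) or "all binaries documented")
    sys.exit(1 if problems else 0)
```

Run as a CI step, this catches the stale-sidecar case raised in the last comment. The recorded hash only has value if a reviewer also compares it with the checksum of the file at `source_url`.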