chocolatey-community / chocolatey-au

Chocolatey Automatic Package Updater Module
GNU General Public License v2.0

Remove automatic checksumming #40

Open TheCakeIsNaOH opened 8 months ago

TheCakeIsNaOH commented 8 months ago

One potential improvement to make before releasing a version of chocolatey-au would be to remove automatic checksumming. https://github.com/chocolatey-community/chocolatey-au/blob/c28a2fd28a20153cfc8d378253e6c61ded5e4d48/AU/Public/Update-Package.ps1#L114-L201

The current automatic checksumming implementation uses monkey patching to modify the chocolateyInstall.psm1 module, and then executes the package's chocolateyInstall.ps1 to download the installer. This is a bad idea for a number of reasons:

  1. It relies on Chocolatey CLI not changing the format or method of operation of the chocolateyInstall.psm1 module.
  2. It relies on the chocolateyInstall.ps1 package script not having any other operations besides the call to the PowerShell helper, or in cases where there is another call (adding desktop shortcuts, etc.), then those will happen.
  3. It is non-obvious that this is how the automatic checksumming works.
  4. It does not work on non-Windows systems.

The automatic checksumming can be replaced by adding an au_BeforeUpdate function to each update.ps1 (that needs it, embedded packages do not) to explicitly get the checksums. There is an example function below:

function global:au_BeforeUpdate {
    $Latest.Checksum32 = Get-RemoteChecksum $Latest.URL32
    $Latest.Checksum64 = Get-RemoteChecksum $Latest.URL64
}

The downside of this is that it would be a significant breaking change from the way AU currently does things. Additionally, if the download is more complex, it may require a complex au_BeforeUpdate which duplicates code from the chocolateyInstall.ps1, for example the ddu package requires a referrer page to be downloaded first: https://github.com/tunisiano187/Chocolatey-packages/blob/58fe4dcc9d3ededdec31593c6a04a37dde22984a/automatic/ddu/tools/chocolateyInstall.ps1#L8
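
Added example (not part of the original comment, and not code from chocolatey-au or the ddu package): an au_BeforeUpdate for the referrer case described above, computing the checksum explicitly with Invoke-WebRequest and Get-FileHash. The helper name Get-ChecksumWithReferer and the $Latest.Referer key are hypothetical, and the HTTPS check is this example's own policy choice.

```powershell
# Hypothetical helper: download a file while sending a Referer header,
# then return its lowercase hash. Not part of the AU module.
function Get-ChecksumWithReferer {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $Referer,
        [ValidateSet('SHA256', 'SHA512')] [string] $Algorithm = 'SHA256'
    )
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        $request = @{
            Uri             = $Url
            Headers         = @{ Referer = $Referer }
            OutFile         = $tmp
            UseBasicParsing = $true
            ErrorAction     = 'Stop'   # an HTTP error must abort the update
        }
        Invoke-WebRequest @request
        # Never record the hash of an empty response body.
        if ((Get-Item $tmp).Length -eq 0) {
            throw "Empty download from $Url; refusing to record a checksum."
        }
        (Get-FileHash -Path $tmp -Algorithm $Algorithm).Hash.ToLowerInvariant()
    }
    finally {
        Remove-Item $tmp -Force -ErrorAction SilentlyContinue
    }
}

function global:au_BeforeUpdate {
    # Assumption: au_GetLatest returned URL32/URL64 and a Referer key.
    foreach ($arch in '32', '64') {
        $url = $Latest["URL$arch"]
        if (-not $url) { continue }   # package ships only one architecture
        # Example policy: only hash downloads fetched over HTTPS.
        if ($url -notmatch '^https://') { throw "Refusing non-HTTPS download URL: $url" }
        $Latest["Checksum$arch"]     = Get-ChecksumWithReferer -Url $url -Referer $Latest.Referer
        $Latest["ChecksumType$arch"] = 'sha256'
    }
}
```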

tunisiano187 commented 6 months ago

Hello, just my opinion, but it's currently possible to say checksumfor none for local, but the checksums are still relevant for the VERIFICATION.txt file.

I think it's interesting to keep it.

TheCakeIsNaOH commented 6 months ago

> it's currently possible to say checksumfor none for local, but the checksums are still relevant for the VERIFICATION.txt file.

The checksums are automatically found when using Get-RemoteFiles if I remember correctly, so the automatic checksumming is non-applicable for packages that have embedded binaries with a VERIFICATION.txt.

AdmiringWorm commented 3 months ago

I'm coming across this issue now; this wasn't something we added in the initial release of chocolatey-au as we wanted it to be (for the most part) a drop-in replacement for the original au module.

With that said, it makes sense to remove this functionality. There will be a point in the future where this functionality will no longer work due to the monkey patching of the PowerShell scripts and planned changes to Chocolatey CLI.

I recommend anyone currently using the automatic checksum feature to switch over to use Get-RemoteChecksum for non-embedded packages, and Get-RemoteFiles for embedded packages when possible.

TheCakeIsNaOH commented 3 months ago

Would it make sense to deprecate it with a warning message? Possibly added to the same place as the message from https://github.com/chocolatey-community/chocolatey-au/issues/57