BenBE
commented
1 month ago Security note: MD5 is broken and should not be used for new projects. Please replace by something modern like SHA2 (e.g. SHA2-256 or SHA2-512) or SHA3 (AKA Keccak). See also: CWE-328.
Second: For reasons explained over at https://github.com/cmsis-svd/cmsis-svd/issues/191 I'd recommend the indexer also creating per-directory archives (preferably as both .tar.gz and .tar.zstd). While GZip support is built-in for Python, you'll need additional dependencies for ZStandard; but ZStandard will likely be a lot smaller than plain GZip, thus support for it is warranted.
The current implementation only ensures integrity, but not authenticity. We could use something like ecdsasign for signing index.json to also ensure authenticity.
This is a proposal to index the CMSIS SVD data in the cmsis-svd-data repository for downloader, in response to the cmsis-svd issue #191.
(@BenBE , @brainstorm)