cormullion / juliamono

repository for JuliaMono, a monospaced font with reasonable Unicode support.
https://juliamono.netlify.app/
SIL Open Font License 1.1
1.4k stars 29 forks

Give checksums for each released file #133

Closed xaltsc closed 2 years ago

xaltsc commented 2 years ago

Hey,

Not really an issue, rather a suggestion, but in order to package the font for some package managers, it is often required to provide a checksum to match against in order to ascertain that the file downloaded is indeed the right one.

While this isn't very hard to compute from the packager side, it's evidently better if the creator itself could provide it, for security purposes.

GitHub itself sadly doesn't seem to provide an automatic way to do this, but a simple sha256sum should suffice; this is used by both Arch and Void.

cormullion commented 2 years ago

Interesting. A checksum for each file?

xaltsc commented 2 years ago

Yup, or at least the tar.gz files as they're most used on Linux and I doubt Windows users have a use for it. Homebrew (if that still exists) may use tar.gz files as well. See the PR I'm trying to get merged https://github.com/void-linux/void-packages/pull/34515

cormullion commented 2 years ago

Ok, thanks! The tar files are created automatically by the github CI workflow, so it’s a pity if a checksum can’t be added automatically in github. I’ll try to find out more.

cormullion commented 2 years ago

@simeonschaub Hi! - you kindly added the CI release workflow here, but can you see any way to add checksums? I wondered whether the commit SHA would be useful...

cormullion commented 2 years ago

https://github.com/cormullion/juliamono/blob/master/checksums/checksums.txt
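An added example, not part of the thread and not the project's CI workflow: a sketch of both sides of the request above, where the publisher writes a `sha256sum` manifest for the `.tar.gz` files and a packager checks one downloaded file against it. The function names, the demo file names and the manifest layout (`<hex>  <filename>`, as `sha256sum` prints it) are assumptions.

```shell
#!/bin/sh
# Added example. Manifest layout "<64 hex>  <filename>" (sha256sum output) and
# all file names here are assumptions, not the project's actual workflow.

# Publisher side: one manifest line per .tar.gz in directory $1, written to $2.
make_checksums() {
    src_dir=$1; out=$2
    ( cd "$src_dir" && sha256sum -- *.tar.gz ) > "$out"
}

# Packager side: check downloaded file $1 against manifest $2.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed or the
# listed value is not a well-formed SHA-256 (fail closed, never "skip").
verify_release() {
    file=$1; manifest=$2
    name=${file##*/}
    # Exact match on the filename field; a leading "*" marks binary mode.
    # Assumes release file names contain no whitespace.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$name: not listed in manifest" >&2; return 2
    fi
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "$name: malformed checksum in manifest" >&2; return 2
    fi
    actual=$(sha256sum < "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: checksum MISMATCH" >&2; return 1
    fi
    echo "$name: OK"
}

# Demo on a constructed file: run this script with the argument "demo".
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    printf 'constructed sample payload\n' > "$tmp/Example-ttf.tar.gz"
    make_checksums "$tmp" "$tmp/checksums.txt"
    verify_release "$tmp/Example-ttf.tar.gz" "$tmp/checksums.txt"
    rm -rf "$tmp"
fi
```

A manifest downloaded from the same place as the tarball mainly catches corruption or a swapped file; a packager gets tamper protection when the expected hash is pinned in the package recipe or fetched over a separate trusted channel.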