Open DamnedElric opened 11 months ago
Thanks for the report. I will move the issue to the blueprint repository, so that we may publish the hash as part of the build. For now, that latest directories should contain a latest file including a SHA-512 hash, that is used by the updater, e.g. https://download.eclipse.org/theia/latest/linux/latest-linux.yml
Maybe the theia-ide.org
Blueprint download page should point to the OS-specific download folders [1] instead of the current direct download link? Then it will be "discoverable" that there are checksum provided?
[1]: e.g.: https://download.eclipse.org/theia/latest/windows/ https://download.eclipse.org/theia/latest/linux/ https://download.eclipse.org/theia/latest/macos/
The current links on the Download page are of this form: https://www.eclipse.org/downloads/download.php?file=/theia/latest/windows/TheiaBlueprint.exe&r=1
This makes sure that the download stats are recorded.
See https://github.com/eclipse-theia/theia-blueprint/issues/36#issuecomment-773952876 for more info. This would be lost when linking to the directories
Then maybe we could add, along with the download links, also links for the corresponding files that contain the hashes.
There is now https://download.eclipse.org/theia/ide/latest/windows/latest.yml which contains hashes.
The download page for the blueprint desktop edition does not provide any cryptographic hashes for the downloads. This is particularly problematic because the download redirects to a random local-ish mirror, e.g.
https://ftp.fau.de/eclipse/theia/latest/linux/TheiaBlueprint.AppImage
, which is not a URL I would immediately trust.Please publish, for example, SHA-256 or SHA-512 hashes along with the download links.
Many thanks