Open tschmidtb51 opened 11 months ago
An option could be to just test for one file and then use the one that was found (opportunistic). There should be an option to request both explicitly, or one version specifically. If the ROLIE feed lists just one, and the value all is not given, we should just use the ones provided...
Just thinking: an easy mental model would be: download / mirror what is there.
In the past there were operating systems where one checksum could be calculated out of the box, but another couldn't. So several checksums were provided, to avoid that people would need to install a special application to calculate the checksum. I don't think that this still is the case for systems expected to deal with CSAF 2.0 documents.
If we'd break with the simple mental model above and would be satisfied to only download SHA512, that would save a connection and some space. Then we should implement one behaviour and avoid options unless we understand the use case for them well.
If we implement a preference to sha512 and it is okay to only provide this one, we should check that we only provide it and in the mirroring case calculate it and throw the other one away.
I think the situation is a little bit more complex:
So the idea to download what is there solves 1. For 2, we would need to give explicit options, which SHA should be requested and/or deterministically compute the right choice.
Just downloading SHA512 won't solve the problem as some only provide SHA256... (and vice versa).
Currently, we request also SHA256 even if a SHA512 was present in the ROLIE feed. We need to find a way to improve that.
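The selection policy discussed in this thread, sketched as an added example; it is not code from the CSAF tooling. The `pref` setting, the function names and the SHA-512-first order are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// SelectHashes picks which hash files to request for one ROLIE entry. urls maps
// algorithm to the listed URL; pref (hypothetical) is "", "sha256", "sha512" or "all".
func SelectHashes(urls map[string]string, pref string) ([]string, error) {
	var listed []string // strongest first
	for _, alg := range []string{"sha512", "sha256"} {
		if urls[alg] != "" {
			listed = append(listed, alg)
		}
	}
	if len(listed) == 0 {
		return nil, fmt.Errorf("feed entry lists no hash")
	}
	switch {
	case pref == "": // opportunistic: one request, strongest hash that is listed
		return listed[:1], nil
	case pref == "all": // download / mirror what is there
		return listed, nil
	case (pref == "sha256" || pref == "sha512") && urls[pref] != "":
		return []string{pref}, nil
	}
	return nil, fmt.Errorf("%q not listed in feed or unsupported", pref)
}

// Verify compares doc with a hash file body of the form "<hex>  <filename>".
func Verify(alg string, doc []byte, hashFile string) bool {
	h := map[string]hash.Hash{"sha256": sha256.New(), "sha512": sha512.New()}[alg]
	f := strings.Fields(hashFile)
	if h == nil || len(f) == 0 {
		return false
	}
	h.Write(doc)
	return strings.EqualFold(f[0], hex.EncodeToString(h.Sum(nil)))
}

func main() {
	// Constructed feed entry that lists only a SHA-256 file.
	fmt.Println(SelectHashes(map[string]string{"sha256": "https://example.com/doc.json.sha256"}, ""))
}
```

With an empty `pref`, an entry listing both hashes triggers a single SHA-512 request, and an explicit preference that the feed does not list is reported as an error instead of silently falling back.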