Open oliverpool opened 1 year ago
Is there anything that can be done to make some progress on this issue?
Is the current solution good enough? https://github.com/golang/go/issues/60940#issuecomment-2037469632
ETag
anymorego1.22.2/cmd/internal/notsha256[:16]
(until the proper sha256 hash is exposed - reminder: the name is ignored by the http handler) It seems that cmd/internal/codesign
is using notsha256
and inverting the result to produce an actually-sha256 hash.
This is disgusting, but it's precedent. Should we do the same for embedded file hashes? (We'd also need to increase the size of the stored hash, since it's only 128 bits right now.)
Should we do the same for embedded file hashes?
Who can take the responsibility to answer this question?
I would really appreciate if we could move this issue forward.
Friendly ping: should we rely on the fact that notsha256
is an inverted sha256, like cmd/internal/codesign
already does?
Renewal of #43223
Here is a proposal which tries to address the concerns raised in #43223.
Accepted proposal
In io/fs, define
Then, in net/http.serveFile, serveFile calls Stat, and if the result implements HashFileInfo, it calls info.Hash. If that returns >=1 hashes, serveFile uses hash[0] as the Etag header, formatting it using Alg+":"+base64(Sum).
In package embed, the file type would add a Hash method and an assertion that it implements HashFileInfo. It would return a single hash with Algorithm “sha256”.
Original proposal (fs.File)
First, in io/fs, define
Second, in net/http, when serving a File (in
serveFile
, right beforeserveContent
for instance), if it implements ContentHashFile and the ContentHash method succeeds and is alphanumeric (no spaces, no Unicode, no symbols, to avoid any kind of header problems), use that result as the default ETag.Third, add the
ContentHash
method onhttp.ioFile
file (as a proxy to thefs.File
ContentHash
method).Fourth (probably out of scope for this proposal), add the
ContentHash
method onembed.FS
files.This proposal fixes the following objections:
The caller will simply get all available implementations and can filter them out.
The implementers are encouraged to indicate the algorithm used for each hash.
This one does.
This implementation cannot return an error (the implementer choose to panic. Returning
nil
seems better suited).It is currently very cumbersome, since the middleware would need to open the file as well (which means having the exact same logic regarding URL cleanup as the http.FileServer). Here is my attempt: https://git.sr.ht/~oliverpool/exp/tree/main/item/httpetag/fileserver.go (even uglier, since I have use
reflect
to retrieve the underlyingfs.File
from thehttp.File
).Could a "github-collaborator" post a message in #43223 to notify the people who engaged in previous proposal of this updated proposal?