search

google / codeworld

Educational computer programming environment using Haskell
http://code.world
Apache License 2.0
1.24k stars 197 forks source link

Getting a validation warning for markdeep script #1448

Open cdsmith opened 4 years ago

cdsmith commented 4 years ago 
./casual-effects.com/markdeep/latest/markdeep.min.js: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
DANGER: Validation failed for downloaded third-party code; tampered with?

It looks like this pulls the latest version, and validates against a checksum, so it will start failing any time a new markdeep is released. We should either pin the version, or stop validating the checksum. Pinning the version is the safer choice, but I suddenly realize this is volunteering me for a pretty tedious job constantly trying to stay up to date with security bugs and such in downstream libraries. That sucks.

cdsmith commented 4 years ago

FYI @jbash ; can you remind me how to fix this checksum?

jbash commented 4 years ago

To reset the checksums for all mirrored files to match whatever the Web is providing at the moment:

  1. Erase the existing saved checksums: "rm build/mirrored/sums.txt; touch build/mirrored/sums.txt". You must empty the file; if you delete it, then it'll get just get recreated with the old checksums.
  2. Run "mirror/get_mirrored"
  3. Copy the newly updated build/mirrored/sums.txt to mirror/sums.txt.frozen
  4. Commit mirror/sums.txt.frozen

To update the checksum for just one file, you can to the same procedure, except to edit the line for that file out of build/mirrored/sums.txt, instead of completely emptying the file.

You can also manually edit mirror/sums.txt.frozen, delete build/mirrored/sums.txt, and rerun the download.

If you completely remove mirror/sums.txt.frozen from the repository, I believe that each new tree checked out from Git will just quietly download the current version of every file and record its present checksum in build/mirrored/sums.txt, so it's possible to make each tree do everything on a trust-on-first-use basis. I'm pretty sure I tested that.

NB: mirror/get_mirrored will always download whatever's on the Web even if the checksums don't match; you may or may not see that as the right behavior.

jbash commented 4 years ago

Oh, and I think some of the CodeWorld content files still pin the checksums for some of the mirrored objects. They did before and I don't think I removed that. So even if the mirroring code accepts an update, the user's Web browser may still reject it.