hashicorp / go-getter

Package for downloading things from a string URL using a variety of protocols.
Mozilla Public License 2.0

Alignment with Subresource Integrity #112

Open geovanisouza92 opened 6 years ago

geovanisouza92 commented 6 years ago

This is a proposal for allowing another separator in checksum. As Subresource Integrity states:

An integrity value begins with at least one string, with each string including a prefix indicating a particular hash algorithm (currently the allowed prefixes are sha256, sha384, and sha512), followed by a dash, and ending with the actual base64-encoded hash.

I suggest adding a dash as an alternative separator at checksum detection, alongside another checksum option, sha384 (go doc).

The case I have in mind is something similar to what was discussed at ry/deno#200, specifically for FaaS context: import modules (maybe using dynamic import()) with canonical URLs that can be checked by the runtime before execution.

tisba commented 5 years ago

I would also really like this change. Would you accept a PR for this?

mitchellh commented 5 years ago

I'm supportive of this if anyone wants to take a stab.

geovanisouza92 commented 5 years ago

Apparently, to be fully aligned with Subresource Integrity, the checksum would need to be encoded as base64, instead of hexadecimal, but it doesn't seem to be a requirement for the lib right now, right?
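
Added example, not part of the thread and not go-getter's code: one way the proposal and the base64 point above could fit together, accepting a colon-separated hexadecimal digest and an SRI-style dash-separated base64 digest side by side. The names `ParseChecksum`, `Verify` and `algos` are hypothetical, only the three SRI prefixes are handled, and a single integrity value is assumed.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// Prefixes named in the SRI text quoted in the issue.
var algos = map[string]func() hash.Hash{
	"sha256": sha256.New, "sha384": sha512.New384, "sha512": sha512.New,
}

// ParseChecksum (hypothetical name) accepts "alg:hex" or SRI-style "alg-base64".
func ParseChecksum(s string) (hash.Hash, []byte, error) {
	i := strings.IndexAny(s, ":-")
	if i < 0 || algos[s[:i]] == nil {
		return nil, nil, fmt.Errorf("want sha256/sha384/sha512 with ':hex' or '-base64', got %q", s)
	}
	h := algos[s[:i]]()
	decode := hex.DecodeString // colon separator: hexadecimal digest
	if s[i] == '-' {
		decode = base64.StdEncoding.DecodeString // dash separator: SRI base64
	}
	sum, err := decode(s[i+1:])
	if err != nil || len(sum) != h.Size() {
		return nil, nil, fmt.Errorf("malformed or truncated %s digest", s[:i])
	}
	return h, sum, nil
}

// Verify reports whether data hashes to the digest named by checksum.
func Verify(data []byte, checksum string) (bool, error) {
	h, want, err := ParseChecksum(checksum)
	if err != nil {
		return false, err
	}
	h.Write(data)
	return subtle.ConstantTimeCompare(h.Sum(nil), want) == 1, nil
}

func main() {
	// Constructed sample: SRI-style SHA-256 of the bytes "hello".
	fmt.Println(Verify([]byte("hello"), "sha256-LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="))
}
```

The separator alone selects the encoding, and the decoded length is checked against the algorithm's digest size so a truncated value is rejected instead of compared.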