Open mi6-577 opened 2 months ago
Do you need this to be on release/package distribution level? That makes sense.
If you release via GitHub in addition to npm, they do validation.
possible implementation
I've managed to get the needed data available within the scope of the web components, but not added to the window object. It seems like that is removed on build.
@GCHQ-Developer-299 I have a suggestion:
Maybe you should add a stencil component named ic-stats
where the customer can import that component to get version number, build time and hash themselves?
If so, I can set up a simple PR that shows you how to access the variables - it's pretty straightforward.
Summary
In order to provide some assurance that downloads of the ICDS are 'untampered', we should provide a hash number at the point of releasing a new build.
💬 Description
A hash number is unique to the build and can be used by customers to verify that their download has been untouched.
Why do we need it?
Further reading on why hashes are important for open source code can be found here: https://proprivacy.com/guides/how-why-and-when-you-should-hash-check
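
The verification this issue asks for, sketched as an added example (not code from the ICDS project or from anyone in this thread): a maintainer publishes a digest next to the release and the customer recomputes it over the bytes they downloaded. It assumes the digest is published in the `sha512-<base64>` form that npm uses for a package's `dist.integrity` field; the function names and the sample bytes are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Parse an SRI-style string ("sha512-<base64>") into its algorithm and raw digest.
// Anything outside the SHA-2 family, or malformed, is rejected rather than guessed at.
function parseIntegrity(integrity) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(integrity.trim());
  if (!m) throw new Error('unsupported or malformed integrity string');
  return { algorithm: m[1], digest: Buffer.from(m[2], 'base64') };
}

// What the maintainer runs at release time: the string to publish beside the build.
function integrityFor(artifactBytes, algorithm = 'sha512') {
  const digest = crypto.createHash(algorithm).update(artifactBytes).digest('base64');
  return `${algorithm}-${digest}`;
}

// What the customer runs after download: true only if the bytes match the published digest.
function verifyArtifact(artifactBytes, publishedIntegrity) {
  const { algorithm, digest } = parseIntegrity(publishedIntegrity);
  const actual = crypto.createHash(algorithm).update(artifactBytes).digest();
  // A truncated published digest has the wrong length; timingSafeEqual would throw on it.
  return actual.length === digest.length && crypto.timingSafeEqual(actual, digest);
}

// Constructed sample data standing in for a release tarball.
const release = Buffer.from('constructed sample release contents v1.0.0');
const published = integrityFor(release);
const tampered = Buffer.concat([release, Buffer.from('\n// one extra line')]);

console.log('published digest :', published);
console.log('original verifies:', verifyArtifact(release, published));
console.log('modified verifies:', verifyArtifact(tampered, published));
```

The check is only as trustworthy as the channel the digest arrives over: a hash served from the same location as the artifact detects corruption, but not a replacement made by someone who can edit both.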