Open bponomarenko opened 4 years ago
Could you please link to some related documentation on how?
On Wed, 3 Jun 2020, 10:59 pm Borys Ponomarenko, notifications@github.com wrote:
We do have a custom logic to download node-sass binaries with the help of SASS_BINARY_SITE environment variable, however there is not way to validate integrity of the binaries from GitHub releases page.
It would be really useful if you would publish integrity checksums along the binaries.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/sass/node-sass/issues/2930, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAENSWBLFTV2LLRJDGNDCGDRUZCJ3ANCNFSM4NRUSPVA .
It can be similar to what npm does. Any generated package-lock.json
file includes path to the package's tgz file together with integrity checksum: https://github.com/sass/node-sass-middleware/blob/master/package-lock.json#L10
The exact implementation for the file hash generation will depend on the platform and language, but here is an example on how to do that from command line on linux: https://linux.die.net/man/1/sha512sum
Having a single table with the binary name and binary integrity hash, published in multiple channels (not only GitHub releases) would be helpful.
Here is another example on how Node.js publishes their binaries: https://nodejs.org/download/release/latest-v14.x/
You can see SHASUMS256.txt
file next to the binaries itself with the integrity hashes.
We do have a custom logic to download
node-sass
binaries with the help ofSASS_BINARY_SITE
environment variable, however there is not way to validate integrity of the binaries from GitHub releases page.It would be really useful if you would publish integrity checksums along the binaries.