Open msgilligan opened 2 years ago
Wouldn't it make more sense to get a checksum on the SDKMAN zip dist instead? The install script is in clear text and is only responsible for unpacking the zip distribution on your machine.
> Wouldn't it make more sense to get a checksum on the SDKMAN zip dist instead?
Yes. That sounds right to me. Is this documented somewhere? Did I miss it?
This doesn't exist yet, but given that we use jreleaser and that SDKMAN is now itself an SDK, it makes great sense. Happy for you to change this into a feature request.
> This doesn't exist yet, but given that we use jreleaser and that SDKMAN is now itself an SDK, it makes great sense. Happy for you to change this into a feature request.
Will do.
I changed the title (and changed Question to Feature in the initial comment). Is there anything else I need to do?
@marc0der currently the checksum resides inside a file named checksums_sha256.txt. This file collects checksums for all assets. Right now there's just one artifact. Another option is to publish checksums for individual files such that sdkman-cli-5.13.1.zip gets its checksum published as sdkman-cli-5.13.1.zip.sha256. JReleaser can do that of course.
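As an added example (not SDKMAN's or JReleaser's own code), here is a shell function that checks a downloaded zip against either layout mentioned above, the aggregate checksums_sha256.txt or a per-file .sha256. It assumes the aggregate file uses sha256sum-style lines and that a sidecar begins with the digest; `sha256_of`, `verify_artifact` and `demo` are hypothetical names, and the sample file is constructed.

```shell
#!/bin/sh
# Added example. Assumed formats: checksums_sha256.txt has sha256sum-style
# "<digest>  <file name>" lines; a .sha256 sidecar starts with the digest.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact <artifact> <checksum-file>
# Returns 0 on match, 1 on mismatch, 2 when no usable digest is found.
verify_artifact() {
    artifact=$1; sums=$2; name=$(basename "$artifact")
    [ -r "$artifact" ] && [ -r "$sums" ] || return 2
    # Aggregate file: take the line whose file name matches exactly
    # (sha256sum prefixes the name with "*" in binary mode).
    expected=$(awk -v n="$name" '{f=$2; sub(/^\*/, "", f)} f == n {print $1; exit}' "$sums")
    # Sidecar named <artifact>.sha256: the digest is the first field.
    if [ -z "$expected" ] && [ "$(basename "$sums")" = "$name.sha256" ]; then
        expected=$(awk 'NR == 1 {print $1}' "$sums")
    fi
    # Refuse anything that is not exactly 64 hex characters.
    printf '%s\n' "$expected" | grep -Eqi '^[0-9a-f]{64}$' || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$expected" = "$(sha256_of "$artifact")" ] || return 1
}

# Constructed sample: a stand-in file, not a real SDKMAN release.
demo() {
    d=$(mktemp -d) || return 2
    zip="$d/sdkman-cli-5.13.1.zip"
    printf 'constructed stand-in\n' > "$zip"
    printf '%s  %s\n' "$(sha256_of "$zip")" "$(basename "$zip")" > "$d/checksums_sha256.txt"
    before=0; verify_artifact "$zip" "$d/checksums_sha256.txt" || before=$?
    printf 'tampered\n' >> "$zip"
    after=0; verify_artifact "$zip" "$d/checksums_sha256.txt" || after=$?
    rm -rf "$d"
    echo "untouched=$before tampered=$after"
}
demo
```

A checksum fetched from the same location as the zip only detects corruption or a partial download; it gives integrity against a tampered host only if the digest arrives over an independently trusted channel.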
Feature (was originally a Question)

It would be nice if there were a simple and documented mechanism for verifying the Sha256Sum of the install script at https://get.sdkman.io. I searched around a little (see below) and didn't find anything.
Is there a simple mechanism? If so where is it documented?
Something along the lines of:
[Edited: was originally a question]
My homework: