volta-cli/volta

Use checksums for cached distributions

Open

#134 opened on Aug 27, 2018

View on GitHub
 (1 comment) (2 reactions) (0 assignees)Rust (8,309 stars) (189 forks)batch import
enhancementgood first issue

Description

NOTE: this issue predates this project's rename to Volta.

We should verify the checksums of the distributions downloaded by Notion, to:

  • verify the downloaded distro is correct, and
  • verify the cached distro is valid

Node

Node distributions have a corresponding sha256sum file at https://nodejs.org/dist/vx.y.z/SHASUMS256.txt (see https://github.com/nodejs/node#verifying-binaries).

We should download that checksum, and can verify it using the sha2 crate.

Yarn

Short-term, we will need to add checksums to https://github.com/notion-cli/yarn-releases, and verify those.

Long-term, we will probably get yarn from github (at https://github.com/yarnpkg/yarn/releases). But they don't include checksums with those releases, or through the API (e.g. https://api.github.com/repos/yarnpkg/yarn/releases/latest) – not sure what we can use for that.

Contributor guide

Tech stack
rust
Domain
clideveloper experience
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Rust programmingSHA256 hashing
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
55
Research direction
Implement checksum verification for cached Node distributions by downloading the SHA256SUMS file from nodejs.org and using the sha2 crate to verify. For Yarn, create checksums for the repository at https://github.com/notion cli/yarn releases and verify those. Check the existing codebase for download logic and file caching, likely in src/ directory.