volta-cli/volta

Use checksums for cached distributions

Open

#134 opened on Aug 27, 2018

View on GitHub
 (1 comment) (2 reactions) (0 assignees)Rust (189 forks)batch import
enhancementgood first issue

Repository metrics

Stars
 (8,309 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

NOTE: this issue predates this project's rename to Volta.

We should verify the checksums of the distributions downloaded by Notion, to:

  • verify the downloaded distro is correct, and
  • verify the cached distro is valid

Node

Node distributions have a corresponding sha256sum file at https://nodejs.org/dist/vx.y.z/SHASUMS256.txt (see https://github.com/nodejs/node#verifying-binaries).

We should download that checksum, and can verify it using the sha2 crate.

Yarn

Short-term, we will need to add checksums to https://github.com/notion-cli/yarn-releases, and verify those.

Long-term, we will probably get yarn from github (at https://github.com/yarnpkg/yarn/releases). But they don't include checksums with those releases, or through the API (e.g. https://api.github.com/repos/yarnpkg/yarn/releases/latest) – not sure what we can use for that.

Contributor guide