
Missing SHA File Hashes in Release Files #153

Closed
james-crowley opened this issue Apr 8, 2020 · 3 comments

Comments

@james-crowley
Contributor

I saw issue #86 was closed and PR #87, which from my understanding would add file hashes to the release files. But looking at the release page, I do not see any hashes listed.

From searching on the issues/PRs, I could not see any issue that reverted this addition. Is there a reason why file hashes are not listed?

@krallin
Owner

krallin commented Apr 8, 2020

The sha256 sums are public because they're logged during the build, but there are no "release files" that include them, so to speak. What is published as part of releases for verification purposes are gpg signatures.

I could probably include the checksums there as well. I'm not sure it's all that valuable since you'd be getting your checksum from the same place you got your binary, but assuming your concern is whatever tooling you're using to download Tini messing up, then that's probably reasonable.

@james-crowley
Contributor Author

@krallin I ask mostly because of Elasticsearch Docker containers.

https://github.com/elastic/elasticsearch/blob/7d8cf1cb343928783feffe77cbf7a3442af70498/distribution/docker/src/docker/Dockerfile#L38-L47

They seem to not use the keys due to it being too slow, thus causing failures. Hence they produce SHAs and host them in their repo. It would be easier and seamless if we could pull the hashes down from the release page, thus eliminating the need to store hashes.

@krallin
Owner

krallin commented Apr 19, 2020

They seem to not use the keys due to it being too slow, thus causing failures. Hence they produce SHAs and host them in their repo. It would be easier and seamless if we could pull the hashes down from the release page, thus eliminating the need to store hashes.

I think in general they probably should consider embedding the public key in their Docker image rather than getting it from a remote server whenever they build (which indeed can be flaky). It's not like the dynamism of getting the key from a keyserver adds much value anyways, since they're looking for a single, very specific key.

Getting your binary and your checksum from the same source seems a little unfortunate, but it also doesn't really hurt on the publishing side, so I submitted #156 to start publishing the checksums.
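The two verification steps discussed in this thread, the checksum check that Elasticsearch's Dockerfile does and the signature check against a key embedded in the build context that krallin recommends, written as POSIX shell functions a Dockerfile RUN step could call. This is an added example, not code from the tini project or from the Elasticsearch Dockerfile. The key file, signature file and temporary keyring in verify_signature are assumptions for illustration; the sample "binary" in demo is constructed inline so the block runs offline.

```shell
#!/bin/sh
# Added example (not tini's or Elasticsearch's code): build-time
# verification of a downloaded binary, as discussed in tini issue #153.
set -u

# Portable sha256 (Linux has sha256sum, macOS has shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_checksum FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX,
# non-zero otherwise (including a missing file). This only catches a
# corrupted or truncated download: if the checksum was fetched from the
# same place as the binary, whoever can replace the binary can replace
# the checksum too, so this is not an authenticity check.
verify_checksum() {
  actual=$(sha256_of "$1" 2>/dev/null) || return 1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_signature FILE SIG PUBKEY_FILE -> gpg verification of a detached
# signature against a public key that ships with the build context
# (e.g. COPY'd into the image) instead of being fetched from a keyserver
# during the build. Paths and the keyring location are assumptions.
verify_signature() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  keyring=$(mktemp -d)
  gpg --batch --quiet --homedir "$keyring" --import "$3" || { rm -rf "$keyring"; return 1; }
  gpg --batch --quiet --homedir "$keyring" --verify "$2" "$1"
  rc=$?
  rm -rf "$keyring"
  return $rc
}

# Constructed sample input: a stand-in "binary", its good hash, then the
# same file truncated to simulate a download that broke mid-transfer.
demo() {
  tmp=$(mktemp)
  printf 'not really tini\n' > "$tmp"
  good=$(sha256_of "$tmp")
  if verify_checksum "$tmp" "$good"; then echo "checksum ok"; fi
  printf 'not really' > "$tmp"
  if verify_checksum "$tmp" "$good"; then
    echo "unexpected pass"
  else
    echo "checksum mismatch detected"
  fi
  rm -f "$tmp"
}
```

In a Dockerfile the pattern would be: COPY the maintainer's public key into the image, download the binary and its .asc, run verify_signature, and optionally run verify_checksum against a hash pinned in the Dockerfile (not one fetched from the release page) so that a build fails closed when the download is corrupted or substituted.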
