source not checked with sha256
Bug #1618591 reported by
Curtis Hovey
This bug report is a duplicate of:
Bug #1585913: Snapcraft should allow the user to verify downloaded files with a checksum.
Edit
Remove
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Snapcraft |
New
|
Undecided
|
Unassigned | ||
Bug Description
The "source" option is not as repeatable or secure as implied in http://
Specifying a versioned tar file is not truly repeatable if someone tampers with it. Git tags can and are redefined. In the case of git, I believe I can pass a commit hash to be clear about the requirement. I cannot do so for archive files like tar files.
This issue is similar to Homebrew's need to ensure repeatable and safe formulas. That distro added sha256 sums for all downloaded data.
It would be reassuring if we could specify something like "source-sha256"
To post a comment you must log in.
