Comments (4)
ferd
commented on May 28, 2024
If you mean checksums available for the builds created by Rebar3, we do maintain checksums for dependencies's sources in the lock file, and Erlang has an option you can supply to make builds deterministic. We do not compute a checksum for the artifacts created however, only on the elements used to define the final build with the assumption that a repeatable build yields a repeatable result.
If you mean for the rebar3 binaries themselves, then no, we currently do not create these. Do you know if the build is obtained from github or from the s3 bucket? Neither has checksums published but I'm curious either way.
That being said, the artifacts we build both to S3 and github themselves are all automated. I guess a checksum could protect you from a third-party later changing the file in its final storage location, but as far as I can tell doing that without the ability to also update the checksum on similar storage is unlikely. I could imagine making it easier to invalidate cached copies at least.
from rebar3.
ilia-shipitsin
commented on May 28, 2024
thank you!
I've forgotten to mention, we are looking for rebar3 binaries validation. we download them from GitHub releases, but we usually try to download from the location officially proposed by project, we can change to S3 if needed.
I understand that idea to keep checksums together with binaries is not the best one. We are fine to download checksums from whatever location the project suggests. for each tool we track both URL and checksum validation (it maybe some URL or something else)
from rebar3.
ferd
commented on May 28, 2024
We haven't set that up at all, but I assume we could as part of automation. S3 generally contains only the latest main build, so github is likely the better place to do it, given we already automate part of the release process in
rebar3/.github/workflows/publish.yml
Lines 24 to 33 in a16f41a
I'll try and find time to prototype this workflow somewhere for the next builds, chances are I'd have to either do it as an extra attached file (
rebar3/.github/workflows/publish.yml
Lines 35 to 44 in a16f41a
rebar3.checksum.
Do you have any preferences in terms of algorithms?
from rebar3.
ilia-shipitsin
commented on May 28, 2024
SHA256 / SHA512 are approved by our security team
from rebar3.
Related Issues (20)
- Executing rebar3 throwing escript exception HOT 1
- Templates not found on Fedora Linux HOT 4
- `rebar3 tree` formats its output very badly when called together with OTP26 HOT 4
- Question: Sharing modules between multiple applications
- Many [r3_hex_http] ... is deprecated in favour of ... messages during compilation and upgrades HOT 1
- Escript creation failure reason swallowed by post-hook failure. HOT 1
- Possible error in rebar_core HOT 1
- Uncaught error in rebar_core when running rebar3 shell HOT 1
- when use -name, remote_console connect failed HOT 1
- "Did you mean ...?" suggestions for misspelled commands HOT 7
- rebar3 auto: Error loading module enotify HOT 1
- Tag usage in newer rebar3 versions HOT 14
- Hooks env variables documentation HOT 1
- {mode, ...} overrides variables explicitly set in the profile
- rebar3 killed spawned processes after compile HOT 1
- Dependency post_hooks clean override not executed. HOT 3
- `rebar3 version` compiles dependencies before outputting value HOT 5
- cover aggregation bug HOT 6
- `REBAR_SRC_DIRS` not available in hook HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rebar3.