Migrate to SHA-512 #61
Comments
That should be fairly easy to change.
Sourceforge shows only MD5 and SHA-1 for files https://sourceforge.net/projects/boost/files/boost/1.61.0/
@Ninetainedo I think because we're still small, we can update everything and avoid the burden of backcompat. @KindDragon Yeah, for Sourceforge this means you (as a maintainer) would ideally download the file once, check the SHA-1 against Sourceforge's SHA-1, and then generate a SHA-512 hash locally for the portfile.
Isn't that what is already done by vcpkg?
Yep, that's what the
Is there a reason to check the site's provided SHA instead of making it ourselves using the
The original downloader may want to verify the site's SHA (if provided) to ensure their initial download is correct, especially if it's over HTTP instead of HTTPS. Generally, if it's HTTPS, that shouldn't be needed.
@ras0219-msft Can you add a helper command in order to obtain the SHA512 hash for a given file?
@peters This sounds like it might be a good idea. Could you open a separate issue? I can see that this may be useful in workflows around
The following PRs are included:
* hopefully fix crash in constraints (microsoft#60)
* [vcpkg] allow --version to check the version (microsoft#50)
* Remove baseline warning (microsoft#27)
* [git] always pass autocrlf=false (microsoft#58)
* ignore QtCreator CMake project files (microsoft#54)
* ignore .DS_store files (microsoft#53)
* [vcpkg] x-add-version now also checks if the manifest file is properly formatted (microsoft#43)
* hopefully fix ci issue microsoft#16773 (microsoft#34)
* Add docs to set VCPKG_ROOT to run tests (microsoft#45)
* [vcpkg] x-add-version improve speed by calling get_builtin_baseline only once (microsoft#44)
* add clang-format version to format-cxxcode (microsoft#41)
* [vcpkg] Introduce experimental workaround X_VCPKG_NUGET_ID_PREFIX (microsoft#40)
* [supports] Add `native` identifier expression and x-check-support command (microsoft#29)
* [metrics] Split reporting of installs into name:triplet (microsoft#39)
* [vcpkg] Improve error when accessing missing feature (microsoft#38)
* [vcpkg] Allow shallow git registries (microsoft#37)
* Disable git autocrlf when archiving tree (microsoft#36)
* Use only named packages from extra registries (microsoft#35)
* [registries] add metrics (microsoft#30)
* Add vcpkg policy cmake helper port support (microsoft#17)
* [osx] add support for rosetta (microsoft#23)
* don't build tls12-download unless it's needed (microsoft#33)
* Add new telemetry points for versioning (microsoft#21)
* add cmake_minimum_required to vcpkg_tags (microsoft#25)
* [x-add-versions] Perform atomic replacement of versioning files (microsoft#28)
* [tools] support gsutil (microsoft#19)
* add CUDA 11.1 and 11.2 to KEEP_ENV_VARS defaults (microsoft#26)
* Add finite timeout on CURL metrics endpoint. (microsoft#22)
* fix UB in make_error_code(utf8_errc) (microsoft#18)
We currently use MD5 for integrity checking downloads; however, this is provably breakable (even if improbable). We should upgrade all hashes to SHA-512 and require it going forward.
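The maintainer workflow described in the thread (download once, check the mirror's SHA-1, then record a locally generated SHA-512 in the portfile) and the requested "hash this file" helper, written up as an added Python example. This is not vcpkg's own code or command; the function names (`file_digest`, `verify_download`, `migrate_portfile_hash`) and the sample archive bytes are constructed for illustration. The verify step uses a constant-time comparison and rejects a download whose upstream SHA-1 does not match before any SHA-512 is recorded, so a corrupt or substituted download cannot be "blessed" into the portfile.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash large archives in 1 MiB pieces rather than reading them whole


def file_digest(path, algo="sha512"):
    """Hex digest of a file on disk, streamed so memory use stays flat."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algo="sha512"):
    """True only if the file's digest matches the recorded one (constant-time compare)."""
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def migrate_portfile_hash(path, upstream_sha1):
    """The thread's one-time migration step (hypothetical helper):
    confirm the download against the SHA-1 the mirror publishes, then
    return the SHA-512 that should go into the portfile from now on."""
    if not verify_download(path, upstream_sha1, "sha1"):
        raise ValueError("SHA-1 mismatch: download is corrupt or tampered; not recording a SHA-512")
    return file_digest(path, "sha512")


def demo():
    """Run the workflow against a constructed archive and report what happened."""
    data = b"constructed sample archive bytes, standing in for boost_1_61_0.tar.gz\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "archive.tar.gz")
        with open(path, "wb") as f:
            f.write(data)

        # Maintainer step: mirror's SHA-1 checks out, so record the SHA-512.
        mirror_sha1 = hashlib.sha1(data).hexdigest()  # stands in for the value shown on the mirror
        recorded_sha512 = migrate_portfile_hash(path, mirror_sha1)

        # Every later install: verify against the recorded SHA-512.
        clean_ok = verify_download(path, recorded_sha512)

        # Same check after the archive is altered by a single byte.
        with open(path, "ab") as f:
            f.write(b"!")
        tampered_ok = verify_download(path, recorded_sha512)

        # A download whose SHA-1 does not match must never yield a SHA-512 to record.
        try:
            migrate_portfile_hash(path, mirror_sha1)
            mismatch_rejected = False
        except ValueError:
            mismatch_rejected = True

    return {
        "recorded_sha512": recorded_sha512,
        "expected_sha512": hashlib.sha512(data).hexdigest(),
        "clean_verified": clean_ok,
        "tampered_verified": tampered_ok,
        "sha1_mismatch_rejected": mismatch_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Usage note: the same `file_digest` call with `algo="sha512"` is all a "hash this file" helper needs; keeping the comparison in `verify_download` rather than in callers means every check site gets the constant-time compare and case-insensitive handling for free.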