Some platforms only have SHA-1 #368

Closed
ljharb opened this issue Jan 14, 2015 · 7 comments
Labels
crypto Issues and PRs related to the crypto subsystem.

Comments

@ljharb
Member

ljharb commented Jan 14, 2015

See nvm-sh/nvm#171

Not every system will have the ability to compute sha-256 checksums. Could you also provide SHA-1 checksums alongside the SHA-256 checksums?

This will also allow the code path to remain simple in http://nvm.sh since nodejs.org only provides SHA-1.

@DomT4

DomT4 commented Jan 14, 2015

Could also consider implementing a fallback when sha256sum can't be found. Given OpenSSL's prevalence, it'd be relatively safe to fall back onto that. I can't think of a major platform off of the top of my head that doesn't or can't relatively easily support either OpenSSL or the shasum family; OS X is troublesome because the system OpenSSL is ancient, but may be able to dance with CommonCrypto there.

Not opposed to shipping SHA1sums as well, at all. Just pondering.
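
The fallback suggested in the comment above, sketched as an added example (not part of the thread and not nvm's or io.js's code): it tries `sha256sum`, then `shasum -a 256`, then `openssl dgst -sha256`, and checks a download against a checksum list. The function names and the `<hex>  <filename>` list layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; sha256_of and verify_sha256 are hypothetical names.

# Print the lowercase hex SHA-256 of file $1.
# Returns 1 if the file is unreadable, 2 if no hashing tool is installed.
sha256_of() {
  [ -r "$1" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 < "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    # Prints "(stdin)= <hex>" or "SHA2-256(stdin)= <hex>" depending on the
    # OpenSSL version, so take the last field rather than a fixed column.
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
  else
    return 2
  fi
}

# Verify file $1 against checksum list $2 (one "<hex>  <filename>" per line,
# filename optionally prefixed with "*" for binary mode).
# Returns 0 on match, 1 on mismatch or missing entry, 2 if no tool exists.
verify_sha256() {
  file=$1
  list=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" \
    '$2 == n || $2 == ("*" n) { print $1; exit }' "$list")
  # Fail closed: a file with no entry in the list is treated as unverified.
  [ -n "$expected" ] || return 1
  actual=$(sha256_of "$file") || return $?
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}
```

A caller can treat exit status 2 separately from 1 to tell "no hashing tool available" apart from "checksum mismatch", instead of silently skipping verification.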

@ljharb
Member Author

ljharb commented Jan 14, 2015

I guess my concern is that, at the moment, I'll have to ship iojs support with zero checksum support whatsoever. SHA-1 may be less secure than SHA-256, but it's more secure than nothing :-)

@rvagg
Member

rvagg commented Jan 14, 2015

I'm just not convinced there is a platform that our binaries can support that can't do 256 if they can do shasumming at all. CentOS5 is the lowest we go and it doesn't even come with a shasum in its main repos!

@rvagg
Member

rvagg commented Jan 14, 2015

so CentOS6 comes with a shasum by default it seems but there is also a sha256sum installed along with it

@rvagg
Member

rvagg commented Jan 14, 2015

@ljharb ping me on IRC if you want some test machines on these old Linuxes and I can fire up some temporary ones on DigitalOcean for you to test with

ljharb added a commit to nvm-sh/nvm that referenced this issue Jan 20, 2015
Add `io.js` support.

This branch adds support for https://github.com/iojs/io.js / https://iojs.org/

The following features should now work:
 - `nvm install iojs` will install the latest `io.js` version. `nvm ls iojs` and `nvm use iojs` will function as you'd expect.
 - `nvm install node` will install the latest stable `node` version. `nvm ls node` and `nvm use node` will function as you'd expect.
 - In general, a specific `io.js` version can be referenced with the "iojs-" prefix. If `node` were to ever release a `v1.0.0`, `v1.0.0` would refer to `node`, and `iojs-v1.0.0` would refer to `io.js`. In the near future, `node-v1.0.0` will also refer to `node` unambiguously. This applies to all `nvm` commands, including working with aliases and `.nvmrc` files.
 - `io.js`, unlike `node`, does not have a SunOS binary. Please open an issue on https://github.com/iojs/io.js if this is actually a problem for anyone, as currently it seems like this won't be for anybody.

**Note**: checksum support upon installation is currently disabled. Relates to nodejs/node#368.
**Note**: installation of `io.js` directly from source (via the `-s` option) is not yet enabled. This will be added soon.

Relates to nodejs/node#40 nodejs/node#420
Fixes #590
@trevnorris trevnorris added the crypto Issues and PRs related to the crypto subsystem. label Jan 22, 2015
@chrisdickinson
Contributor

Is this still an extant issue? Should the issue be moved to iojs/build?

@rvagg
Member

rvagg commented Feb 4, 2015

Yes, let's close here, I remain unconvinced there is a case for cluttering up our release directories with more files because (a) there hasn't been an enumeration of systems where sha-1 is available but sha-256 is unavailable and (b) even if such systems can be listed, I really don't believe they are targets for nvm, they are more likely to be production machines where nvm doesn't make much sense.

I do regret being difficult about this but one of the nice things about io.js is that we can make a break with older conventions that have been built up, including things like sticking to ancient versions of V8 because of toolchain concerns and the fact that we've reorganised the way naked Windows binaries are distributed in the /dist/ directory. I see SHASUMS.txt as one of these because the original reason for shipping it is no longer relevant.

i.e. please open an issue on iojs/build if there is still a concern about this but it's going to take some convincing, not just hand-waving and hypotheticals.
