Implement `--require-sha` flag
vitorgalvao opened this issue · 14 comments
Refs #10380.
When using --require-sha on the command line (or HOMEBREW_CASK_OPTS) during an install, before starting the download HBC must check if the cask in question uses sha256 :no_check. If it does, installation will abort for that specific cask and an explanatory message be given.
Steps for implementation (from the next post):
- Add test for
--require-shatotest/cask/cli/options_test.rb - Add option
--require-shatolib/hbc/cli.rb - Add new error
Hbc::CaskNoShasumErrortolib/hbc/exceptions.rb - Check if
sha256 :no_checkinlib/hbc/cli/install.rb, and abort if--require-shais present - Update documentation (USAGE.md, at a minimum)
- Update man page
Steps for implementation:
- Add test for
--require-shatotest/cask/cli/options_test.rb - Add option
--require-shatolib/hbc/cli.rb - Add new error
Hbc::CaskNoShasumErrortolib/hbc/exceptions.rb - Check if
sha256 :no_checkinlib/hbc/cli/install.rb, and abort if--require-shais present - Update documentation (USAGE.md, at a minimum)
- Update man page
@jawshooah Seem okay?
The man page will also need to be updated. Other than that, I believe that should be sufficient.
Please don’t “+1” this issue (or any other, for that matter), as it only adds noise. We want this implemented, it’s not a vote.
Will remove comments that don’t add to the discussion, to keep the issue focused.
Could we change it to a slight but important difference:
...before starting the download HBC must check if the cask in question uses *contains a sha256 hash and the value is not :no_check. Else, installation will abort for that specific cask and an explanatory message be given.
@fuzzyroddis What’s the difference?
It's a nitpick, but in the original if a cask does not contain any sha256 line rather than sha256 :no_check then the installation would continue even though it's equivalent to :no_check
There’s no such thing as a cask without a sha256. It’s mandatory, and casks don’t pass audit without it.
I understand that an audit would catch such a cask, but it's still possible for a cask to exist without a sha256 eg. if it is merged ignoring results of an audit.
Unless I’m misremembering, a cask that does not pass audit will also refuse to install. audit isn’t just for Travis, it is also a part of HBC.
Wouldn't it be safer to require a sha256 with length 64? Is there a reason you want to only check for :no_check?
We only do that for casks that have unversioned urls and hence would break constantly.
Please search our issues and documentation for further questions on this. Everything has already been explained at length multiple times.
Perhaps you misunderstand me, I'm not talking about the use of :no_check rather this issue which is about --require-sha. I'm saying that if --require-sha is used it should check for the existence of a sha256 hash and if there isn't one then fail. Where OP is asking to check for :no_check instead and fail if it finds it.
| Type | hash | :no_check | no sha256 line |
|---|---|---|---|
| Failing if no hash | ❎ | ✅ | ✅ |
| Failing if :no_check | ❎ | ✅ | 🔴 |
This isn't an issue of what :no_check does nor how audit works, its about ensuring the behaviour of --require-sha never pulls a url without a hash.
Sure it might double up, that audit checks for a hash and then --require-sha checks again, but I'd say that's the safer way.
Again, there are no casks with no sha256. :no_check exists precisely because of that.
Try it. Make a cask with no sha256 and try to install it. HBC will blow up in your face and will not proceed. In the very unlikely and never before heard of case of a cask slipping through with no sha256, HBC will refuse to install it anyway. This is not an issue. You’re arguing for a case that will never happen.