Provide ways to verify the integrity of the build artifacts #3924
Comments
Fwiw, the Imply distro (https://imply.io/download) is served over HTTPS and we publish sha256 hashes over HTTPS as well. This issue for druid-io.github.com is about trying to bring some of that same love to community Druid: druid-io/druid-io.github.io#372.

I'm curious if AWS codebuild can do this easily.

Providing a sha256 hash to the last druid releases should be fairly easy in https://github.com/druid-io/druid/releases. It will take no time for the developers and it should give some relief to whoever wants to trust the binaries downloaded by static.druid.io.

This issue has been marked as stale due to 280 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

Please re-open this task, it shouldn't be closed.
Sorry for the wonky issue title, but there are a few issues all in one. In short, I'm working to package Druid for work. As part of that, I noticed a few things:

First I looked for signature files (.asc) to verify the binaries against a published key. This can be fairly tricky to implement and manage, so I then looked around for published file hashes (sha256/512 preferable, md5 isn't sufficient for this any longer) that I could use to assert I received the correct bits. Unfortunately, these don't seem to be published either.

I then visited the GitHub project releases hoping to find the artifacts in a place I could download over HTTPS, but no luck: we'd have to build from source.

I noted both the CDN and the website are served over plain HTTP. With the website on GitHub, it would be possible to verify the hash is correct by checking the source and using the hash to verify the http-served artifact.

In the meantime, I am planning on doing a sort of "Trust On First Use" verification, by hashing the first time, and then expecting the release file's hash to match from then on out.

In summary, a potential to-do list here would be:

- signature files (.asc) for the artifacts

recommended labels: Improvement, Operations
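The verification workflow the issue asks for, as an added example that is not part of the issue or the Druid project's own tooling: a SHA-256 check against a hash obtained out of band (e.g. fetched over HTTPS from a release page), the trust-on-first-use pin file the reporter describes, and a GPG `.asc` check for when signatures are published. The pin-file layout, the function names and the sample artifact are assumptions made for the example; `gpg --verify` is shown but not run here, since it needs the release key imported first.

```shell
#!/bin/sh
# Added example: artifact integrity checks for a downloaded release tarball.
# Not Druid project code; file layout and names are assumptions.

# SHA-256 of a file, portable across GNU coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 <file> <expected-hex>
# The expected hash must come from a channel you trust more than the download
# itself (HTTPS release page, signed checksum file). Exit 0 on match, 1 otherwise.
verify_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$1")
  [ "$actual" = "$expected" ]
}

# tofu_check <pinfile> <artifact-name> <file>
# Trust-on-first-use: the first sighting of an artifact name records its hash in
# the pin file ("<name> <sha256>" per line, assumed format); every later run must
# reproduce that hash. Prints pinned|match|MISMATCH; exit 1 only on MISMATCH.
# This detects a changed artifact, not a bad first download, so pin the hash
# the moment you have any out-of-band confirmation of it.
tofu_check() {
  pinfile=$1; name=$2; file=$3
  actual=$(sha256_of "$file")
  pinned=""
  if [ -f "$pinfile" ]; then
    pinned=$(awk -v n="$name" '$1==n {print $2}' "$pinfile")
  fi
  if [ -z "$pinned" ]; then
    printf '%s %s\n' "$name" "$actual" >>"$pinfile"
    echo pinned; return 0
  fi
  if [ "$pinned" = "$actual" ]; then
    echo match; return 0
  fi
  echo MISMATCH; return 1
}

# verify_asc <file>
# Detached-signature check for when the project publishes <file>.asc. The
# signing key must already be in the local keyring (import it from a trusted
# source and compare its fingerprint before relying on this).
verify_asc() {
  gpg --verify "$1.asc" "$1"
}

# Usage against a constructed local file (stands in for the downloaded tarball):
#   printf 'hello\n' > druid.tar.gz
#   verify_sha256 druid.tar.gz 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 && echo ok
#   tofu_check ./pins druid.tar.gz druid.tar.gz
```

`tofu_check` is only a stopgap: it tells you the artifact changed since you first saw it, not that the first copy was genuine. Once hashes or signatures are published over HTTPS, `verify_sha256` or `verify_asc` against the published value should replace it.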