We need a v2 Golang Portgroup
Ryan Carsten Schmidt
ryandesign at macports.org
Fri Aug 30 07:02:59 UTC 2024
On Aug 29, 2024, at 21:36, Austin Ziegler wrote:
>
> Go's hash calculations are stable based on the *contents* of the dep zipfile[3], not the zipfile itself. (An approach *similar* to this would likely be advisable for Macports itself as we were affected by the GitHub archive apocalypse[4]. It would require changing every hash calculation, though.)
Computing checksums based on the contents of archives is not advisable. You can find arguments against this elsewhere on the internet. From memory, some reasons include:
You need to extract the archive to verify its checksums. This takes time and disk space. This will slow down operations that only need to check checksums. Our build system's mirroring process might be affected by that, for example.
A specially crafted archive could exploit a vulnerability in an extraction tool resulting in remote code execution, or it could consume all available disk space resulting in a denial of service attack.
More information about the macports-dev mailing list
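Added example (not part of the thread, and not code from MacPorts or the Go project): Go's "h1:" content hash reimplemented from its published definition (SHA-256 over one "<sha256 hex>  <name>" line per file, in name order, base64-encoded) next to a plain hash of the archive bytes. Two zips with identical files but different timestamps get different file hashes and the same content hash, which is the property Austin describes. For the disk-exhaustion point Ryan raises, the content hash reads at most a fixed budget of decompressed bytes (maxExtracted, an assumed limit for the demo) and refuses an archive that would exceed it instead of inflating it. The module file names and contents are constructed for the demo.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
	"time"
)

// maxExtracted caps the total decompressed bytes read while hashing contents.
// The value is an assumption for this demo; it is the guard against an archive
// whose compressed size is small but whose contents expand far beyond it.
const maxExtracted = 1 << 20

var errTooLarge = errors.New("archive exceeds decompressed size limit")

// contentHash computes Go's "h1:" module hash for a zip: SHA-256 over the
// lines "<sha256-hex of contents>  <name>\n", one per file in name order,
// base64-encoded. Only names and contents matter; timestamps and compression
// settings do not, so a re-packed archive keeps the same hash.
func contentHash(zipBytes []byte) (string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	if err != nil {
		return "", err
	}
	files := append([]*zip.File(nil), r.File...)
	sort.Slice(files, func(i, j int) bool { return files[i].Name < files[j].Name })

	budget := int64(maxExtracted)
	summary := sha256.New()
	for _, f := range files {
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		// Read at most budget+1 bytes so a lying size field cannot force an
		// unbounded read; the surplus byte is what detects the overrun.
		fh := sha256.New()
		n, err := io.Copy(fh, io.LimitReader(rc, budget+1))
		rc.Close()
		if err != nil {
			return "", err
		}
		if n > budget {
			return "", errTooLarge
		}
		budget -= n
		fmt.Fprintf(summary, "%x  %s\n", fh.Sum(nil), f.Name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// fileHash hashes the archive bytes as stored, the way a distfile checksum does.
func fileHash(zipBytes []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(zipBytes))
}

// buildZip packs name->content into a zip with the given mtime. Constructed
// sample input; the mtime is the only difference between the two archives in main.
func buildZip(files map[string]string, mtime time.Time) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		f, err := w.CreateHeader(&zip.FileHeader{Name: n, Method: zip.Deflate, Modified: mtime})
		if err != nil {
			panic(err)
		}
		io.WriteString(f, files[n])
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	src := map[string]string{
		"example.com/m@v1.0.0/go.mod": "module example.com/m\n",
		"example.com/m@v1.0.0/m.go":   "package m\n",
	}
	day := time.Date(2024, 8, 29, 0, 0, 0, 0, time.UTC)
	a := buildZip(src, day)
	b := buildZip(src, day.AddDate(0, 0, 1))
	ha, _ := contentHash(a)
	hb, _ := contentHash(b)
	fmt.Println("archive bytes equal: ", fileHash(a) == fileHash(b)) // false
	fmt.Println("content hashes equal:", ha == hb)                  // true

	// 2 MiB of zeros deflate to a few KiB; the content hash refuses it
	// instead of inflating it all.
	bomb := buildZip(map[string]string{"x/big": strings.Repeat("\x00", 2<<20)}, day)
	_, err := contentHash(bomb)
	fmt.Println("bomb rejected:", errors.Is(err, errTooLarge)) // true
}
```

The budget is enforced on bytes actually decompressed, not on the sizes the zip headers claim, because the headers are attacker-controlled; the cost of the check is still one full decompression pass for honest archives, which is the time and disk argument above in concrete form.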