Hey David.

On January 31, 2025 6:04:21 PM GMT+01:00, David Weinehall <[email protected]> 
wrote:
>This conceptually sounds like a good idea, but I'm not sure how to implement 
>it. The downloaded tarballs are not kept after extracting the files,
>
>and obviously we cannot calculate the checksum of the upstream file until it's 
>been downloaded.

IMO the following should work:

- Every time a tarball is downloaded and successfully verified, store its 
hashsum (which you don't need to calculate freshly, but simply take it from the 
hardcoded value) to some /var/lib/... location.

- Before a download would take place, check whether the local hashsum exists 
already, and if so match it against the hardcoded one of the package.
If they differ, the expected upstream tarball changed with the new version and 
needs re-download (and verification).
If not, the same upstream tarball would anyway be expected by the package's 
hardcoded hashsum.


Since the installation fails anyway if the hashsum doesn't match the hardcoded 
one, downloading is not necessary to see whether it matches.

Cheers, 
Chris.

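The scheme Chris sketches above, as an added example that is not part of the thread or of any project's code: record the hardcoded hash under a state directory only after a tarball verified, and consult that record before fetching. The state directory path, the package name "foo", the `download` callable and the fake tarball contents are all constructed for the demo.

```python
"""Skip re-downloading an upstream tarball when its hardcoded hashsum has not changed."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Hypothetical state directory; the mail only says "some /var/lib/... location".
STATE_DIR = "/var/lib/example-pkgtool/verified"


def sha256_of(path):
    """Stream the file through SHA-256 so large tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stored_hash(state_dir, pkg):
    """Hash recorded after the last successful verification, or None if never verified."""
    try:
        return (Path(state_dir) / f"{pkg}.sha256").read_text().strip()
    except FileNotFoundError:
        return None


def record_verified(state_dir, pkg, digest):
    """Atomically record the hardcoded digest the tarball just matched."""
    d = Path(state_dir)
    d.mkdir(parents=True, exist_ok=True)
    tmp = d / f"{pkg}.sha256.tmp"
    tmp.write_text(digest + "\n")
    os.replace(tmp, d / f"{pkg}.sha256")  # never leaves a half-written record


def needs_download(state_dir, pkg, expected):
    """Download only if the package's hardcoded hash differs from the last verified one."""
    return stored_hash(state_dir, pkg) != expected


def fetch_if_needed(state_dir, pkg, expected, download):
    """Return True if a download happened, False if it was skipped.

    `download` is a hypothetical callable returning the path of the fetched tarball.
    The tarball is removed afterwards, as the thread says it is not kept.
    A checksum mismatch raises ValueError and leaves the recorded hash untouched.
    """
    if not needs_download(state_dir, pkg, expected):
        return False
    path = download()
    try:
        actual = sha256_of(path)
        if not hmac.compare_digest(actual, expected):
            raise ValueError(f"{pkg}: checksum mismatch, expected {expected}, got {actual}")
        # Store the hardcoded value, not a fresh computation; they are equal at this point.
        record_verified(state_dir, pkg, expected)
        return True
    finally:
        os.remove(path)


def demo():
    """Constructed scenario in a temporary state dir; returns the sequence of outcomes."""
    content = b"fake upstream tarball v1\n"
    good = hashlib.sha256(content).hexdigest()
    new_content = b"fake upstream tarball v2\n"
    new_good = hashlib.sha256(new_content).hexdigest()

    def fake_download(data):
        fd, p = tempfile.mkstemp(suffix=".tar.gz")
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return p

    with tempfile.TemporaryDirectory() as state:
        first = fetch_if_needed(state, "foo", good, lambda: fake_download(content))
        second = fetch_if_needed(state, "foo", good, lambda: fake_download(content))
        # New package version with a different hardcoded hash: re-download is required.
        third = fetch_if_needed(state, "foo", new_good, lambda: fake_download(new_content))
        # A mismatching download is rejected and must not overwrite the record.
        try:
            fetch_if_needed(state, "foo", good, lambda: fake_download(b"tampered\n"))
            mismatch_rejected = False
        except ValueError:
            mismatch_rejected = True
        still_recorded = stored_hash(state, "foo") == new_good
    return first, second, third, mismatch_rejected, still_recorded


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the record only says that a tarball with that hash was once verified, not that the files currently on disk still came from it, so a separate integrity check of the installed tree is unaffected by this shortcut; and the state directory must be writable only by the tool (root-owned under /var/lib), since anyone who can write the record can suppress a re-download.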