This is very awesome, but this feature is disabled by default.
I think it's difficult to enable this feature by default because to enable this feature in Git projects users need to manage aqua-checksums.json with Git, which means users need to update aqua-checksums.json continuously.
We provide GitHub Actions and CircleCI Orb to automate the update of aqua-checksums.json,
but I don't think most users set them up.
Unfortunately, I don't think most users are so interested in the checksum verification.
⚠️ This is just my expectation, so maybe this is wrong.
So I don't think most people verify checksums. This is undesirable and dangerous.
By the way, Homebrew verifies checksums transparently by keeping checksums in formulae.
It's so nice.
So I'm thinking that we store checksums in registries and aqua verifies checksums with them.
Users don't need to set up anything but aqua verifies checksums transparently.
This improves the security without harming the user experience.
Workaround
No response
Example Code
No response
Note
No response
suzuki-shunsuke changed the title from "Store checksums in registries and verify checksums" to "Verify checksums transparently by storing checksums in registries" on Feb 5, 2024
Feature Overview
Store checksums in registries and verify checksums.
Why is the feature needed?
As you know, aqua has the feature for checksum verification.
https://aquaproj.github.io/docs/reference/security/checksum/