[Bug 797177] Require tarball checksum verification for all recipes

[GStreamer (GNOME Bugzilla)]

https://bugzilla.gnome.org/show_bug.cgi?id=797177

Nicolas Dufresne (ndufresne) <nicolas at ndufresne.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #373706|none                        |reviewed
             status|                            |

--- Comment #6 from Nicolas Dufresne (ndufresne) <nicolas at ndufresne.ca> ---
Review of attachment 373706:
 --> (https://bugzilla.gnome.org/review?bug=797177&attachment=373706)

::: cerbero/build/source.py
@@ +128,3 @@
         cached_file = os.path.join(self.config.cached_sources,
                                    self.package_name, self.tarball_name)
+        if not redownload and os.path.isfile(cached_file) and
self.verify(cached_file, fatal=False):

I'm wondering if checking the cache won't be quite an overhead for the safety.
What we could do instead is download to <filename>.unchecked, and if it succeed
validate, move it back to it's real name. And then just trust the cache.

@@ +174,3 @@
+        if checksum != self.tarball_checksum:
+            movedto = fname + '.failed-checksum'
+            os.replace(fname, movedto)

I'm not familiar with replace, does it override if there is already a
.failed-checksum file ? Just asking if we need to remove ancient failed
download first.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.