added more checksum types

[cocoa-xu]

Added more checksum types to the list so libraries can make use of Mix.Utils.read_path/2 at compile-time to download resources and verify the integrity (without having to calculate SHA512 if the original source only gives SHA256 or some other hash values.)

For example, currently in torchx we rely on external tools (curl, wget) to download the lib torch archive in its mix.exs while we could have used this helper function and verify the checksum.

[josevalim]

Thank you for the PR but this whole module is private, so libraries should not be relying on it for anything. :)

[cocoa-xu]

Hmmm, I wonder if we could make it a public API...? Maybe it can reside under a new module? Sometimes I feel like it's just way too many boilerplate code to setup httpc, ssl, public_key in project's mix.exs and it would be really nice if we can have some utilities for this.

[josevalim]

The problem is that I am not sure there is a place in Elixir/Mix for this... it would be very easy for this to grow in complexity as everyone tries to use it.

[jonatanklosko]

For example, currently in torchx we rely on external tools (curl, wget) to download the lib torch archive

FWIW this most likely replicates what we were doing for :xla in the past. We migrated :xla to use :httpc since then.

[cocoa-xu]

it would be very easy for this to grow in complexity as everyone tries to use it.

I agree that this can get quite complicated, but even just providing a somewhat basic API it can already reduce quite a lot of boilerplate code and should be good enough for most cases --

• http and https proxies are supported
• fallback from inet6 to inet (or the other way around)
• hostname checks for HTTPS
• override system cacerts using HEX_CACERTS_PATH
• and checksum verify

[josevalim]

System certificates have been added to OTP. What if we also add convenience functions for the proxy and fallback IP to OTP as well? Then most of this is not needed and widely available everywhere?

[cocoa-xu]

What if we also add convenience functions for the proxy and fallback IP to OTP as well

That would be nice if they add more convenience functions!

With that said, I still think it's not necessary a bad idea to have this utility function in Mix:

From my perspective, most of the time when I want to fetch something at compile-time/when building the library, I have to choose between doing boilerplate code for httpc, or rely on external tools like curl or wget to download the file (and one more external tool if I want to verify the checksum).

Another reason I'd like this utility function in Mix is that, Mix is like the build tool for Elixir, and to fetch files from URLs with checksum verification is something that most build tools have and most importantly, this is probably a quite common scenario when we're doing NIF libraries.

And just fyi, in other build tools, there're

• file() in CMake
• load() in Bazel
• and build.zig.zon in Zig