added more checksum types #14008

Closed


cocoa-xu
Contributor

Added more checksum types to the list so libraries can make use of `Mix.Utils.read_path/2` at compile-time to download resources and verify the integrity (without having to calculate SHA512 if the original source only gives SHA256 or some other hash values).

For example, currently in torchx we rely on external tools (curl, wget) to download the lib torch archive in its mix.exs while we could have used this helper function and verified the checksum.

@josevalim
Member

Thank you for the PR but this whole module is private, so libraries should not be relying on it for anything. :)

@cocoa-xu
Contributor Author

cocoa-xu commented Nov 21, 2024

Hmmm, I wonder if we could make it a public API...? Maybe it can reside under a new module? Sometimes I feel like it's just way too much boilerplate code to set up httpc, ssl, public_key in a project's mix.exs and it would be really nice if we could have some utilities for this.

@josevalim
Member

The problem is that I am not sure there is a place in Elixir/Mix for this... it would be very easy for this to grow in complexity as everyone tries to use it.

@jonatanklosko
Member

> For example, currently in torchx we rely on external tools (curl, wget) to download the lib torch archive

FWIW this most likely replicates what we were doing for :xla in the past. We migrated :xla to use :httpc since then.

@cocoa-xu
Contributor Author

> it would be very easy for this to grow in complexity as everyone tries to use it.

I agree that this can get quite complicated, but even just providing a somewhat basic API can already reduce quite a lot of boilerplate code and should be good enough for most cases --

  • http and https proxies are supported
  • fallback from inet6 to inet (or the other way around)
  • hostname checks for HTTPS
  • override system cacerts using HEX_CACERTS_PATH
  • and checksum verification

@josevalim
Member

System certificates have been added to OTP. What if we also add convenience functions for the proxy and fallback IP to OTP as well? Then most of this is not needed and widely available everywhere?
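The hostname check, system certificates and checksum verification discussed above, sketched with plain `:httpc` as an added example that is not part of the thread, of Mix, or of torchx. The module name `VerifiedFetch`, its functions and the `"algo:hex"` checksum format are assumptions of this example, `:public_key.cacerts_get/0` needs OTP 25 or later, and proxy support and the inet6 fallback are left out.

```elixir
# Added example: VerifiedFetch and its functions are hypothetical names,
# not part of Mix, Hex or torchx.
defmodule VerifiedFetch do
  # Allow-list chosen for this example; the "algo:hex" format is an assumption.
  @algos %{"sha256" => :sha256, "sha384" => :sha384, "sha512" => :sha512}

  # Returns {:ok, body} only when the downloaded bytes match `expected`,
  # e.g. "sha256:<hex digest published by the source>".
  def fetch(url, expected) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)

    # Parse the checksum first so a bad spec fails before any network I/O.
    with {:ok, algo, hex} <- parse_checksum(expected),
         {:ok, body} <- get(url) do
      verify(body, algo, hex)
    end
  end

  def parse_checksum(expected) do
    with [name, hex] <- String.split(expected, ":", parts: 2),
         {:ok, algo} <- Map.fetch(@algos, name) do
      {:ok, algo, String.downcase(hex)}
    else
      _ -> {:error, :unsupported_checksum}
    end
  end

  def verify(body, algo, hex) do
    actual = Base.encode16(:crypto.hash(algo, body), case: :lower)
    if actual == hex, do: {:ok, body}, else: {:error, {:checksum_mismatch, actual}}
  end

  defp get(url) do
    # Verify the chain against the OS trust store and match the hostname.
    ssl = [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
    ]

    http_opts = [ssl: ssl, timeout: 30_000]
    case :httpc.request(:get, {String.to_charlist(url), []}, http_opts, body_format: :binary) do
      {:ok, {{_, 200, _}, _headers, body}} -> {:ok, body}
      {:ok, {{_, status, _}, _headers, _body}} -> {:error, {:http_status, status}}
      {:error, reason} -> {:error, reason}
    end
  end
end
```

A caller should write the body to disk only on `{:ok, body}`; any other return, including a TLS failure or a digest mismatch, means the bytes must not be used.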

@cocoa-xu
Contributor Author

> What if we also add convenience functions for the proxy and fallback IP to OTP as well

That would be nice if they add more convenience functions!

With that said, I still think it's not necessarily a bad idea to have this utility function in Mix:

From my perspective, most of the time when I want to fetch something at compile-time/when building the library, I have to choose between writing boilerplate code for httpc, or relying on external tools like curl or wget to download the file (and one more external tool if I want to verify the checksum).

Another reason I'd like this utility function in Mix is that Mix is like the build tool for Elixir, and fetching files from URLs with checksum verification is something that most build tools have and, most importantly, this is probably quite a common scenario when we're doing NIF libraries.

And just fyi, in other build tools, there're

@cocoa-xu cocoa-xu closed this Dec 9, 2024