-
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 2 replies
-
It's unlikely we would ignore the SHA256 check by default or specify that behavior in a manifest. We don't always know which packages have what we're calling a "vanity URL". In some cases, even what appears to be a versioned URL will have a hash mismatch when a publisher updates the binary it's pointing to. We've created a couple of related Issues, but they haven't received much attention in terms of 👍 to raise priority.
We do perform daily scans for all installer URLs to detect and autocorrect where we can. |
Beta Was this translation helpful? Give feedback.
-
Ok, bu what can we do now? |
Beta Was this translation helpful? Give feedback.
-
On the approval end, there is awareness of these. If an action is decided, it can easily be implemented: An example from the current log:
The |
Beta Was this translation helpful? Give feedback.
It's unlikely we would ignore the SHA256 check by default or specify that behavior in a manifest. We don't always know which packages have what we're calling a "vanity URL".
In some cases, even what appears to be a versioned URL will have a hash mismatch when a publisher updates the binary it's pointing to.
We've created a couple of related Issues, but they haven't received much attention in terms of 👍 to raise priority.
We do perform daily scans for all installer URLs to detect and autocorrect where we can.