OpenNoteBlockStudio

Require source link and version when binary files are committed

Open Marcono1234 opened this issue 4 years ago • 2 comments

Is your feature request related to a problem? Please describe. This project consists of some binary executables and #84 added another one. For these binary files neither the source of them nor version information is provided. This makes it difficult to verify that the files are not malicious. I am not accusing anyone of including malicious files, but I would feel safer if there was a way to easily verify it.

Describe the enhancement you'd like. When a binary file is newly added or replaced, the commit message or, even better, an additional file with meta information should describe:

  • Where the file came from, i.e. where it was downloaded from
  • The version of the file

This would allow others to verify that the file is legit by comparing the checksums.

Marcono1234, Oct 16 '19 15:10

I understand the problem with malicious files, apologies for not having provided a link to the source file. Could you be a bit clearer about "additional file with meta information"? Should this just be a plain text file containing a link to the file and its version?

Bentroen, Oct 16 '19 23:10

After all this issue is only a suggestion (even though it did not sound like it). It is your project and you decide how it should be :)

> Could you be a bit clearer about "additional file with meta information"?

I don't really know how GameMaker Studio works, though I saw that your datapack export changes added a 7za.exe.yy file. If that allows storing custom information which is not interpreted by GameMaker Studio, like version and download URL, then that could be the solution. Otherwise, for example, if the binary file is named 7za.exe, you could add a 7za.exe.meta file (or similar) which could then contain the information, assuming GameMaker Studio ignores the file.

Choose whatever works best for you. If you think it is enough to have this information in commit messages, then I won't have a problem with that either. It makes it slightly harder to get this information, but it is definitely possible. Though with a separate file it is also easy to forget to update it when replacing / removing the corresponding binary file.

Marcono1234, Oct 20 '19 12:10
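
The sidecar-file idea from the thread, sketched as an added example (not part of the issue or the project's code): a check that every committed binary has a `<name>.meta` file and that flags the "forgot to update it" cases raised in the last comment. The `key = value` layout, the `sha256` field, the suffix list and the sample tree are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

BINARY_SUFFIXES = {".exe", ".dll"}                   # assumption: what counts as a binary
REQUIRED_KEYS = ("source_url", "version", "sha256")  # assumed sidecar fields

def parse_meta(path):
    """Parse 'key = value' lines; lines starting with '#' are comments."""
    lines = (l.strip() for l in path.read_text(encoding="utf-8").splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(root):
    """Return (relative_path, problem) findings for the tree under root."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in BINARY_SUFFIXES:
            sidecar = path.with_name(path.name + ".meta")
            meta = parse_meta(sidecar) if sidecar.is_file() else None
            missing = [k for k in REQUIRED_KEYS if not (meta or {}).get(k)]
            if meta is None:
                findings.append((rel, "no sidecar"))
            elif missing:
                findings.append((rel, "missing fields: " + ", ".join(missing)))
            elif meta["sha256"].lower() != hashlib.sha256(path.read_bytes()).hexdigest():
                findings.append((rel, "sha256 mismatch"))  # binary replaced, sidecar stale
        elif path.suffix == ".meta" and not path.with_suffix("").is_file():
            findings.append((rel, "orphaned sidecar"))     # binary removed, sidecar left
    return findings

def demo():
    """Audit a constructed tree: one documented, one stale, one undocumented, one orphan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        def put(name, data, recorded=None):
            (root / name).write_bytes(data)
            if recorded is not None:  # placeholder URL and version, not real values
                text = "source_url = https://example.invalid/" + name + "\n"
                text += "version = 0.0-constructed\nsha256 = " + recorded + "\n"
                (root / (name + ".meta")).write_text(text, encoding="utf-8")
        put("7za.exe", b"constructed A", hashlib.sha256(b"constructed A").hexdigest())
        put("stale.exe", b"new build", hashlib.sha256(b"old build").hexdigest())
        put("nometa.dll", b"constructed B")
        (root / "gone.exe.meta").write_text("version = 0.0-constructed\n", encoding="utf-8")
        return audit(root)

if __name__ == "__main__":
    print(*(f"{rel}: {problem}" for rel, problem in demo()), sep="\n")
```

A matching recorded hash only shows that the binary and its sidecar agree with each other; confirming the file is the upstream release still means downloading it from `source_url` and comparing checksums, as the issue describes.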