Automatic hash generation

[bojidar-bg]

Currently, as done in 25809e0109222b821617451a66d008c2d5948e17, the asset's hash would be set manually by the moderator on asset accept, which isn't too good in the long run. We should either proxy asset zips and construct the hash while resending it, or downloading the zip and having mods ensure that they've downloaded the same zip.

[Marqin]

Why not use just simple hash (even md5 if you don't like long) for asset URL and internaly check everything by demanding developers to sign their packages with GPG?

[akien-mga]

Most Godot users that would like to submit assets likely don't know how to use git, so when it comes to asking them to sign their packages with GPG...

Hashing the URL is not enough as the asset can change while the URL would stay the same (e.g. if users give the URL of their GitHub repo's master zip archive). So having the sha256sum of the archive itself is necessary not only for security, but also to keep track of changing versions (e.g. if the new state of the master branch of an approved asset breaks compatibility with Godot 2.x, we'd want to make sure this is reflected in the asset's properties).

[Marqin]

I never said to hash the URL.

[akien-mga]

Why not use just simple hash (even md5 if you don't like long) for asset URL

Maybe I misunderstood.

[Marqin]

for

is not

of

...

for

Means that asset download URL is like http://example.com/assetstore/asset/d41d8cd98f00b204e9800998ecf8427e.zip

[akien-mga]

Sorry, I'm obviously not a native English speaker.

[bojidar-bg]

@Marqin You could have just said

simple hash (even md5 if you don't like long) [of the] asset

..And it would have been all good. But anyway, lets go on with the discusson.

[akien-mga]

Not blocking for beta, though would be really nice to have ;)

[Calinou]

• Superseded by https://github.com/godotengine/godot-asset-library/pull/209.