Generate hash during the build chain to verify content is unchanged
Summary
In order to provide some assurance that downloads of the ICDS are 'untampered', we should provide a hash number at the point of releasing a new build.
💬 Description
A hash number is unique to the build and can be used by customers to verify that their download has been untouched.
Why do we need it?
Further reading on why hashes are important for open source code can be found here: https://proprivacy.com/guides/how-why-and-when-you-should-hash-check
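As an added illustration of the request above (not part of the original issue and not ICDS project code): a Node.js sketch that writes a SHA-256 manifest for a build output directory at release time and lets a consumer check a download against it. The function names and the `dist` layout are assumptions made for this example.

```javascript
const crypto = require("node:crypto");
const fs = require("node:fs");
const path = require("node:path");

// Hex SHA-256 of one file's bytes.
function sha256File(file) {
  return crypto.createHash("sha256").update(fs.readFileSync(file)).digest("hex");
}

// Regular files under dir as sorted "/"-separated relative paths (symlinks are skipped).
function listFiles(dir, base = dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) return listFiles(full, base);
    return entry.isFile() ? [path.relative(base, full).split(path.sep).join("/")] : [];
  }).sort();
}

// Build step: one "<sha256>  <path>" line per file, the layout `sha256sum -c` reads.
function buildManifest(distDir) {
  return listFiles(distDir).map((rel) => `${sha256File(path.join(distDir, rel))}  ${rel}\n`).join("");
}

// Consumer step: compare a downloaded tree with the published manifest.
function verifyManifest(distDir, manifest) {
  const expected = new Map(manifest.split("\n").filter(Boolean).map((l) => [l.slice(66), l.slice(0, 64)]));
  const present = new Set(listFiles(distDir));
  const result = { modified: [], missing: [], unexpected: [] };
  for (const [rel, hash] of expected) {
    if (!present.has(rel)) result.missing.push(rel);
    else if (sha256File(path.join(distDir, rel)) !== hash) result.modified.push(rel);
  }
  for (const rel of present) if (!expected.has(rel)) result.unexpected.push(rel);
  result.ok = !(result.modified.length || result.missing.length || result.unexpected.length);
  return result;
}

// Constructed sample: a throwaway "dist" tree, altered after its manifest was generated.
function demo() {
  const dist = fs.mkdtempSync(path.join(require("node:os").tmpdir(), "dist-"));
  fs.mkdirSync(path.join(dist, "esm"));
  fs.writeFileSync(path.join(dist, "index.js"), "export const v = 1;\n");
  fs.writeFileSync(path.join(dist, "esm", "loader.js"), "export {};\n");
  const manifest = buildManifest(dist);
  const clean = verifyManifest(dist, manifest);
  fs.appendFileSync(path.join(dist, "index.js"), "// changed after release\n");
  const tampered = verifyManifest(dist, manifest);
  fs.rmSync(dist, { recursive: true, force: true });
  return { manifest, clean, tampered };
}
```

A manifest published beside the artefacts only catches corruption, because anyone able to replace the download can replace the manifest too. For the tamper assurance the issue asks for, sign the manifest or publish it through a channel separate from the download.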
Do you need this to be on release/package distribution level? That makes sense.
If you release via GitHub in addition to npm, they do validation.
- https://github.com/nasa/openmct/blob/de122b91c26900dacb4ffa51b2d264c97be9987a/.webpack/webpack.common.mjs#L24-L29
- https://unix.stackexchange.com/a/460547
- https://stackoverflow.com/a/26853049
- If Stencil provides an API to inject environment variables to the main build and the react+nextjs build targets, we can inject the environment variables to each target.
- If that is impossible, we need to write a script and inject the env variables into each bundle ourselves.
possible implementation
I've managed to get the needed data available within the scope of the web components, but not added to the window object. It seems like that is removed on build.
@GCHQ-Developer-299 I have a suggestion:
Maybe you should add a stencil component named ic-stats where the customer can import that component to get version number, build time and hash themselves?
If so, I can set up a simple PR that shows you how to access the variables - it's pretty straightforward.
The team that requested this have found a workaround so we're putting this in Future Release for now.
OK, that's good!
Fixed and should be closed if you’re ok with the implementation.
Thank you for the suggestion and contribution, we have decided not to move forward with this work as it is no longer needed.