Publish checksums with releases
@comius points this out in https://github.com/bazelbuild/rules_proto/pull/205/files#r1524512758
Currently users of protobuf can download releases from https://github.com/protocolbuffers/protobuf/releases - however they have no way to guarantee that the bytes they downloaded are the same that were published. A man-in-the-middle attack could tamper with the binary, for example, injecting a supply-chain-security vulnerability into the generated protobuf stub code.
Like many GitHub-released projects, there ought to be a checksums.txt file included as an additional release asset. This could be in the form of a .sha256-suffixed file for each release artifact, like https://github.com/astral-sh/ruff/releases or (more convenient IMO) a single checksums.txt file like https://github.com/google/yamlfmt/releases
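To show what a downstream consumer would do with such a file, here is an added example (not code from the protobuf project or from this issue) that verifies a downloaded release asset against either a single checksums.txt or a per-artifact .sha256 sidecar in `sha256sum` line format; the asset names and digests in it are constructed, not real protobuf release values.

```python
"""Verify a downloaded release asset against a published checksum file.

Both a per-artifact `.sha256` sidecar and a single `checksums.txt` are
assumed to use the `sha256sum` line format: "<hex digest>  <filename>",
with an optional leading '*' on the filename (binary mode). A sidecar
holding only a bare digest and no file name is also accepted.
"""
import hashlib
import hmac
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_checksums(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest; '' is used for a bare digest."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        name = parts[1].strip().lstrip("*") if len(parts) > 1 else ""
        if len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[name] = digest
    return expected


def verify_bytes(data: bytes, name: str, checksums_text: str) -> bool:
    """True only if data's SHA-256 matches the published entry for name."""
    expected = parse_checksums(checksums_text)
    digest = expected.get(name)
    if digest is None and list(expected) == [""]:
        digest = expected[""]  # bare-digest sidecar without a file name
    if digest is None:
        return False  # unlisted asset: fail closed rather than pass
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, digest)


def verify_asset(asset: Path, checksum_file: Path) -> bool:
    """File-based wrapper; reads the whole asset into memory (hypothetical helper)."""
    return verify_bytes(asset.read_bytes(), asset.name, checksum_file.read_text())


# Constructed sample: digest of b"abc" listed under a made-up asset name.
SAMPLE_CHECKSUMS_TXT = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  protoc-99.0-linux-x86_64.zip\n"
)

if __name__ == "__main__":
    print(verify_bytes(b"abc", "protoc-99.0-linux-x86_64.zip", SAMPLE_CHECKSUMS_TXT))
```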