-
-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ignore_hash
option in settings.ini
#684
Conversation
This allows aqt to work even when the server download.qt.io is unreachable. Signed-off-by: Alberto Mardegan <mardy@users.sourceforge.net>
You could save yourself and a lot of users some trouble by checking the sha1 hash (just pass We started having trouble with #521 when we moved to sha256 for security reasons. The sha256 hash is often unavailable at mirrors, and not available for a few hours after new releases are uploaded. Whatever you call the new option, I think we need to make it extremely clear that this option is insecure and not for production use. Personally, I would include the text Also, this feature is going to need documentation (see |
|
||
def download_bin(_base_url): | ||
url = posixpath.join(_base_url, qt_package.archive_path) | ||
logger.debug("Download URL: {}".format(url)) | ||
return downloadBinaryFile(url, archive, "sha256", hash, timeout) | ||
return downloadBinaryFile(url, archive, Settings.hash_algorithm, hash, timeout) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reportGeneralTypeIssues: Argument of type "bytes | None" cannot be assigned to parameter "exp" of type "bytes" in function "downloadBinaryFile"
Type "bytes | None" cannot be assigned to type "bytes"
Type "None" cannot be assigned to type "bytes"
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
Command | Usage |
---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As Sonatype pointed out for you @lebarsfa , downloadBinaryFile
method only accept argument passed by hash
should be bytes
variable type.
see def downloadBinaryFile(url: str, out: Path, hash_algo: str, exp: bytes, timeout: Tuple[float, float]) -> None:
You make variable hash
able to be None
hash = get_hash(qt_package.archive_path, Settings.hash_algorithm, timeout) if not Settings.ignore_hash else None
Please fix a type inconsistency.
Here are some changes:
I am not sure of what to do with sonatype-lift comments, I did not have them on my fork... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please fix the review comments that Sonatype bot give you
express default value of hash_algorithm Signed-off-by: Hiroshi Miura <miurahr@linux.com>
- Python 3.9 and later introduce a keyword argument ``usedforsecurity`` - Set to False because we use hash to check file integrity not for password hash. Signed-off-by: Hiroshi Miura <miurahr@linux.com>
Based on the work of @mardy and as a quick workaround for some problems described in #521 and #224, here is a proposition to add
ignore_hash
option insettings.ini
. When set toTrue
,sha256
hashes would not be checked.