Add `ignore_hash` option in settings.ini #684
Conversation
This allows aqt to work even when the server download.qt.io is unreachable.
Signed-off-by: Alberto Mardegan <mardy@users.sourceforge.net>
You could save yourself and a lot of users some trouble by checking the sha1 hash (just pass
We started having trouble with #521 when we moved to sha256 for security reasons. The sha256 hash is often unavailable at mirrors, and not available for a few hours after new releases are uploaded. Whatever you call the new option, I think we need to make it extremely clear that this option is insecure and not for production use. Personally, I would include the text
Also, this feature is going to need documentation (see
def download_bin(_base_url): | ||
url = posixpath.join(_base_url, qt_package.archive_path) | ||
logger.debug("Download URL: {}".format(url)) | ||
return downloadBinaryFile(url, archive, "sha256", hash, timeout) | ||
return downloadBinaryFile(url, archive, Settings.hash_algorithm, hash, timeout) |
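Review bot: the replaced `return` still passes `hash` into the `exp: bytes` parameter of `downloadBinaryFile`, but elsewhere in this PR `hash` is set to `None` whenever `Settings.ignore_hash` is true (`hash = get_hash(...) if not Settings.ignore_hash else None`), so swapping the hard-coded `"sha256"` for `Settings.hash_algorithm` leaves the no-hash path reaching a parameter typed `bytes`. Either widen the signature to `exp: Optional[bytes]` and have `downloadBinaryFile` skip the comparison when it is `None` (logging that the archive was not verified, since the option is explicitly insecure), or branch before this `return` so the `None` case never reaches it; and document the option as not for production use, as requested above.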
reportGeneralTypeIssues: Argument of type "bytes | None" cannot be assigned to parameter "exp" of type "bytes" in function "downloadBinaryFile"
Type "bytes | None" cannot be assigned to type "bytes"
Type "None" cannot be assigned to type "bytes"
As Sonatype pointed out for you @lebarsfa, the `downloadBinaryFile` method only accepts an argument passed by `hash` that is of `bytes` type.
See `def downloadBinaryFile(url: str, out: Path, hash_algo: str, exp: bytes, timeout: Tuple[float, float]) -> None:`
You make the variable `hash` able to be `None`:
`hash = get_hash(qt_package.archive_path, Settings.hash_algorithm, timeout) if not Settings.ignore_hash else None`
Please fix the type inconsistency.
Here are some changes:
I am not sure of what to do with sonatype-lift comments, I did not have them on my fork...
Please fix the review comments that the Sonatype bot gives you.
express default value of hash_algorithm
Signed-off-by: Hiroshi Miura <miurahr@linux.com>
- Python 3.9 and later introduce a keyword argument ``usedforsecurity``
- Set to False because we use the hash to check file integrity, not for password hashing.
Signed-off-by: Hiroshi Miura <miurahr@linux.com>
Based on the work of @mardy and as a quick workaround for some problems described in #521 and #224, here is a proposition to add an `ignore_hash` option in `settings.ini`. When set to `True`, `sha256` hashes would not be checked.
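One way to close the `bytes | None` gap raised in the review above and to implement the `ignore_hash` semantics this description gives, as an added example that is not aqt's own code: the expected hash is typed `Optional[bytes]`, `None` is accepted only as the explicit ignore_hash case and logged loudly, and the hasher is created with `usedforsecurity=False` on Python 3.9+ as the commit message above describes. `new_hasher`, `verify_file_hash`, `demo` and the logger name are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import logging
import sys
import tempfile
from pathlib import Path
from typing import Optional

logger = logging.getLogger("aqt_example")  # hypothetical logger name


def new_hasher(hash_algo: str):
    """Hasher for the configured hash_algorithm; usedforsecurity needs Python 3.9+."""
    # We hash to check file integrity, not passwords, so the flag is appropriate.
    if sys.version_info >= (3, 9):
        return hashlib.new(hash_algo, usedforsecurity=False)
    return hashlib.new(hash_algo)


def verify_file_hash(path: Path, hash_algo: str, expected: Optional[bytes]) -> bool:
    """True if `path` matches `expected`, or if checking was explicitly disabled."""
    # `expected` is None only when ignore_hash=True was set: accept the archive
    # unverified, but log it so the insecure choice is visible in the output.
    if expected is None:
        logger.warning("ignore_hash is set: %s was NOT verified", path)
        return True
    hasher = new_hasher(hash_algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            hasher.update(chunk)
    # constant-time comparison of raw digest bytes (what get_hash would return)
    return hmac.compare_digest(hasher.digest(), expected)


def demo() -> dict:
    """Constructed sample: a fake archive checked with a good, a wrong and no hash."""
    payload = b"constructed sample archive contents\n"
    good = hashlib.sha256(payload).digest()
    wrong = bytes(len(good))  # all-zero digest of the same length
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "sample.7z"
        archive.write_bytes(payload)
        return {
            "correct_hash": verify_file_hash(archive, "sha256", good),
            "wrong_hash": verify_file_hash(archive, "sha256", wrong),
            "ignore_hash": verify_file_hash(archive, "sha256", None),
        }
```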