Comments (3)
An option could be to just test for one file and then use the one that was found (`opportunistic`). There should be an option to request both explicitly, or one version specifically. If the ROLIE feed lists just one, and the value `all` is not given, we should just use the ones provided...
from csaf_distribution.
Just thinking: an easy mental model would be: download / mirror what is there.
In the past there were operating systems where one checksum could be calculated out of the box, but another couldn't. So several checksums were provided, to avoid that people would need to install a special application to calculate the checksum. I don't think that this still is the case for systems expected to deal with CSAF 2.0 documents.
If we'd break with the simple mental model above and would be satisfied to only download SHA512, that would save a connection and some space. Then we should implement one behaviour and avoid options unless we understand the use case for them well.
If we implement a preference to sha512 and it is okay to only provide this one, we should check that we only provide it and in the mirroring case calculate it and throw the other one away.
from csaf_distribution.
I think the situation is a little bit more complex:
1. Firstly, for ROLIE feeds, I agree to just use what is there.
2. The same does not apply for directory-distribution.
So the idea to download what is there solves 1. For 2, we would need to give explicit options, which SHA should be requested (and/) or deterministically compute the right choice.
Just downloading SHA512 won't solve the problem as some only provide SHA256... (and vice versa).
from csaf_distribution.
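The selection problem discussed in the comments above, as an added example that is not part of the thread or of the csaf_distribution code base. The policy names `opportunistic` and `all`, the SHA-512-first preference and the `exists` callback are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"strings"
)

var digests = map[string]func([]byte) string{
	"sha512": func(b []byte) string { return fmt.Sprintf("%x", sha512.Sum512(b)) },
	"sha256": func(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) },
}

// selectHashes returns the hash files to request. exists says whether a digest is
// offered: listed in the ROLIE entry, or found by probing (directory distribution).
func selectHashes(exists func(algo string) bool, policy string) []string {
	var out []string
	for _, algo := range []string{"sha512", "sha256"} { // assumed preference order
		if exists(algo) {
			out = append(out, algo)
			if policy == "opportunistic" { // hypothetical policy: first hit is enough
				break
			}
		}
	}
	return out
}

// verify compares doc with a hash file whose first field is the hex digest.
func verify(doc []byte, algo, hashFile string) error {
	digest, ok := digests[algo]
	if !ok {
		return fmt.Errorf("unsupported algorithm %q", algo)
	}
	fields := strings.Fields(hashFile)
	if len(fields) == 0 || !strings.EqualFold(fields[0], digest(doc)) {
		return fmt.Errorf("%s mismatch", algo)
	}
	return nil
}

func main() {
	doc := []byte(`{"document":{}}`) // constructed sample, not a real advisory
	hashFile := fmt.Sprintf("%x  sample.json\n", sha256.Sum256(doc))
	only256 := func(algo string) bool { return algo == "sha256" } // SHA-256-only provider
	algos := selectHashes(only256, "opportunistic")
	fmt.Println(algos, verify(doc, algos[0], hashFile))
}
```

An empty result from `selectHashes` means the provider offers neither digest, which a caller should treat as a distinct condition rather than as a successful check.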