Improve SHA* requests for downloader about csaf_distribution HOT 3 OPEN

An option could be to just test for one file and then use the one that was found (opportunistic). There should be an option to request both explicit, or one version specifically. If the ROLIE feed lists just one, and the value all is not given, we should just use the ones provided...

from csaf_distribution.

Just thinking: an easy mental model would be: download / mirror what is there.

In the past there were operating system where one checksum could be calculated out of the box, but another couldn't. So several checksums were provided, to avoid that people would need to install a special application to calculate the checksum. I don't think that this still is the case for systems expected to deal with CSAF 2.0 documents.

If we'd break with the simple mental model above and would be satisfied to only download SHA512, that would save a connection and some space. Then we should implement one behaviour and avoid options unless we understand the use case for them well.

If we implement a preference to sha512 and it is okay to only provide this one, we should check that we only provide it and in the mirroring case calculate it and throw the other one away.

from csaf_distribution.

I think the situation is a little bit more complex:

1. Firstly, for ROLIE feeds, I agree to just use what is there.
2. The same does not apply for directory-distribution.

So the idea to download what is there solves 1. For 2, we would need to give explicit options, which SHA should be requested (and/) or deterministically compute the right choice.

Just downloading SHA512 won't solve the problem as some only provide SHA256... (and vice versa).

from csaf_distribution.