Context
erlef/setup-beam downloads OTP, Elixir, Gleam, and rebar3 via tc.downloadTool without verifying checksums. Flagged during ASF allowlist review for an Apache incubating project:
ASF maintainers agreed to allow the current SHA conditional on raising this issue.
Proposal
Two options:
A. Fetch-at-install. At download time, fetch the checksum upstream publishes (builds.txt for hex.pm, .sha256 sibling for Gleam) and verify. Same-origin, so it does not defend against a fully compromised mirror, but it catches corruption and partial tampering. Covers OTP linux + Elixir + Gleam (3 of 6 paths). Darwin could potentially be covered with sig-store. No ongoing maintenance.
B. Pinned KNOWN_CHECKSUMS (à la astral-sh/setup-uv). Pin hashes in source via a committed map + weekly regeneration workflow. Cross-origin, covers all 6 paths. ~300 entries for supported versions.
Questions
- Which direction fits the project?
- Concerns about maintenance for option B?