[Bug]: Missing checksum verification for released binaries about floorp HOT 15 CLOSED

Is that a feature request or a problem report?

Personally, I think of missing checksum files as a security issue, therefore I think this is a bug.

from floorp.

https://github.com/Floorp-Projects/Floorp/releases/beta

from floorp.

Is that a feature request or a problem report?

from floorp.

I see.
I'm just asking because some people post feature requests on Issues. Sorry if I offended you.

from floorp.

I see. I'm just asking because some people post feature requests on Issues. Sorry if I offended you.

It's okay -- no offense taken :)

from floorp.

Is this mandatory for Floorp that is signing?

from floorp.

Is this mandatory for Floorp that is signing?

Okay, then how do I know nobody has tampered with your builds?

Generating checksum files (with hashes of binaries) is standard practice today.

from floorp.

As you probably know, tampering with signed software will erase the signature.

So I consider it unnecessary.

from floorp.

As you probably know, tampering with signed software will erase the signature.

So I consider it unnecessary.

But I want to install from your tar archive in the latest release page on github... It is not hard to generate a checksum file.

from floorp.

It is tedious to take action many times.

It is burdensome for me to add more work to do to release things.

If you are not comfortable with what is raised in the release, it would be better to download it from the GitHub actions artifact.

However, I will process it as a feature request. If it ends up only modifying the workflow, I'll run it.

from floorp.

It is tedious to take action many times.

It is burdensome for me to add more work to do to release things.

If you are not comfortable with what is raised in the release, it would be better to download it from the GitHub actions artifact.

However, I will process it as a feature request. If it ends up only modifying the workflow, I'll run it.

Sorry, I don't think it is tedious, and you have to do it only one time. You need to add it to the build procedure, and the file will be created automatically on each build. After that, you never need to touch it.

This is common practice. If you don't want to do that people will not be comfortable downloading the tar files without a checksum verification, and your software will not gain traction.

I for one will not install it without a checksum verification. (And that is not signing, I hope you know... anybody can tamper with the binary tar.gz)

from floorp.

I haven't seen many people who feel they don't want to download unless they can check the checksum.

If we can include it in the build process, we add it. If not, we do not.

I am a only developer and it would be burdensome to do this manually many times.

I develop as I please.

As I reseach major browsers, Most of them dont show checksum.

from floorp.

Jesus! I gave you examples of projects that do it already here on github:

https://github.com/yt-dlp/yt-dlp

https://github.com/keepassxreboot/keepassxc

https://github.com/VSCodium/vscodium

Mozilla publishes the checksums of Firefox release here: https://releases.mozilla.org/pub/firefox/releases/123.0/

See in that folder: SHA256* or SHA512* files.

from floorp.

Ok Try ut.

from floorp.

Added to Workflow

from floorp.