Update: we decided to remove the project_digest field from the index.
Discussion extracted from #308:
@andrius-puksta-sensmetry wrote in #308 (comment):
A separate option would be to remove project_digest from versions.json and incur two additional roundtrips to get .project.json/.meta.json. This would avoid having the contract altogether, and clients can calculate their checksums however they see fit.
@consideRatio wrote:
But project_digest aka. checksum has relevance out of scope of the index interactions, right? For example, if you have a lockfile, and then you have some remote .kpar or other kind of project source you download on sysand sync using the lockfile.
@consideRatio wrote:
So lock determines project_digest by inspecting the .json files, which it already does since we expose them in full.
@consideRatio wrote:
While lock can still compute the digest, we would no longer have a way to verify that the downloaded json files were as intended.
If you delegate downloading of files to mirrors etc, you often want to verify that they serve what they should. In the current sysand index server, access of versions.json is from the main webserver, while access of .meta.json and .project.json, and the .kpar, is from object storage.
I trust this object storage as much as I trust the main webserver in this case, but by removing project_digest from versions.json we would lock in a requirement on trusting the backend serving the .meta.json and .project.json files. Maybe that is okay, but it's the drawback I think of.
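An added illustration of the verification step discussed above (example code, not sysand's own): the client takes project_digest from the versions.json served by the index webserver and checks the .project.json/.meta.json it fetched from object storage against it, so a mirror that serves altered content is rejected. The digest contract (SHA-256 over both files, .project.json first), the URL layout and the sample files are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample files, standing in for what object storage serves.
PROJECT_JSON = b'{"name": "example-project", "version": "1.0.0"}\n'
META_JSON = b'{"index": "example-index"}\n'


def project_digest(project_json: bytes, meta_json: bytes) -> str:
    """Assumed digest contract: SHA-256 over .project.json bytes, then .meta.json bytes."""
    h = hashlib.sha256()
    h.update(project_json)
    h.update(meta_json)
    return "sha256:" + h.hexdigest()


# Constructed versions.json entry, as served by the (trusted) index webserver.
VERSIONS_INDEX = {
    "1.0.0": {
        "project_url": "storage/1.0.0/.project.json",
        "meta_url": "storage/1.0.0/.meta.json",
        "project_digest": project_digest(PROJECT_JSON, META_JSON),
    }
}


def honest_storage(url: str) -> bytes:
    """Object storage / mirror that serves exactly what the index expects."""
    return {"storage/1.0.0/.project.json": PROJECT_JSON,
            "storage/1.0.0/.meta.json": META_JSON}[url]


def tampered_storage(url: str) -> bytes:
    """Mirror that serves a modified .meta.json; the index digest should catch this."""
    data = honest_storage(url)
    return data.replace(b"example-index", b"other-index") if url.endswith(".meta.json") else data


def resolve(version: str, fetch) -> tuple[bytes, bytes]:
    """Fetch the two files via `fetch` and accept them only if they match the index digest."""
    entry = VERSIONS_INDEX[version]
    project, meta = fetch(entry["project_url"]), fetch(entry["meta_url"])
    actual = project_digest(project, meta)
    if not hmac.compare_digest(actual, entry["project_digest"]):
        raise ValueError(f"{version}: project_digest mismatch (index {entry['project_digest']}, storage {actual})")
    return project, meta


def storage_is_consistent(fetch) -> bool:
    """True if the files served by `fetch` pass verification against versions.json."""
    try:
        resolve("1.0.0", fetch)
        return True
    except ValueError:
        return False
```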