Description
Since tarball's hashes are supposed to be stable, it would be great if the hashes of these tarballs (or unpacked contents) were published. Either in https://packages.typst.org/preview/index.json or somewhere else.
- To confirm that what we receive is what was published
- To confirm that once downloaded, that the packages remain the same throughout the time there are in the cache directory.
I wouldn't really expect this to be checked every time a typst document is built, but would be nice to be able to verify.
My first thought of getting the hash of the unpacked contents was to recursively hash the contents of the package repo itself. But that is not quite valid as publishing seems to prune files. Which I guess I could replicate, but it seems like publishing integrity hashes for each package itself is a worthwhile feature.
Description
Since tarball's hashes are supposed to be stable, it would be great if the hashes of these tarballs (or unpacked contents) were published. Either in
https://packages.typst.org/preview/index.jsonor somewhere else.I wouldn't really expect this to be checked every time a typst document is built, but would be nice to be able to verify.
My first thought of getting the hash of the unpacked contents was to recursively hash the contents of the package repo itself. But that is not quite valid as publishing seems to prune files. Which I guess I could replicate, but it seems like publishing integrity hashes for each package itself is a worthwhile feature.