New Issue: adding checksumming to mason

17182, "mppf", "adding checksumming to mason", "2021-02-18T13:44:05Z"

It would be good for mason to have the ability to verify checksums of projects to make sure that all of the data has been downloaded correctly, has not been corrupted, and has not been tampered with.

This project includes multiple components:

  • add capability to store a checksum for a mason package in its toml file
  • add capability to compute the checksum for a mason package and automatically update the .toml file with it
    • the checksum should include all files included in the package except that the checksum field in the .toml file should be replaced with a placeholder or left out
  • add capability for a dependency to include a checksum
    • note that this shouldn't include verifying its own checksum since we don't know it when we compute the checksum
  • add a way to verify that package contents match their checksums
  • decide when to do the verification automatically (and provide a way to disable it temporarily)

There already is a pure Chapel SHA-256 implementation that can be used for this effort:
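
Added example, not part of the original issue and not the Chapel SHA-256 implementation referred to above: the compute, store and verify steps from the component list, written in Python with `hashlib` standing in for the Chapel code. The manifest name `Mason.toml`, the `checksum = "<hex>"` field syntax, the length-prefixed hashing layout and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, re
from pathlib import Path

MANIFEST = "Mason.toml"  # assumed manifest name
# Assumed field syntax: checksum = "<hex>" on a line of its own.
FIELD = re.compile(rb'^checksum\s*=\s*"([0-9a-f]*)"[ \t]*$', re.M)

def package_checksum(root):
    """SHA-256 over every file, with the stored checksum value blanked."""
    root, h = Path(root), hashlib.sha256()
    files = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel in sorted(files):  # stable order, independent of the filesystem
        data = files[rel].read_bytes()
        if rel == MANIFEST:
            data = FIELD.sub(b'checksum = ""', data)  # placeholder, per the issue
        name = rel.encode()
        # Length-prefix name and content so file boundaries are unambiguous.
        h.update(len(name).to_bytes(8, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def update_manifest(root):
    """Compute the checksum and write it into the manifest's checksum field."""
    digest = package_checksum(root)
    path = Path(root) / MANIFEST
    new, n = FIELD.subn(b'checksum = "%s"' % digest.encode(), path.read_bytes())
    if n != 1:
        raise ValueError("expected exactly one checksum field")
    path.write_bytes(new)
    return digest

def verify(root):
    """True only if a checksum is stored and matches the package contents."""
    m = FIELD.search((Path(root) / MANIFEST).read_bytes())
    stored = m.group(1).decode() if m else ""
    return bool(stored) and hmac.compare_digest(stored, package_checksum(root))

def make_sample(root):
    """Constructed sample package, not a real mason package."""
    (Path(root) / "src").mkdir()
    (Path(root) / MANIFEST).write_text('[brick]\nname = "demo"\nchecksum = ""\n')
    (Path(root) / "src" / "demo.chpl").write_text('writeln("hi");\n')

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        make_sample(d)
        print(update_manifest(d), verify(d))
```

A checksum stored inside the package only detects corruption, because anyone who can alter the files can also rewrite the field. Detecting tampering needs the expected value to come from outside the package, such as the dependency entry listed among the components above.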