Skip to content

Publish download checksums on /downloads/ and /releases/ #123

Description

@kojiromike

The new /downloads/ and /releases/ pages added in #122 link directly to release archive URLs (GitHub auto-archive for 8.x, SourceForge for older releases) but don't surface a checksum next to each link. Without a published SHA-256 (or similar) anyone downloading the tarball or zip has no out-of-band way to verify the file they fetched matches what we shipped — particularly relevant for SourceForge mirrors and for any environment where the download path runs over an opportunistic CDN.

A future enhancement: include sha256 (and optionally sha512) for each archive, render alongside the download link, and ideally as a separate *.sha256 text file the user can sha256sum -c.

Implementation notes (for whoever picks this up):

  • Modern releases (8.0.0+) — checksums of GitHub auto-archives can be computed in the release-docs workflow on openemr-tag (download, hash, store in data/releases.json under each entry). Schema would gain an optional archive_checksums object mirroring archive_urls.
  • Historical releases — SourceForge does not publish per-file checksums in a stable, scriptable way. Either (a) compute hashes once by hand and commit them to the manifest, or (b) skip historical rows and only show checksums for new releases going forward.
  • The /downloads/ and /releases/ Hugo layouts then render whatever archive_checksums is present.

Out of scope for #122 (which intentionally only ports the wiki content). Filing as follow-up.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions