The new /downloads/ and /releases/ pages added in #122 link directly to release archive URLs (GitHub auto-archive for 8.x, SourceForge for older releases) but don't surface a checksum next to each link. Without a published SHA-256 (or similar) anyone downloading the tarball or zip has no out-of-band way to verify the file they fetched matches what we shipped — particularly relevant for SourceForge mirrors and for any environment where the download path runs over an opportunistic CDN.
A future enhancement: include sha256 (and optionally sha512) for each archive, render alongside the download link, and ideally as a separate *.sha256 text file the user can sha256sum -c.
Implementation notes (for whoever picks this up):
- Modern releases (8.0.0+) — checksums of GitHub auto-archives can be computed in the release-docs workflow on
openemr-tag (download, hash, store in data/releases.json under each entry). Schema would gain an optional archive_checksums object mirroring archive_urls.
- Historical releases — SourceForge does not publish per-file checksums in a stable, scriptable way. Either (a) compute hashes once by hand and commit them to the manifest, or (b) skip historical rows and only show checksums for new releases going forward.
- The
/downloads/ and /releases/ Hugo layouts then render whatever archive_checksums is present.
Out of scope for #122 (which intentionally only ports the wiki content). Filing as follow-up.
The new /downloads/ and /releases/ pages added in #122 link directly to release archive URLs (GitHub auto-archive for 8.x, SourceForge for older releases) but don't surface a checksum next to each link. Without a published SHA-256 (or similar) anyone downloading the tarball or zip has no out-of-band way to verify the file they fetched matches what we shipped — particularly relevant for SourceForge mirrors and for any environment where the download path runs over an opportunistic CDN.
A future enhancement: include
sha256(and optionallysha512) for each archive, render alongside the download link, and ideally as a separate*.sha256text file the user cansha256sum -c.Implementation notes (for whoever picks this up):
openemr-tag(download, hash, store indata/releases.jsonunder each entry). Schema would gain an optionalarchive_checksumsobject mirroringarchive_urls./downloads/and/releases/Hugo layouts then render whateverarchive_checksumsis present.Out of scope for #122 (which intentionally only ports the wiki content). Filing as follow-up.