Don't fail installation on mismatch with size fields of index

[per1234]

Describe the request

Do not error if the downloaded file size doesn't match the size value in the index.

A mismatch should only generate a warning. This warning will serve two purposes:

• Give the user information that can be used in troubleshooting a failed installation due to checksum mismatch
• Communicate to the package developer that they made a mistake (which will have the minor harmful effect of throwing off the download progress indicator)

If there is actually a problem with the downloaded file, the checksum validation will still fail.

🙂 Users will no longer suffer when package developers fail to correctly set a size value.

Describe the current behavior

Arduino CLI performs two operations in order to validate downloaded files

• size
• checksum

If the file size doesn't match the size value in the index, installation fails:

$ ./arduino-cli version

arduino-cli.exe  Version: git-snapshot Commit: dde30647 Date: 2023-09-22T02:26:41Z

$ arduino-cli --additional-urls https://raw.githubusercontent.com/geolink/opentracker-arduino-board/bf6158ebab0402db217bfb02ea61461ddc6f2940/package_opentracker_index.json core update-index

[...]

$ arduino-cli --additional-urls https://raw.githubusercontent.com/geolink/opentracker-arduino-board/bf6158ebab0402db217bfb02ea61461ddc6f2940/package_opentracker_index.json core install opentracker:[email protected]

[...]

Installing opentracker:[email protected]...
Error during install: Cannot install tool opentracker:[email protected]: testing local archive integrity: testing archive size: fetched archive size differs from size specified in index: 218874 != 218849

The installation will also fail if the file's checksum doesn't match the value of the checksum property in the package index. A SHA-256 checksum is entirely sufficient on its own to validate a file, so a size check is completely superfluous for the purpose of validating the file.

The other use Arduino CLI makes of the size value is indicating the progress of the download. Although this is a nice convenience feature, an incorrect size field value will only result in a minor inaccuracy in the progress indicator, which is not sufficient grounds on its own to fail the installation.

Package developers sometimes fumble the creation of package index entries. These include the size fields:

• packages[*].platforms[*].size
• packages[*].tools[*].systems[*].size

Since an incorrect size field value doesn't cause any visible problems when using Arduino IDE 1.x, developers who have not migrated to Arduino CLI or Arduino IDE 2.x won't notice the problem while testing the index. This means the users who are often not able to do anything to fix the problem are the ones punished by Arduino CLI unnecessarily failing the platform installation under these conditions.

Arduino CLI version

dde3064

Operating system

All

Operating system version

Any

Additional context

This proposal might appear similar to #1468. However, that proposal is to make it possible to skip all validation, while this proposal is only about removing a superfluous validation requirement, leaving the entirely sufficient validation via checksum intact.

---

Examples of users suffering from Arduino CLI unnecessarily failing the platform installation due to an incorrect size value:

• Don't fail installation on mismatch with size fields of index #2332 (comment)
• Archive size differs from index ArduCAM/ArduCAM_ESP32S_UNO#22
• Index Erroe ArduCAM/ArduCAM_ESP8266_UNO#53
• https://forum.arduino.cc/t/error-13-arducam-esp8266-uno/1158062
• https://forum.arduino.cc/t/projet-camera-arducamov5642-esp32-nodered/1094620
• https://forum.arduino.cc/t/stop-warning-for-non-upgradable-board/1166106/5
• https://forum.arduino.cc/t/cant-install-m5stack-boards/1125562

Issue checklist

• I searched for previous requests in the issue tracker
• I verified the feature was still missing when using the latest nightly build
• My request contains all necessary details