Support Package Hashes

[rsbeckerca]

The package phase will capture the hash output and insert it into the FILES table. We would need a new column, PACKAGE_HASH as VARCHAR(256), which would need to be reported in the table of packages.

[xidbhonaker]

Correction, the hash goes in the FILES table... there is one of these for each file in the OSS directory:

PACKAGE (e.g. 'openssl')
-+ VERSION (e.g. '3.0.10')
-+ FILES (e.g. 'TNS-X')
Contains key to DIRECTORIES table and filename, concatenate both to get full path for download.
1: Add the Hash value as a column to FILES in Deploy
2: Modify the Open source website page to display.

1 and 2 can be done separately. Website will only display if value present.

[rsbeckerca]

I am proposing the following new columns in FILES:

HASH_VALUE VARCHAR(128) which can be NULL, but probably will not be eventually. This will contains the standard output from one of the CoreUtils sha*sum programs.

HASH_TYPE VARCHAR(10) which can be NULL if HASH_VALUE is NULL. The possible values are sha1, sha256, sha384, or sha256. This depends on what is available on the destination box. Initially, sha256 will be used.

Instructions for using sha*sum should be added to the ITUGLIB website so customers can understand how to check the values.

The FileSet.groovy and Repackager.groovy will be modified to run sha256sum and store the values in FILES once the table is modified. This change can be independent of the website modifications as part of the Deploy Jenkins process.

A script to compute and store the hashes can be run manually.