checksums: enforce that all mainline packages use sha256 checksums

- Add a test that verifies checksums on all packages - Also add an attribute to packages that indicates whether they need a manual download or not, and add an exception in the tests for these packages until we can verify them.
2019-10-12 02:04:05 -07:00
parent 8cbd349cb4
commit 64bdc3251f
24 changed files with 71 additions and 2 deletions
--- a/lib/spack/spack/package.py
+++ b/lib/spack/spack/package.py
@@ -465,10 +465,13 @@ class PackageBase(with_metaclass(PackageMeta, PackageViewMixin, object)):
    #: _spack_build_envfile.
    archive_files = []

+    #: Boolean. Set to ``True`` for packages that require a manual download.
+    #: This is currently only used by package sanity tests.
+    manual_download = False
+
    #
    # Set default licensing information
    #
-
    #: Boolean. If set to ``True``, this software requires a license.
    #: If set to ``False``, all of the ``license_*`` attributes will
    #: be ignored. Defaults to ``False``.
--- a/lib/spack/spack/test/package_sanity.py
+++ b/lib/spack/spack/test/package_sanity.py
@@ -8,9 +8,10 @@

 import pytest

+import spack.fetch_strategy
 import spack.paths
 import spack.repo
-import spack.fetch_strategy
+import spack.util.crypto as crypto


 def check_repo():
@@ -94,3 +95,42 @@ def test_docstring():
    for name in spack.repo.all_package_names():
        pkg = spack.repo.get(name)
        assert pkg.__doc__
+
+
+def test_all_packages_use_sha256_checksums():
+    """Make sure that no packages use md5 checksums."""
+
+    errors = []
+    for name in spack.repo.all_package_names():
+        pkg = spack.repo.path.get(name)
+
+        # for now, don't enforce on packages that require manual downloads
+        # TODO: eventually fix these, too.
+        if pkg.manual_download:
+            continue
+
+        def invalid_sha256_digest(fetcher):
+            if getattr(fetcher, "digest", None):
+                h = crypto.hash_algo_for_digest(fetcher.digest)
+                if h != "sha256":
+                    return h
+
+        for v, args in pkg.versions.items():
+            fetcher = spack.fetch_strategy.for_package_version(pkg, v)
+            bad_digest = invalid_sha256_digest(fetcher)
+            if bad_digest:
+                errors.append(
+                    "All packages must use sha256 checksums. %s@%s uses %s." %
+                    (name, v, bad_digest)
+                )
+
+        for _, resources in pkg.resources.items():
+            for resource in resources:
+                bad_digest = invalid_sha256_digest(resource.fetcher)
+                if bad_digest:
+                    errors.append(
+                        "All packages must use sha256 checksums."
+                        "Resource in %s uses %s." % (name, v, bad_digest)
+                    )
+
+    assert [] == errors