Creating Automatic Packages with Checksums
To help ease your transition for migrating automatic packages, or for folks that want to get more into the automatic packaging, we've
We spent some time wrangling dtgm's Ketarin checksum approach into something easy to digest and provided instructions that really let you get ramped up fast! We also brought in AU, so you can see that amazing tool!
You can use the template instructions to see how to apply it to your own packages repository. It's likely we will make additional changes to this repository, so keep an eye on the template (click on watch) so you can get updates when that occurs.
The template repository includes complete setup for both AU and Ketarin/ChocolateyPackageUpdater complete with performing checksum calculations. It even has a couple of example packages to help you get your head around how each works. And if you can't pick between one or the other, use both! Check it out now at https://github.com/chocolatey/chocolatey-packages-template
A Special Note On Checksums
When you use sha256 checksums (anything above sha1), some folks are going to mention that the package is failing due to a bad checksum. This is possibly due to them running a Chocolatey version less than 0.9.9.9 (which came out 10/2015). Look closely at their failure message and determine if it says checksumType 'md5' instead of 'sha256'. Older versions of the client only supported 'md5' and 'sha1' and would set it to 'md5' if it wasn't set as 'sha1'. A message you may receive about the failure could look similar to this email. Mention they should upgrade to a newer version by running `choco upgrade chocolatey`.
Holding Trusted Packages on Failures
We mentioned this in the last update. Starting today, we are now holding even trusted packages when the automated review checks fail. This means if you see an email that the trusted check has failed, it means that the package will wait in the moderation queue for a maintainer to fix, respond to the review comments and ask for an exemption and/or next steps.
Packages Downloading Resources Over Non-SSL Without Checksums Will Now Fail Moderation Review
We mentioned we were going to start holding packages without checksums. The first step in that is packages downloading binaries over HTTP/FTP. Starting today, when you submit new packages, those will fail the verifier in the same way we see with 0.10.0 by default. We'll try to give plenty of notice before SSL will also be required.
Trusted Maintainers
With all of the other improvements being added to the moderation review system (especially holding failing trusted packages), we can start to move forward with trusting maintainers. Typically as a community we trust people, not necessarily packages. So it makes sense to move in a direction where packages submitted by someone that is trusted would not necessarily need human review. We are getting close to adding this to the community repository. The biggest things to note are that when a trusted maintainer submits a package that has no prior versions, it will go through as a regular package. From that point on, it will move through the system like a trusted package. We don't have a set criteria for how a maintainer is added to trusted maintainer status, but we will be developing something more documented as we move forward.
We are really looking forward to this change and we know you are as well!
Maintainer Preferences - Reduce Moderation Email
One last thing before we go - another nice change to the moderation system is less email in your inbox! We all get enough email as it is, so we've added preferences to help reduce system email related to moderation queues. Head over to https://chocolatey.org/account/Edit if you want to make changes to remove non-action moderation-related email. This means you will only get moderation review messages when there is something for you to do!
Note: We haven't quite got the settings adjusted for the validator, so for a little while you will see messages from it even after unchecking this box.
|
|
|
|