chore: fix dependency to TPM simulator #32

Merged
zeschg merged 1 commit into master from tz/chore_ci_dep
Feb 12, 2026
Conversation

@zeschg zeschg commented Jan 13, 2026

No description provided.

@zeschg zeschg self-assigned this Jan 13, 2026
@hseuschek hseuschek left a comment

Looks fine to me. It's just a change in a download URL for an external dependency.

@zeschg zeschg merged commit 6e1b57d into master Feb 12, 2026
2 checks passed
@zeschg zeschg deleted the tz/chore_ci_dep branch February 12, 2026 11:55
@StefanSchroeder commented

I am aware that the downloaded dependency is only run in a sandbox, but as a matter of principle I think it's not a good idea to run code from an untrusted source. I'd suggest to compute a checksum on the downloaded tarball after download and only continue if it's the expected value. Since the tarballs seem to be versioned, I wouldn't expect it to change. Just my 2 cents.

@hseuschek commented

> I am aware that the downloaded dependency is only run in a sandbox, but as a matter of principle I think it's not a good idea to run code from an untrusted source. I'd suggest to compute a checksum on the downloaded tarball after download and only continue if it's the expected value. Since the tarballs seem to be versioned, I wouldn't expect it to change. Just my 2 cents.

good point ;-). The issue is solved in PR #36
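
The checksum gate suggested in the comments above, sketched as an added example; it is not code from this PR, from PR #36, or from the project. The function names (`verify_sha256`, `install_pinned`, `demo`) and file names are hypothetical, and the demo builds a constructed tarball locally in place of the real download.

```shell
#!/usr/bin/env bash
# Added example; function and file names are hypothetical, not the project's.

# verify_sha256 FILE PIN: succeed only if FILE's SHA-256 equals the pinned hex digest.
verify_sha256() {
    local file="$1" pin="$2" actual
    # A pin must be exactly 64 hex digits, so an empty or truncated value never matches.
    case $pin in ''|*[!0-9a-fA-F]*) echo "malformed pin" >&2; return 2 ;; esac
    [ "${#pin}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # e.g. macOS runners
    fi
    [ "$actual" = "$(printf '%s' "$pin" | tr 'A-F' 'a-f')" ]
}

# install_pinned TARBALL PIN DEST: extract only after the digest check passes.
# In CI this runs right after the download step, e.g. curl -fsSL -o "$TARBALL" "$URL".
install_pinned() {
    local tarball="$1" pin="$2" dest="$3"
    if ! verify_sha256 "$tarball" "$pin"; then
        echo "checksum mismatch for $tarball, refusing to extract" >&2
        rm -f -- "$tarball"        # leave no unverified artifact for later steps
        return 1
    fi
    mkdir -p -- "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Demo on a constructed tarball (stands in for the downloaded simulator archive).
demo() {
    local work pin
    work=$(mktemp -d) || return 1
    echo "constructed payload" > "$work/README"
    tar -czf "$work/dep.tar.gz" -C "$work" README
    # Normally the pin is a literal committed to the repository; here it is
    # computed from the constructed file so the demo runs offline.
    pin=$(sha256sum "$work/dep.tar.gz" 2>/dev/null | cut -d' ' -f1)
    [ -n "$pin" ] || pin=$(shasum -a 256 "$work/dep.tar.gz" | cut -d' ' -f1)
    install_pinned "$work/dep.tar.gz" "$pin" "$work/out" || return 1
    [ -f "$work/out/README" ] || return 1
    echo "tampered" >> "$work/dep.tar.gz"      # simulate a changed upstream file
    if install_pinned "$work/dep.tar.gz" "$pin" "$work/out2"; then return 1; fi
    [ ! -e "$work/dep.tar.gz" ] && [ ! -d "$work/out2" ]
}
demo
```

Committing the pin next to the versioned URL means a URL change like the one in this PR forces a reviewed pin change in the same diff.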
