On Nov 21, 2006, at 5:42 PM, Gerhard Killesreiter wrote:
Do you plan to check if a module has been altered after download, too?
no, i wasn't planning to do that. the md5 hashes we have are on the whole tarball, not per file. so an easy, obvious way to detect this doesn't immediately spring to mind, short of doing a bunch more work to calculate, store, and advertise the per-file md5 hashes at d.o. [1] i was just planning to go with the version listed in the .info file and comparing that to what "home" thinks the latest version of that module is and reporting (in various places) if they disagree. in the first (and probably only) implementation, "home" would be drupal.org. if someone else wants to make what i'm doing work to phone home to other sites where other modules are hosted, they should feel free to do so. again, i'm happy to discuss/coordinate/share, but i'm not going to worry about it until people who really want this functionality a) exist, b) step forward, and c) do some of their own work to make it happen. cheers, -derek [1] i guess the packaging script could compute the md5 hashes for all the files in a tarball, and write a big section of those filename => md5 hash mappings into the .info file itself. then, check_updates.module could compare the values advertised in the .info file with the real values as installed on the file system. i'm not sure that's worth doing, but it'd probably work. ;)