identifier-normalization, no-hardcoded-vendors, vendor-installer-verification, and build-version-display follow the go-database split: rules in contract.md, snippets in README.md. Routed contract reads get cheaper; examples stay available on demand. Lint now also rejects stale kit/patterns references. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contract: Vendor Installer Verification
Version: 1.1
Purpose
Rules for downloading and verifying proprietary vendor installers (.run, .exe, .tar.gz)
where the vendor publishes a checksum alongside the binary.
Applies to: NVIDIA drivers, vendor CLI tools, firmware packages.
See README.md for shell snippets.
Rules
- Download the checksum file before the installer — never after. If the download is interrupted, you still have the expected checksum to verify against on retry.
- Verify checksum before extracting or executing.
- On mismatch: delete the file, exit with error. Never proceed with a bad installer.
- Never assume a cached file is valid — a previous download may have been interrupted. Never check only for file existence: the file must be non-empty (`-s`) AND pass checksum.
- Cache by version + any secondary key (e.g. kernel version for compiled modules).
- Before writing build scripts, verify the version URL actually exists (`curl -sIL`). A 404 or `content-length: 0` means the version is absent on that CDN; vendor version numbering may have gaps.
- Never commit installer files to git — always download at build time.
- Log the expected hash when downloading so failures are diagnosable.
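The rules above as a set of shell functions, added here as an example; this is not the project's README snippet. Assumptions that are not on the page: checksums are SHA-256 in `sha256sum` format (`<hex>  <file>`, `<hex> *<file>` or a bare `<hex>` line), `sha256sum` and `curl` are on PATH, the checksum file is named `<installer>.sha256`, and the vendor URLs and version numbers are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not the project's README snippet). Assumptions: SHA-256 checksums in
# sha256sum format, `sha256sum` and `curl` available, checksum file named <installer>.sha256.
set -eu

# Rules: log the expected hash; the file must be non-empty (-s) AND match the checksum;
# on mismatch delete the file and fail, so a later run cannot mistake it for a good cache hit.
verify_installer() {            # verify_installer FILE CHECKSUM_FILE
  local file="$1" sums="$2" name expected actual
  name=$(basename "$file")
  expected=$(awk -v n="$name" \
    'NF == 1 {print $1; exit} $2 == n || $2 == "*" n {print $1; exit}' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2; return 1
  fi
  echo "expected sha256 for $name: $expected" >&2
  if [ ! -s "$file" ]; then
    echo "installer missing or empty (interrupted download?): $file" >&2
    rm -f "$file"; return 1
  fi
  actual=$(sha256sum "$file" | awk '{print $1}')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual" >&2
    rm -f "$file"; return 1
  fi
  return 0
}

# Rule: cache by version plus any secondary key (e.g. kernel release for compiled modules).
cache_key() {                   # cache_key VERSION [SECONDARY ...]
  local IFS=-
  printf '%s' "$*"
}

# Rule: confirm the version URL exists before writing build scripts (curl -sIL).
# A 404 or content-length: 0 means the version is absent on that CDN. Needs network.
version_url_exists() {          # version_url_exists URL
  local headers status length
  headers=$(curl -sIL "$1" | tr -d '\r')
  status=$(printf '%s\n' "$headers" | grep -i '^HTTP/' | tail -n 1 | awk '{print $2}')
  length=$(printf '%s\n' "$headers" | grep -i '^content-length:' | tail -n 1 | awk '{print $2}')
  [ "$status" = "200" ] && [ "${length:-unknown}" != "0" ]
}

# Rules: fetch the checksum before the installer, re-verify any cached file instead of
# trusting it, verify before extracting or executing, download at build time (never commit).
download_verified() {           # download_verified BASE_URL INSTALLER_NAME CACHE_DIR
  local base="$1" name="$2" dir="$3"
  mkdir -p "$dir"
  curl -fsSL -o "$dir/$name.sha256" "$base/$name.sha256"      # checksum first
  if verify_installer "$dir/$name" "$dir/$name.sha256"; then  # cached file re-verified
    echo "cache hit: $dir/$name" >&2; return 0
  fi                                                          # stale/partial file was deleted
  curl -fsSL -o "$dir/$name" "$base/$name"
  verify_installer "$dir/$name" "$dir/$name.sha256"           # deletes the file on mismatch
}
```

Typical use from a build script: `version_url_exists "https://vendor.example/dl/vendor-installer-1.2.3.run" || exit 1`, then `download_verified "https://vendor.example/dl" vendor-installer-1.2.3.run "cache/$(cache_key 1.2.3 "$(uname -r)")"`; extraction or execution happens only after `download_verified` returns 0.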