identifier-normalization, no-hardcoded-vendors, vendor-installer-verification, and build-version-display follow the go-database split: rules in contract.md, snippets in README.md. Routed contract reads get cheaper; examples stay available on demand. Lint now also rejects stale kit/patterns references. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
27 lines
1.2 KiB
Markdown
# Contract: Vendor Installer Verification

Version: 1.1

## Purpose

Rules for downloading and verifying proprietary vendor installers (`.run`, `.exe`, `.tar.gz`)
where the vendor publishes a checksum alongside the binary.
Applies to: NVIDIA drivers, vendor CLI tools, firmware packages.

See `README.md` for shell snippets.

## Rules

- Download the checksum file **before** the installer — never after. If the download is
  interrupted, you still have the expected checksum to verify against on retry.
- Verify checksum before extracting or executing.
- On mismatch: delete the file, exit with error. Never proceed with a bad installer.
- Never assume a cached file is valid — a previous download may have been interrupted.
  **Never check only for file existence**: the file must be non-empty (`-s`) AND pass checksum.
- Cache by `version` + any secondary key (e.g. kernel version for compiled modules).
- Before writing build scripts, verify the version URL actually exists (`curl -sIL`).
  A `404` or `content-length: 0` means the version is absent on that CDN; vendor version
  numbering may have gaps.
- Never commit installer files to git — always download at build time.
- Log the expected hash when downloading so failures are diagnosable.
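One way to apply the rules above in a build script, as an added example (not the snippets from this repository's `README.md`). It assumes SHA-256, a `<installer>.sha256` file in `sha256sum` format published next to the installer, and GNU `sha256sum`; the function names, base URL argument and cache directory layout are hypothetical.

```shell
# Added example. Assumed: SHA-256 checksums in "<hash>  <file>" format.

# Print the expected hash for one installer name from a checksum file.
expected_hash() {  # $1 = checksum file, $2 = installer file name
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n) } n == f { print tolower($1); exit }' "$1"
}

# Succeed only if the file is non-empty AND matches; delete it otherwise.
verify_installer() {  # $1 = installer path, $2 = expected sha256
    local file want got
    file="$1"; want="$2"
    if [ -z "$want" ]; then
        echo "no expected hash for $file" >&2
        return 2
    fi
    if [ ! -s "$file" ]; then   # missing or zero-length: never trust it
        rm -f "$file"
        return 1
    fi
    got="$(sha256sum "$file" | awk '{ print $1 }')"
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $file: expected $want, got $got" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# $3 is the cache directory, keyed by the caller, e.g. cache/<version>-<kernel>.
fetch_verified() {  # $1 = base URL, $2 = installer name, $3 = cache dir
    local base name dir want
    base="$1"; name="$2"; dir="$3"
    mkdir -p "$dir" || return 1
    # Checksum file first, so the expected hash survives an interrupted download.
    curl -fsSL -o "$dir/$name.sha256" "$base/$name.sha256" || return 1
    want="$(expected_hash "$dir/$name.sha256" "$name")"
    [ -n "$want" ] || { echo "no hash for $name in checksum file" >&2; return 1; }
    echo "expected sha256 for $name: $want" >&2
    # A cached copy is reused only if it verifies; a bad one is deleted here.
    if verify_installer "$dir/$name" "$want"; then return 0; fi
    curl -fsSL -o "$dir/$name" "$base/$name" || { rm -f "$dir/$name"; return 1; }
    verify_installer "$dir/$name" "$want"
}
```

A caller runs `fetch_verified` and exits non-zero on failure before extracting or executing anything from the cache directory.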