Buildpacks Checksum Site for Release Validation


David Jahn
 

Dear Cloud Foundry Users,

To help operators and users of Cloud Foundry establish a "chain of custody" for buildpacks, we have launched the following checksum site:

https://buildpackverify.cloudfoundry.org

This site provides a checksum for all cached buildpack release zip files (except for the java-buildpack). Whenever the buildpacks team generates a new buildpack release, we will immediately compute the SHA256 checksum of that file and upload it to this website.

The site is hosted on a different repository from the main buildpack github repositories. It allows operators to validate that the zip file we produced is the same artifact that has been downloaded and installed.

Additionally, if an operator wishes to further investigate the components of a buildpack, the "manifest.yml" in each buildpack root directory (for
example, https://github.com/cloudfoundry/go-buildpack/blob/master/manifest.yml) provides a catalog of every third party component in the buildpack, a URL of that component's location, and an MD5 checksum of that component.

We hope that this will assist people in auditing the source of their buildpack code!

Cheers,
Buildpacks Team

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.