Re: [PR] Support additional checksum algorithms [accumulo-classloaders]

Fri, 23 Jan 2026 10:58:34 -0800 


ctubbsii commented on code in PR #53:
URL: 
https://github.com/apache/accumulo-classloaders/pull/53#discussion_r2722458739


##########
modules/local-caching-classloader/src/main/java/org/apache/accumulo/classloader/lcc/definition/ContextDefinition.java:
##########
@@ -67,13 +111,13 @@ static class Opts extends Help {
 
   @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD",
       justification = "user-supplied URL is the intended functionality")
-  public static ContextDefinition create(int monitorIntervalSecs, URL... 
sources)
+  public static ContextDefinition create(int monitorIntervalSecs, String 
algorithm, URL... sources)
       throws IOException {
     LinkedHashSet<Resource> resources = new LinkedHashSet<>();
     for (URL u : sources) {
-      try (InputStream is = u.openStream()) {
-        String checksum = DIGESTER.digestAsHex(is);
-        resources.add(new Resource(u, checksum));
+      try (InputStream is = new BufferedInputStream(u.openStream())) {
+        String checksum = getDigester(algorithm).digestAsHex(is);
+        resources.add(new Resource(u, algorithm, checksum));

Review Comment:
   It's not the same for all resources, or it doesn't have to be. If I move it 
to force it to be the same for all, then that limits the user, and also makes 
the code a bit more complex, as I have to carry the ContextDefinition's global 
algorithm to each of the methods that currently just gets a Resource parameter, 
if they need to verify. Also, sometimes, for testing, we have a Resource 
without a ContextDefinition. I think it makes more sense to keep the algorithm 
with the resource.
   
   An additional reason to keep the algorithm with the resource is because one 
dependency may publish a SHA-1 checksum, and another dependency may publish a 
SHA-256 checksum. A user could re-compute a checksum after downloading to keep 
the same algorithm for all resources, or it may make more sense and be just 
easier to simply use the one published by the artifact publishers.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to