File checker does not verify if hashes.json exists

Dhekhanur

Affected version
2.3.0 RC 5
So, creating a new thread for this, since this is a "different" bug than the file clean-up also removing the hashes.json. What I did was this:

I "deleted" the hashes.json by hand and checked with the file health checker how that changed the results. No other actions were taken while this was done, and this is a fresh install of XF 2.3.0 RC 5 with all the first-party addons (no third-party ones were installed).
Perhaps some sanity check or (external?) back-up location to see if hashes.json exists and what its values are for a given version for the (first-party) addons installed? (Oh, and once I "undeleted" the hashes.json it returned the expected output of 14,396 again.)
 
To be honest this was/is broadly intentional. We do not consider the absence of the hashes files to be an error. Naturally as the software and its add-ons are developed, there are no hashes files, and some third party developers may not even use the XF build tools and may not even create a hashes file.

We'll discuss this internally, but not sure we'll go anywhere with this.
 
To enhance understanding of my rambles (also, while I use more strongly worded language, it is my opinion and not expectations): on the absence of third-party hashes (as in the files modified by third parties (=addons)), I am in complete agreement with you. Maybe a note if you detect one missing, but it shouldn't impact Success/Failure. In the case of first-party addons (anything except XF) I would tend to lump them in with the third-party addons or possibly generate a warning, but in the case of XF I'd expect a failure message. Why? Because either it cannot verify the integrity or the integrity has been compromised, and this is a false negative (in my opinion). Whether it was even intended as a tampering indicator or a simple file integrity verifier is in my opinion irrelevant, as at least it should state integrity could not be verified. Yes, people would know a file count of less than ~11k would be suspicious, but isn't it the point of the integrity verification that it at least alerts the admin to something funky going on instead of silently continuing and going "this is fine"?

Though I guess if you have a bogus hashes.json you've got bigger issues than clicking on verify file integrity.
 
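The tiered behaviour proposed in the last post, sketched as an added example (not part of the thread and not XenForo's own code): a missing manifest yields "integrity could not be verified" instead of a silent pass. It assumes hashes.json is a flat JSON object mapping relative paths to SHA-256 hex digests; the `kind` labels and function names are made up for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed policy, taken from the thread's suggestion: a missing manifest is a
# failure for the core, a warning for first-party add-ons, a note for the rest.
MISSING_POLICY = {"core": "fail", "first_party": "warn", "third_party": "note"}
SEVERITY = ["ok", "note", "warn", "fail"]

def check_component(root, kind):
    """Return (status, messages) for one directory holding a hashes.json."""
    root = Path(root)
    manifest = root / "hashes.json"
    if not manifest.is_file():
        return MISSING_POLICY[kind], ["hashes.json missing: integrity not verified"]
    try:
        expected = json.loads(manifest.read_text())
        if not isinstance(expected, dict) or not expected:
            raise ValueError("empty or malformed manifest")
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return "fail", [f"hashes.json unusable: {exc}"]
    problems = []
    for rel, digest in expected.items():
        path = root / rel
        if not path.is_file():
            problems.append(f"{rel}: file missing")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            problems.append(f"{rel}: content mismatch")
    return ("fail" if problems else "ok"), problems

def check_install(components):  # name -> (directory, kind); worst status wins
    results = {n: check_component(d, k) for n, (d, k) in components.items()}
    overall = max((s for s, _ in results.values()), key=SEVERITY.index)
    return overall, results

def demo():
    """Constructed sample tree: verify, then delete the manifest and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        core = Path(tmp)
        (core / "index.php").write_bytes(b"<?php // constructed sample\n")
        digest = hashlib.sha256((core / "index.php").read_bytes()).hexdigest()
        (core / "hashes.json").write_text(json.dumps({"index.php": digest}))
        before = check_install({"core": (core, "core")})[0]
        (core / "hashes.json").unlink()
        after = check_install({"core": (core, "core")})[0]
        return before, after  # ("ok", "fail")

if __name__ == "__main__":
    print(demo())
```

A manifest stored next to the files it describes only catches accidental damage; comparing against a copy kept outside the web root covers the "bogus hashes.json" case raised at the end of the thread.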