Upgrade xapian to 1.4.31 and add sha256 check to avoid supply chain attack

2026-03-29 23:09:40 +00:00 · 2026-03-29 13:13:57 +02:00
parent fcce34fde5
commit e47b6ba105
3 changed files with 117 additions and 97 deletions
--- a/core/management/commands/install_xapian.sh
+++ b/core/management/commands/install_xapian.sh
@@ -1,7 +1,11 @@
 #!/usr/bin/env bash
 # Originates from https://gist.github.com/jorgecarleitao/ab6246c86c936b9c55fd
 # first argument of the script is Xapian version (e.g. 1.2.19)
+# second argument of the script is core sha256
+# second argument of the script is binding sha256
 VERSION="$1"
+CORE_SHA256="$2"
+BINDINGS_SHA256="$3"

 # Cleanup env vars for auto discovery mechanism
 unset CPATH
@@ -21,9 +25,15 @@ BINDINGS=xapian-bindings-$VERSION

 # download
 echo "Downloading source..."
-curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz"
+curl -O "https://oligarchy.co.uk/xapian/$VERSION/${CORE}.tar.xz" || exit 1
+
+echo "${CORE_SHA256}  ${CORE}.tar.xz" | sha256sum -c - || exit 1
+
 curl -O "https://oligarchy.co.uk/xapian/$VERSION/${BINDINGS}.tar.xz"

+echo "${BINDINGS_SHA256}  ${BINDINGS}.tar.xz" | sha256sum -c - || exit 1
+
+
 # extract
 echo "Extracting source..."
 tar xf "${CORE}.tar.xz"