Problem
91 out of 254 entries in `downloads/tarball_list.json` have no `checksum` field. This means `dbdeployer downloads get` silently skips integrity verification for these tarballs — users have no guarantee the download wasn't corrupted or tampered with.
Affected flavors/versions
- MySQL: all 8.4.x (0, 2–8) and 9.x (0.1, 1.0, 2.0, 3.0, 4.0, 5.0)
- MariaDB: 10.6.9, 10.11.9, 11.4.5, 11.4.9, 11.8.6
- Percona Server: all 5.7.x (41–44), all 8.0.x (33–40), all 8.4.x (0, 2–4)
- TiDB: 3.0.0
Current behavior
```go
// downloads/remote_registry.go:188
func CompareTarballChecksum(tarball TarballDescription, fileName string) error {
	if tarball.Checksum == "" {
		return nil // <-- silently skips verification
	}
	// ...
}
```
When a user runs `dbdeployer downloads get mysql-8.4.8-linux-glibc2.17-x86_64.tar.xz`, the download succeeds with no checksum verification and no warning.
Reproduction
```bash
$ jq -r '[.Tarballs[] | select(.checksum == null or .checksum == "")] | length' downloads/tarball_list.json
91
$ jq -r '.Tarballs[] | select(.checksum == null or .checksum == "") | "\(.flavor) \(.version)"' downloads/tarball_list.json | sort -u
mariadb 10.11.9
mariadb 10.6.9
...
mysql 8.4.0
mysql 8.4.2
...
```
Proposed fix
- Populate checksums: Oracle publishes MD5 checksums on the MySQL download pages (e.g., https://dev.mysql.com/downloads/mysql/8.4.html contains `MD5: ` per file). MariaDB and Percona publish SHA256/SHA512 similarly. Write a script that scrapes these and updates `tarball_list.json`.
- Warn when checksum is missing: `CompareTarballChecksum` should print a warning (not an error) when called with an empty checksum, so users are aware they're downloading without verification.
- Add CI check: a lint step that fails if any new non-TiDB tarball entry is added without a checksum.
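One way the proposed CI lint could look, as an added example rather than dbdeployer's own code. It assumes only the JSON keys visible in the jq queries above (`Tarballs`, `flavor`, `version`, `checksum`) and a flavor value of `tidb`; `missingChecksums` and the sample data are hypothetical, and the check covers every entry rather than only newly added ones, so it passes only once the existing gaps are filled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Only the keys visible in the jq queries are modelled (assumption).
type tarballList struct {
	Tarballs []struct {
		Flavor   string `json:"flavor"`
		Version  string `json:"version"`
		Checksum string `json:"checksum"`
	} `json:"Tarballs"`
}

// missingChecksums lists "flavor version" for each non-exempt entry whose
// checksum is absent, null, or blank.
func missingChecksums(data []byte, exempt map[string]bool) ([]string, error) {
	var list tarballList
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("parsing tarball list: %w", err)
	}
	var missing []string
	for _, t := range list.Tarballs {
		if exempt[strings.ToLower(t.Flavor)] || strings.TrimSpace(t.Checksum) != "" {
			continue
		}
		missing = append(missing, t.Flavor+" "+t.Version)
	}
	return missing, nil
}

// Constructed sample input, not real registry content.
const sample = `{"Tarballs":[
 {"flavor":"mysql","version":"8.4.8"},
 {"flavor":"mysql","version":"8.0.33","checksum":"constructed-placeholder"},
 {"flavor":"mariadb","version":"10.6.9","checksum":""},
 {"flavor":"tidb","version":"3.0.0"}
]}`

func main() {
	// Exits non-zero on the sample, as a CI step would on a real gap.
	missing, err := missingChecksums([]byte(sample), map[string]bool{"tidb": true})
	if err != nil || len(missing) > 0 {
		fmt.Fprintln(os.Stderr, "checksum lint failed:", err, missing)
		os.Exit(1)
	}
}
```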