From c1e7b2ff560b4e07eaa04a44d8a839d5d6fb33de Mon Sep 17 00:00:00 2001
From: Martin Fouilleul
Date: Fri, 4 Oct 2024 18:12:17 +0200
Subject: [PATCH] It seems now we're using these checksums in two situations: 1. In CI, when we build angle, we generate checksum from the new build. The next step of the gh workflow downloads this build, verifies the checksum, and uses the build to link the runtime / package the final artifact. 2. If a contributor need the angle binary locally, but don't want to build it themselves, they can trigger a CI run, and download the artifact. The checksum get verified later when building the runtime. It seems pointless to verify checksum of something we just built (or pulled from a gh action cache) in 1. I'm not sure it's really useful to verify them in case 2 either, because if the artifact can be compromised, so can be the checksums (note the checksums are bundled with the build, not pulled from somewhere else), and anyway the artifacts users will get are those built in CI, not the ones we build locally while developing. We can certainly devise a scheme later to help users verify that the artifacts they downloaded from GH are correct, but I don't think our current use of checksums does anything in this regard. The proper way would probably be to _sign_ the artifacts and verify the signature. This commit removes said checksums until we figure out such a scheme.
---
 scripts/dev.py | 56 ++++++++++++++------------------------------------------
 1 file changed, 14 insertions(+), 42 deletions(-)
diff --git a/scripts/dev.py b/scripts/dev.py
index ec3211d2..8723b1b6 100644
--- a/scripts/dev.py
+++ b/scripts/dev.py
@@ -123,29 +123,18 @@ def check_dawn():
 if os.path.exists("build/dawn.out/dawn.json"):
- with pushd("build/dawn.out"):
- with open("dawn.json", "r") as f:
- sums = json.loads(f.read())
+ with open("build/dawn.out/dawn.json", "r") as f:
+ sums = json.loads(f.read())
- up_to_date = True
-
- for artifact in artifacts:
- if artifact in sums:
- if os.path.isfile(artifact):
- s = checksum.filesum(artifact)
- if sums[artifact]['commit'] != DAWN_COMMIT:
- messages.append(f"build/dawn.out/{artifact} doesn't match dawn commit.\n note: expected {DAWN_COMMIT}, got {sums[artifact]['commit']}")
- up_to_date = False
- elif s != sums[artifact]['sum']:
- messages.append(f"build/dawn.out/{artifact} doesn't match checksum.\n note: expected {sums[artifact]['sum']}, got {s}")
- up_to_date = False
- else:
- messages.append(f"build/dawn.out/{artifact} not found")
- up_to_date = False
- break
- else:
- messages.append(f"build/dawn.out/{artifact} is not listed in checksum file")
- up_to_date = False
+ up_to_date = True
+
+ if 'commit' not in sums:
+ messages.append(f"build/dawn.out/dawn.json doesn't contain dawn commit.")
+ up_to_date = False
+
+ elif sums['commit'] != DAWN_COMMIT:
+ messages.append(f"build/dawn.out/dawn.json doesn't match dawn commit.\n note: expected {DAWN_COMMIT}, got {sums['commit']}")
+ up_to_date = False
 else:
 messages = ["build/dawn.out/dawn.json not found"]
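Review bot: The added checks compare only the `commit` field of `dawn.json`, so the `os.path.isfile` presence check that the removed loop performed is gone along with the checksum comparison. A `build/dawn.out` tree that has a current `dawn.json` but is missing a header or library is now reported as up to date, and the failure moves to whatever later step consumes it. Dropping the bundled checksums does not require dropping the existence check: keep a loop over `artifacts` (defined outside this hunk, assuming it is still present) that appends the existing "not found" message, as sketched below. Separately, `json.loads` can raise on a truncated file or return a non-dict, which `'commit' not in sums` does not cover, and the first added `messages.append(f"...")` has no placeholders, so its `f` prefix can go. `check_dawn` starts and ends outside the hunk, and the indentation in the sketch is assumed because the hunk text lost it.

```python
        up_to_date = True
        # … unchanged: 'commit' presence and DAWN_COMMIT comparison …

        # Presence check kept from the old loop; only the checksum comparison is dropped.
        for artifact in artifacts:
            if not os.path.isfile(os.path.join("build/dawn.out", artifact)):
                messages.append(f"build/dawn.out/{artifact} not found")
                up_to_date = False
```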
@@ -279,38 +268,21 @@ def build_dawn_internal(release, jobs, force): # package result print(" * copying build artifacts...") - sums = dict() + sums = { + "commit": DAWN_COMMIT + } os.makedirs("dawn.out/include", exist_ok=True) os.makedirs("dawn.out/bin", exist_ok=True) shutil.copy("dawn.build/gen/include/dawn/webgpu.h", "dawn.out/include/") - sums['include/webgpu.h'] = { - "commit": DAWN_COMMIT, - "sum": checksum.filesum('dawn.out/include/webgpu.h') - } - if platform.system() == "Windows": shutil.copy(f"dawn.build/{mode}/webgpu.dll", "dawn.out/bin/") shutil.copy(f"dawn.build/src/dawn/native/{mode}/webgpu.lib", "dawn.out/bin/") - - sums['bin/webgpu.dll'] = { - "commit": DAWN_COMMIT, - "sum": checksum.filesum('dawn.out/bin/webgpu.dll') - } - sums['bin/webgpu.lib'] = { - "commit": DAWN_COMMIT, - "sum": checksum.filesum('dawn.out/bin/webgpu.lib') - } else: shutil.copy("dawn.build/src/dawn/native/libwebgpu.dylib", "dawn.out/bin/") - sums['bin/libwebgpu.dylib'] = { - "commit": DAWN_COMMIT, - "sum": checksum.filesum('dawn.out/bin/libwebgpu.dylib') - } - # save artifacts checksums with open('build/dawn.out/dawn.json', 'w') as f: json.dump(sums, f)
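Review bot: `sums` is now a one-key dict holding the Dawn commit, so the name no longer describes the data and suggests an integrity record that `dawn.json` does not provide. Something like `build_info = {"commit": DAWN_COMMIT}` would read correctly, with the same rename in the `json.dump` call and in `check_dawn`. A one-line comment above it, e.g. `# build stamp only: records which Dawn commit produced dawn.out, not file integrity`, would keep readers from treating the file as verification. The "save artifacts checksums" comment near the end of the hunk is stale for the same reason if it is still in the file; the collapsed hunk text does not show whether that line is kept or removed. `build_dawn_internal` starts and ends outside the hunk.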