123456789101112131415161718192021222324252627282930(** The entire asset is downloaded when ["get-asset MODVER -p PATH -m MEMBER"].
However, the presence of ["-m MEMBER"] should not be a regular
BuildTaskAsset but a task specific to the member ["MEMBER"]. Then ... if
there is an asset index ... the retrieval can be efficient.
The common usecase of downloading a valueid member of a ["valuestore.zip"]
of a distribution is separate and already implemented. *)letindividual_asset_member_tasks()=()(** An asset index has its own checksum
({!Assumptions.asset_index_has_blake_checksum}) and zip entries each have a
CRC-32 checksum. But that is not enough to ensure secure data integrity for
a partial bytes Range download of a zip entry. It is easy to not touch the
zip entry CRC-32 checksum (which is protected by the asset index checksum)
while changing the data in the Range; you can place any bytes you want into
the Range as long as you leave 4 bytes at the end so that the CRC-32
checksum is unchanged.
Instead we need something like FWKCS MD5 Extra Fields
({:https://libzip.org/specifications/extrafld.txthttps://datatracker.ietf.org/doc/html/rfc5693})
that places an extra checksum in the zip entry itself. SHA-256 or better yet
BLAKE2B-256 should be used instead of MD5.
Once the extra fields are implemented, you can remove the [`None] from
[ThunkIo.checksum_file].
Issue: {:https://github.com/diskuv/dk/issues/80} *)letasset_range_download_of_zip_entry_from_zip_index_needs_a_secure_checksum(range:Fmlib_parse.Position.range)=`DeadbadChecksumForZipEntryButNeedBetterrange