fix: extend digest verification to sha512 and set sandbox paths#850
Open
ericcurtin wants to merge 1 commit intomainfrom
Open
fix: extend digest verification to sha512 and set sandbox paths#850ericcurtin wants to merge 1 commit intomainfrom
ericcurtin wants to merge 1 commit intomainfrom
Conversation
Extend blob digest verification to cover sha512 in addition to sha256, closing a bypass where sha512-addressed blobs were stored without any integrity check. Set correct SandboxPath for Python backends (diffusers, mlx, vllm-metal) so the Darwin sandbox profile resolves UPDATEDLIBPATH to the sibling lib/ directory of the Python bin/ directory.
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- In
WriteBlobWithResume, whendiffID.Algorithmis neithersha256norsha512the blob is now written without any integrity check; consider explicitly rejecting unsupported algorithms (or at least logging) instead of silently skipping verification.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In `WriteBlobWithResume`, when `diffID.Algorithm` is neither `sha256` nor `sha512` the blob is now written without any integrity check; consider explicitly rejecting unsupported algorithms (or at least logging) instead of silently skipping verification.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces support for SHA-512 hashing in the blob store and updates the sandbox path configuration for several inference backends (Diffusers, MLX, and vLLM Metal) to ensure correct directory scoping. I have no feedback to provide.
ilopezluna
previously approved these changes
Apr 8, 2026
Contributor
I get this error in vllm-metal |
ilopezluna
dismissed
their stale review
I have realized it fails when using vllm-metal
sathiraumesh
reviewed
Apr 9, 2026
| var hasher hash.Hash | ||
| switch diffID.Algorithm { | ||
| case "sha256": | ||
| hasher = sha256.New() |
Contributor
There was a problem hiding this comment.
Just a suggestion, It may be better to move this to a separate function like
hasher(string algo) (has.Hash){
...
}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Extend blob digest verification to cover sha512 in addition to sha256, closing a bypass where sha512-addressed blobs were stored without any integrity check. Set correct SandboxPath for Python backends (diffusers, mlx, vllm-metal) so the Darwin sandbox profile resolves UPDATEDLIBPATH to the sibling lib/ directory of the Python bin/ directory.