JuliaRegistries / RegistryCI.jl

Continuous integration (CI) tools for Julia package registries, including registry consistency testing, automatic merging (automerge) of pull requests, and automatic TagBot triggers
https://juliaregistries.github.io/RegistryCI.jl/stable

Verify Artifacts.toml #481

Open maleadt opened 1 year ago

maleadt commented 1 year ago

Some packages seem to have invalid tree hashes in their Artifacts.toml. @KristofferC suggested it might be a good thing to validate on package registration.

For example: https://github.com/JuliaSmoothOptimizers/BundleAdjustmentModels.jl/blob/b2bc124578784e7107a63c9cb0a704eeac35faeb/Artifacts.toml#L273-L279

["ladybug/problem-49-7776-pre.txt.bz2"]
git-tree-sha1 = "dd2da5f94014b5f9086a2b38a87f8c1bc171b9c2"
lazy = true

    [["ladybug/problem-49-7776-pre.txt.bz2".download]]
    sha256 = "1ccb15701a92a8ad909d30860a0108cd3f2d7916c1ecf2851e59a6198b9de6b0"
    url = "https://grail.cs.washington.edu/projects/bal/data/ladybug/problem-49-7776-pre.txt.bz2"

The checksum seems to match:

❯ mkdir artifact && cd artifact

❯ wget -q https://grail.cs.washington.edu/projects/bal/data/ladybug/problem-49-7776-pre.txt.bz2

❯ sha256sum problem-49-7776-pre.txt.bz2
1ccb15701a92a8ad909d30860a0108cd3f2d7916c1ecf2851e59a6198b9de6b0  problem-49-7776-pre.txt.bz2

Note that the file isn't an archive that's recognized by Pkg, so I keep the .bz2 and put it in a folder. Let's generate the tree hash:

❯ julia
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.8.1 (2022-09-06)
 _/ |\__'_|_|_|\__'_|  |  Official https://julialang.org/ release
|__/                   |

julia> using Pkg

julia> Base.SHA1(Pkg.GitTools.tree_hash("/tmp/artifact"))
SHA1("95a7106e3af85ad6e027e7e581eb5e7554c328ad")

i.e. different from the dd2da5f94014b5f9086a2b38a87f8c1bc171b9c2 as noted in the toml.
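The check the issue proposes, as an added example that is not part of the issue or of RegistryCI.jl, written in Python rather than Julia so it runs without a Julia toolchain. It recomputes the git tree hash of an unpacked artifact directory the way the REPL session above does with Pkg.GitTools.tree_hash, then compares it with the git-tree-sha1 declared for that artifact. The assumption behind it is that Pkg.GitTools.tree_hash yields the same value as git's own tree object hash for the same directory contents (git's format: one "<mode> <name>\0<20-byte sha>" entry per child, children in git's sort order, wrapped in a "tree <size>\0" header). The artifact directories, their file contents and the second "good" entry are constructed here for the demonstration; the only value taken from the issue is the stale dd2da5f9... hash, and the real .bz2 is not downloaded, so the "stale" result is by construction and is not a reproduction of the mismatch reported above.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def git_blob_hash(data: bytes) -> bytes:
    """SHA-1 of a git blob object: header "blob <size>\\0" followed by the content."""
    h = hashlib.sha1()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.digest()


def _entry_sort_key(path: Path) -> bytes:
    # git orders tree entries by raw name bytes, comparing a subdirectory as if
    # its name ended in "/" (so "a-b" sorts before the directory "a").
    name = path.name.encode()
    if path.is_dir() and not path.is_symlink():
        return name + b"/"
    return name


def git_tree_hash(directory: Path, skip: tuple = ()) -> bytes:
    """SHA-1 of the git tree object for `directory`, computed recursively.

    Assumption (not verified against Pkg here): Pkg.GitTools.tree_hash on the
    same directory returns this value, since both follow the git tree format.
    Ownership and mtimes are not part of the hash; content, names, the
    executable bit and symlink targets are.
    """
    entries = []
    for child in sorted(Path(directory).iterdir(), key=_entry_sort_key):
        if child.name in skip:
            continue
        if child.is_symlink():
            # A symlink is stored as a blob whose content is the link target.
            mode, digest = b"120000", git_blob_hash(os.readlink(child).encode())
        elif child.is_dir():
            mode, digest = b"40000", git_tree_hash(child, skip)
        else:
            executable = child.stat().st_mode & stat.S_IXUSR
            mode = b"100755" if executable else b"100644"
            digest = git_blob_hash(child.read_bytes())
        entries.append(mode + b" " + child.name.encode() + b"\0" + digest)
    body = b"".join(entries)
    h = hashlib.sha1()
    h.update(b"tree %d\0" % len(body))
    h.update(body)
    return h.digest()


def verify_artifact_entries(entries: dict, artifact_dirs: dict) -> dict:
    """For each Artifacts.toml entry (name -> table), compare the declared
    git-tree-sha1 with the tree hash of its unpacked directory.
    Returns name -> (declared, computed, matches)."""
    results = {}
    for name, meta in entries.items():
        computed = git_tree_hash(artifact_dirs[name]).hex()
        declared = meta["git-tree-sha1"]
        results[name] = (declared, computed, declared == computed)
    return results


def build_demo() -> dict:
    """Constructed scenario: one entry whose declared hash does not match its
    tree, one whose declared hash was generated from the tree."""
    root = Path(tempfile.mkdtemp(prefix="artifact-check-"))
    try:
        # A non-archive download (the .bz2 case from the issue) is kept as a
        # single file inside the artifact directory, so the tree hash covers
        # a one-file tree. The bytes below are made up, not the real file.
        stale = root / "stale"
        stale.mkdir()
        (stale / "problem-49-7776-pre.txt.bz2").write_bytes(b"constructed, not the real file\n")
        good = root / "good"
        good.mkdir()
        (good / "data.txt").write_bytes(b"hello\n")
        entries = {
            "ladybug/problem-49-7776-pre.txt.bz2": {
                # value declared in the issue's Artifacts.toml excerpt
                "git-tree-sha1": "dd2da5f94014b5f9086a2b38a87f8c1bc171b9c2",
                "lazy": True,
            },
            # hypothetical entry whose hash is derived from the constructed tree
            "good": {"git-tree-sha1": git_tree_hash(good).hex(), "lazy": True},
        }
        dirs = {"ladybug/problem-49-7776-pre.txt.bz2": stale, "good": good}
        return verify_artifact_entries(entries, dirs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, (declared, computed, ok) in build_demo().items():
        print(f"{'OK ' if ok else 'BAD'} {name}: declared {declared} computed {computed}")
```

A registry-side check would have to download each artifact (verifying the declared sha256 first, as the wget/sha256sum step above does), unpack it the way Pkg does, and feed the resulting directory to the comparison; for lazy entries that means fetching data the registry would otherwise never touch, which is the cost of catching a stale git-tree-sha1 before the package is registered.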