video: Update instructions about updating OpenH264

video/external/src/decoder/README.md

@@ -1,10 +1,20 @@
 To update to a new OpenH264 release:
 
- - Open the new release on https://github.com/cisco/openh264/releases
+1. Open the new release on https://github.com/cisco/openh264/releases
- - Update the binary file names and MD5 hashes
+2. Update the binary file names and SHA256 hashes (see below)
- - Add/remove supported architectures and platforms if added/dropped
+3. Add/remove supported architectures and platforms if added/dropped
- - Update the base URL and license if changed
+4. Update the base URL and license if changed
- - Download the OpenH264 sources (at least `codec_api.h`)
+5. Download the OpenH264 sources (at least `codec_api.h`)
- - Regenerate the bindings using the command in `decoder.rs`
+6. Regenerate the bindings using the command in `decoder.rs`
- - Follow the API changes if necessary
+7. Follow the API changes if necessary
- - Update the version number sanity check
+8. Update the version number sanity check
+
+Cisco provides only binaries and MD5 hashes over HTTP which is far from being secure.
+We want to use SHA256 in order to protect users from downloading malicious binaries.
+Currently, we have to calculate hashes ourselves from the downloaded binaries:
+
+1. Make sure you're using a secure network
+2. Download necessary libraries and unpack them
+3. Verify their MD5 checksums
+4. Calculate their SHA256 checksums
+5. If you're unsure, repeat this over a different network