Add Checksums to Index Files #372

Closed
paddor opened this Issue Dec 23, 2011 · 9 comments

paddor commented Dec 23, 2011

Another column in the marshalled array in the (gzipped) index files containing the respective checksum (MD5, SHA1, SHA2, whatever) would speed up a check whether all gems have been downloaded correctly. Like this, it would be possible to verify all downloaded gems by downloading the index file only.

I'm currently verifying the downloaded gems and it has to issue one HTTP request per gem.
(I downloaded them and am verifying them with https://gist.github.com/1514454)

I hope this is possible. It seems like the class Indexer would have to be extended and the model Version. I don't know where the gem files live though to calculate their checksums. Maybe it deserves a new column in the database?

Thanks.

Owner

qrush commented Dec 24, 2011

I don't think we can modify the marshalled array without really increasing download times or breaking old RubyGems. Is there some other way we can accomplish this, @drbrain ?

paddor commented Dec 27, 2011

What about an additional, marshalled array? This wouldn't break other software and allows those who want to verify the downloaded gems.

Owner

drbrain commented Dec 28, 2011

Sounds like a duplication of effort against signed gems.

I'd rather see rubygems.org auto-sign gems so everyone can verify correctness, not people who implement the extra API calls.

For a stopgap solution an extra file with signatures seems fine to me.

Owner

drbrain commented Jan 12, 2012

gems packaged with RubyGems 2 will contain a checksum for each file in the gem that can be verified. Gem::Package.new('/path/to/the.gem').verify will check it. You can also unpack the gem by hand and verify with standard tools.
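
The by-hand check mentioned in the comment above, as an added example that is not part of the original thread or of RubyGems itself: it reads a .gem as a tar archive and recomputes the digests listed in its checksums.yaml.gz. The helper names and the in-memory sample gem are constructed for illustration; the member names follow the RubyGems 2 package layout.

```ruby
require "rubygems/package"
require "zlib"
require "yaml"
require "digest"
require "stringio"

# Allowlist of digest names accepted from checksums.yaml.gz (no const_get on untrusted names).
DIGESTS = { "SHA1" => Digest::SHA1, "SHA256" => Digest::SHA256, "SHA512" => Digest::SHA512 }.freeze

# Recompute the digest of every member listed in checksums.yaml.gz.
# Returns { [algorithm, member] => :ok | :mismatch | :missing | :unsupported }.
def verify_gem_checksums(gem_bytes)
  members = {}
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |tar|
    tar.each { |entry| members[entry.full_name] = entry.read.to_s }
  end
  raw = members.fetch("checksums.yaml.gz") do
    raise ArgumentError, "no checksums.yaml.gz in this archive"
  end
  results = {}
  YAML.safe_load(Zlib.gunzip(raw)).each do |algo, sums|
    digest = DIGESTS[algo]
    sums.each do |name, expected|
      results[[algo, name]] =
        if digest.nil? then :unsupported
        elsif !members.key?(name) then :missing
        elsif digest.hexdigest(members[name]) == expected.to_s then :ok
        else :mismatch
        end
    end
  end
  results
end

# Constructed sample: a minimal gem-shaped archive built in memory (hypothetical helper).
def build_sample_gem(tamper: false)
  files = { "metadata.gz" => Zlib.gzip("name: demo\n"), "data.tar.gz" => Zlib.gzip("payload") }
  sums = { "SHA256" => files.transform_values { |bytes| Digest::SHA256.hexdigest(bytes) } }
  files["checksums.yaml.gz"] = Zlib.gzip(YAML.dump(sums))
  files["data.tar.gz"] = Zlib.gzip("payload, altered after checksumming") if tamper
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each { |name, bytes| tar.add_file_simple(name, 0o444, bytes.bytesize) { |f| f.write(bytes) } }
  end
  io.string
end

p verify_gem_checksums(build_sample_gem)
p verify_gem_checksums(build_sample_gem(tamper: true))
```

Checksums stored inside the archive they describe catch corruption in transit; they do not show who produced the gem, which is the role of the signatures discussed earlier in the thread.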

paddor commented Jan 12, 2012

Thanks, this sounds great! :-)

On 12.01.12, at 02:42, Eric Hodel wrote:

gems packaged with RubyGems 2 will contain a checksum for each file in the gem that can be verified. Gem::Package.new('/path/to/the.gem').verify will check it. You can also unpack the gem by hand and verify with standard tools.


qrush added the health label Nov 28, 2014

Owner

qrush commented Nov 28, 2014

This is a more encompassing Rubygems change...I think this should be proposed over in rubygems/rubygems (and it should be, still). Closing this for now.

qrush closed this Nov 28, 2014

Owner

qrush commented Nov 28, 2014

Wow I had no idea this was a thing. Is this implemented on rubygems.org's side yet?

On Fri, Nov 28, 2014 at 3:40 PM, David Radcliffe notifications@github.com wrote:

Also see: https://blog.engineyard.com/2014/new-rubygems-index-format


Owner

dwradcliffe commented Nov 28, 2014

No, not finished yet.
