Index duplicate entries with conflicting checksum #4418

@pinkforest

Current Behavior

Related to #1593 - here is a specific one

There are duplicate entries for a single version with conflicting checksums.

I picked one example:
wright-0.2.2

Looking at the index for the wright crate from:

https://github.com/rust-lang/crates.io-index/blob/master/wr/ig/wright

Version 0.2.2 for some reason has a conflicting checksum

{"name":"wright","vers":"0.2.2","deps":[{"name":"ansi_term","req":"^0.10.2","features":[],"optional":false,"default_features":true,"target":null,"kind":"normal"},{"name":"regex","req":"^0.2","features":[],"optional":false,"default_features":true,"target":null,"kind":"normal"}],"cksum":"8261a34961de4a333d2c8e15309c32d35df864709799112002edcffc1316369f","features":{},"yanked":false}
{"name":"wright","vers":"0.2.2","deps":[{"name":"ansi_term","req":"^0.10.2","features":[],"optional":false,"default_features":true,"target":null,"kind":"normal"},{"name":"regex","req":"^0.2","features":[],"optional":false,"default_features":true,"target":null,"kind":"normal"}],"cksum":"14f813076f3bd61b143e7094808057970f40366ee27b1252b758b407fbc661d2","features":{},"yanked":false}

The checksum that is served by static.crates.io is the second entry
14f813076f3bd61b143e7094808057970f40366ee27b1252b758b407fbc661d2

The crates-index crate iterates over both entries, and applications can often use only the first entry, with the incorrect checksum.

This can cause some applications using crates-io-index to fail when the actual downloaded .crate has the checksum from the second entry, which wasn't picked up first.

Applications that, upon iteration, override the checksum with the second entry would work in this case, whilst the ones that pick the first entry to compare would fail.

Expected Behavior

Functional behavior

Index corrected for the below crate-versions

  • zaif-api - 0.1.0 - duplicates 1 conflicts 0
  • yarte_config - 0.3.1 - duplicates 1 conflicts 0
  • wright - 0.2.2 - duplicates 1 conflicts 1
  • tentacle - 0.2.1 - duplicates 1 conflicts 0
  • stitch - 0.1.0 - duplicates 1 conflicts 1
  • stund - 0.1.6 - duplicates 1 conflicts 0
  • sample_planning - 0.0.3 - duplicates 1 conflicts 0
  • replicante_agent_models - 0.1.1 - duplicates 1 conflicts 0
  • rahashmap - 0.2.14 - duplicates 1 conflicts 0
  • prettyprint - 0.6.0 - duplicates 1 conflicts 0
  • miracl_amcl - 3.2.1 - duplicates 1 conflicts 0
  • lelet - 1.2.9 - duplicates 1 conflicts 0
  • g2gen - 0.2.1 - duplicates 1 conflicts 0
  • fluence - 0.0.12 - duplicates 1 conflicts 0
  • ext-php-rs-derive - 0.0.7 - duplicates 1 conflicts 0
  • embly - 0.0.2 - duplicates 1 conflicts 0
  • dynomite - 0.4.1 - duplicates 1 conflicts 0
  • dep_c - 1.0.0 - duplicates 1 conflicts 0
  • dep_d - 3.1.0 - duplicates 1 conflicts 0
  • crossbeam_requests - 0.2.0 - duplicates 1 conflicts 0
  • clickhouse-rs - 0.1.14 - duplicates 1 conflicts 0
  • clipars - 1.1.2 - duplicates 1 conflicts 0
  • canparse - 0.1.4 - duplicates 1 conflicts 0
  • base64-stream - 1.2.2 - duplicates 1 conflicts 0
  • async-stdio - 0.3.0-alpha.1 - duplicates 1 conflicts 0
  • ccl - 0.5.1 - duplicates 1 conflicts 0
  • kit - 0.0.1 - duplicates 1 conflicts 0
  • sml - 0.1.16 - duplicates 1 conflicts 0

Total crates with duplicates: 28, checksum conflicts: 2

Steps To Reproduce

Cargo.toml

[package]
name = "index-test"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
crates-index = "0.18.1"

Typical application behaviour only goes one version.

fn main() {
    // Open the local clone of the crates.io index that cargo maintains.
    let index = crates_index::Index::new_cargo_default().unwrap();
    let crate_from_idx = index.crate_("wright").unwrap();

    // Print every index entry for the crate; version 0.2.2 is listed twice.
    for version in crate_from_idx.versions() {
        println!("----------------------------------\n");
        println!("crate name: {}", version.name());
        println!("crate version: {}", version.version());
        println!("crate checksum: {:x?}", version.checksum());
    }
}

Environment

  • Browser: All
  • OS: All

Anything else?

I investigated this out of a Discord report in crates-io-team from @evanrichter, who is running a crate mirror that checks checksums against the crates.io index via the crates-index crate.
https://discord.com/channels/442252698964721669/448525639469891595/929054813898031104

Some of them ended up being just yanked crates, but luckily the first entry (wright) made me write a little thing to find them all.
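
An added example (not part of the original issue and not the reporter's tool): a Python audit over raw index lines that finds versions listed more than once, flags the ones whose entries disagree on `cksum`, and models the first-entry versus last-entry consumer behaviour described in the issue. The two `wright` 0.2.2 checksums are the ones quoted above with the other fields trimmed; the `dup-example` lines, the function names and the output format are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample index file. The two wright 0.2.2 checksums are the ones
# quoted in the issue (other fields trimmed); the dup-example lines are made up.
CK_FIRST = "8261a34961de4a333d2c8e15309c32d35df864709799112002edcffc1316369f"
CK_SERVED = "14f813076f3bd61b143e7094808057970f40366ee27b1252b758b407fbc661d2"
SAMPLE_INDEX = "\n".join(json.dumps(e) for e in [
    {"name": "wright", "vers": "0.2.2", "cksum": CK_FIRST, "yanked": False},
    {"name": "wright", "vers": "0.2.2", "cksum": CK_SERVED, "yanked": False},
    {"name": "dup-example", "vers": "0.1.0", "cksum": "00" * 32, "yanked": False},
    {"name": "dup-example", "vers": "0.1.0", "cksum": "00" * 32, "yanked": False},
    {"name": "dup-example", "vers": "0.1.1", "cksum": "11" * 32, "yanked": False},
])


def find_duplicates(index_text):
    """Map (name, vers) -> cksums in file order, for versions listed more than once."""
    seen = defaultdict(list)
    for line in index_text.splitlines():
        if line.strip():
            entry = json.loads(line)
            seen[(entry["name"], entry["vers"])].append(entry["cksum"])
    return {key: sums for key, sums in seen.items() if len(sums) > 1}


def find_conflicts(duplicates):
    """Duplicated versions whose entries disagree on the checksum."""
    return sorted(key for key, sums in duplicates.items() if len(set(sums)) > 1)


def consumer_accepts(served_cksum, cksums, policy):
    """Model a consumer that trusts only the first or only the last index entry."""
    chosen = cksums[0] if policy == "first" else cksums[-1]
    return chosen == served_cksum


if __name__ == "__main__":
    dupes = find_duplicates(SAMPLE_INDEX)
    for (name, vers), sums in sorted(dupes.items()):
        print(f"{name} - {vers} - duplicates {len(sums) - 1} conflicts {len(set(sums)) - 1}")
    wright = dupes[("wright", "0.2.2")]
    print("first-entry consumer accepts download:", consumer_accepts(CK_SERVED, wright, "first"))
    print("last-entry consumer accepts download:", consumer_accepts(CK_SERVED, wright, "last"))
```
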

Labels: C-bug 🐞 Category: unintended, undesired behavior
