Document rake build:checksum #325
c1d04ac to dcc43c6
security.md
rake build:checksum | ||
|
||
The checksums will be placed in the `checksums/` directory. It is recommended to commit checksums so others can verify | ||
the authenticity of a release. |
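Review bot: "It is recommended to commit checksums so others can verify the authenticity of a release" turns a how-to into an official recommendation, which is a separate decision from documenting the builtin task; suggest neutral wording such as "Committing the checksums lets others verify that the package they downloaded matches the one you built." Note also that a checksum of the built package proves integrity against your build, not who built it; the `gem cert` signing section in the same file is what covers authenticity, so the sentence should not promise more than a digest delivers.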
I would migrate the previous instructions to use the builtin task and that's it. Officially recommending it should be a different discussion.
Makes sense. I'll update soon.
Removed the "recommendation" implication. Also improved the script to what I am currently using as I'm not sure when I'll get back around to the rake task, since in its current form it isn't useful to me at all, and I have a deep todo list. I'll remove the script portion if preferred.
acc0500 to f9be437
f9be437 to 5bb4abd
Very strangely
security.md
|
||
require "digest/sha2" | ||
|
||
VERSION_REGEX = /\d+\.\d+\.\d+([-.].+)*/.freeze |
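Review bot: `VERSION_REGEX = /\d+\.\d+\.\d+([-.].+)*/` is greedy and unanchored on the right, so applied to a package filename such as `name-1.2.3.gem` the `([-.].+)*` group swallows `.gem` and the match becomes `1.2.3.gem`, which then looks like a pre-release version for every gem. Either strip the `.gem` extension before matching or require it with a lookahead, e.g. `(?=\.gem)`, so the extension is checked but not captured.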
This is incorrect when applied to a filename since it will include .gem
in the version number, making everything a pre-release.
Oooh, that's why it fails... interesting. I will see if I can find what rubygems uses for parsing gem names.
I knew it included the .gem, but it hadn't ever mattered until I had to deal with prereleases.
@martinemde Fixed!
5bb4abd to 2125037
A good regex is hard to find. 🤣
@@ -72,61 +72,137 @@ Building Gems | |||
### Sign with: `gem cert` | |||
|
|||
1) Create self-signed gem cert | |||
|
|||
```shell |
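Review bot: the ```shell fence under "1) Create self-signed gem cert" is not indented to the list item's content column, so CommonMark renderers close the list before the code block and restart numbering at the next item. Indent the blank line and the fenced block by the width of the "1) " marker (three spaces) so each command block stays inside its step; the language tag itself is fine and gives the highlighting the commit message mentions.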
The enumerated list was not proper markdown, and after a few syntax changes, which should also allow language-specific code highlighting, it is now proper markdown.
@@ -141,7 +217,7 @@ Reporting Security vulnerabilities | |||
|
|||
### Reporting a security vulnerability with someone else's gem | |||
|
|||
If you spot a security vulnerability in someone else's gem, then you | |||
If you spot a security vulnerability in someone else's gem, then your |
Just a typo: you => your
# See: https://learnbyexample.github.io/Ruby_Regexp/lookarounds.html#positive-lookarounds | ||
# Used to pattern match against a gem package name, which always ends with .gem. | ||
# The positive lookahead ensures it is present, and prevents it from being captured. | ||
VERSION_REGEX = /((\d+\.\d+\.\d+)([-.][0-9A-Za-z-]+)*)(?=\.gem)/.freeze |
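Review bot: the suffix class `[0-9A-Za-z-]` in `([-.][0-9A-Za-z-]+)*` has no underscore, so for a platform-specific package name of the form `name-1.2.3-x86_64-linux.gem` the `_` stops the suffix group, the `(?=\.gem)` lookahead then fails at every backtracking position, and `match` returns `nil` rather than `1.2.3`. If the script is expected to handle platform gems, add `_` to the class or strip the platform suffix before matching; if not, the doc should say the regex is for pure-Ruby gems only.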
This regex works perfectly.
Unfortunate discovery. The process of running a checksum script or task outside of the rake release results in checksums that do not match the actual released gem.
It seems that the only solution would be to run the checksums after release, but not running a new build of the gem package. The checksum commits would thus be after the release, and not in the git tag for the release. 😿
Are you including the checksums files in the gem? Just a guess? (You would want to not do that.) Is having the checksum in the tag even correct? How can a commit contain its own digest? Inception?
Nope, I wondered the same thing, because if there were file changes between the gem builds, then they should have different checksums. Alas, no such luck.
I thought so, because the checksums are checksums of the built gem package. They have nothing to do with git.
LOL, yeah it is a mind F8cker. It's really just that the gem package is wholly unrelated to the tracking of the project in git. So the thing I don't understand is this - if the files are not changing, why does the checksum change every time the gem is built? Either that's what is happening, or the packaged gem that results from I think I've found a bug. Because I assume that
To state as simply as possible: Here's the repo I've been doing this evaluation in. Somehow IMO, both tools are useful, but they must build identical packages...
They do build identical packages, but with different timestamps unless you're setting the same
Hero shit. ❤️ @segiddins. Thanks! I'll update to reflect that. 🔥
I think this should be prominently documented for both tasks, as for me, this is quite a violation of POLS. I'll work on PRs for that too. 🍔 Update: I haven't looked recently, so if it already is prominent, then I'm a victim of POLS assumptions. I may have never looked at the documentation for the tasks beyond the rake It seemed self-evident that both tasks should build an identical package, and I never considered timestamps, because that has never been on my radar... But this did cause me quite a problem, as I now have hundreds? of gems published with bad checksums, and bad release instructions. Since updated docs likely wouldn't have even helped me, I need to think about what a better solution might be.
Related to rubygems/rubygems#5942 and rubygems/rubygems#6022
Script uses a good regex, `/((\d+\.\d+\.\d+)([-.][0-9A-Za-z-]+)*)(?=\.gem)/`, for pulling out a version match: https://rubular.com/r/9QuDiGVjvlHOrt