Checksum validation fails for faraday_middleware-0.11.0.gem #787

Closed
kdykeman opened this issue Mar 6, 2017 · 9 comments

kdykeman commented Mar 6, 2017

Issue

When running bundle install the following disconcerting message comes up:

Bundler cannot continue installing faraday_middleware (0.11.0).
The checksum for the downloaded faraday_middleware-0.11.0.gem does not match
the checksum given by the server. This means the contents of the downloaded gem
is different from what was uploaded to the server, and could be a potential
security issue.

Context

See rubygems/bundler#5332

Steps to Reproduce

Run bundle install

Expected result

Bundler doesn't complain about the checksums not matching.

Current result

Bundler complains about the checksums not matching (see screenshot)

Possible Fix

Update to a newer version of faraday_middleware where the community asserts the checksums match.

[Screenshot: screen shot 2017-03-06 at 3 28 17 pm]

cf-gitbot commented

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/141183785

The labels on this github issue will be updated when the story is started.

mikexuu (Contributor) commented Mar 7, 2017

Hey @kdykeman,

Thanks for submitting this issue. It does look like this is a known faraday_middleware / rubygems issue. However, we are only pulling in this gem because of fog-azure-rm, and it feels a bit weird to have this explicitly specified in our Gemfile. I would suggest submitting an issue / PR to fog-azure-rm to get this fix (and sometime in the future we can bump our fog-azure-rm version). For the short term, I would suggest just downgrading your bundler to a version before they started validating checksums. Closing this issue for now, feel free to reopen if you have any concerns.

Thanks,
CAPI Community, @michaelxupiv

zrob (Contributor) commented Mar 7, 2017

A link for more information: rubygems/bundler#5332

zrob (Contributor) commented Mar 8, 2017

The linked issues seem to indicate that azure gem has been updated and we can bump it to get the updated version of faraday_middleware. Reopening until we rule out bumping the dependency.

zrob reopened this Mar 8, 2017

kdykeman (Author) commented Mar 8, 2017

Thanks @zrob, I spotted that today as well when looking upstream.

Gerg (Member) commented Mar 8, 2017

The chain is:
cloudfoundry/cloud_controller_ng > fog/fog-azure-rm > Azure/azure-storage-ruby > Azure/azure-ruby-asm-core (checksum issue) > lostisland/faraday_middleware (checksum issue)

Gerg added a commit that referenced this issue Mar 8, 2017
- Checksums were wrong on rubygems which angered new version of bundler

[#141183785][#787]

Signed-off-by: Jonathan Berkhahn <jaberkha@us.ibm.com>

zrob (Contributor) commented Mar 10, 2017

@kdykeman a fix should be available on master now. Would you mind verifying that you are able to bundle?

thanks!

kdykeman (Author) commented

@zrob Thanks! I am now able to bundle.
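
An added example, not part of the thread and not Bundler's own code: the kind of comparison the error message above describes, as a check you can run yourself on a downloaded `.gem` instead of switching validation off. The `info` line layout (`VERSION DEPS|checksum:HEX,...`), the use of SHA-256, the dependency name `exampledep` and all sample data are assumptions constructed for illustration.

```ruby
require "digest"

# Parse one line of a compact-index style "info" listing. Assumed layout:
#   VERSION[-PLATFORM] DEPS|checksum:HEX,ruby:REQ,...
# Returns nil for the "---" header and for blank lines.
def parse_info_line(line)
  version, rest = line.strip.split(" ", 2)
  return nil if version.nil? || version == "---"
  reqs = rest.to_s.split("|", 2)[1].to_s
  checksum = reqs.split(",").map { |r| r.split(":", 2) }
                 .find { |key, _| key == "checksum" }&.last
  { version: version, checksum: checksum&.strip&.downcase }
end

# Look up the checksum the server publishes for one version.
def published_checksum(info_text, version)
  info_text.each_line.map { |l| parse_info_line(l) }.compact
           .find { |e| e[:version] == version }&.fetch(:checksum)
end

# Compare the digest of the downloaded bytes with the published one.
# Returns :match, :mismatch, or :no_checksum (nothing to compare against,
# which should be treated as "unverified", not as a pass).
def verify_gem(gem_bytes, info_text, version)
  expected = published_checksum(info_text, version)
  return :no_checksum if expected.nil? || expected.empty?
  Digest::SHA256.hexdigest(gem_bytes) == expected ? :match : :mismatch
end

# Constructed sample data: stand-in gem bytes and an info listing built from
# them. The 0.10.1 entry carries a deliberately wrong (all-zero) checksum.
SAMPLE_GEM = "constructed stand-in for the bytes of a .gem file".b
SAMPLE_INFO = <<~INFO
  ---
  0.10.1 exampledep:< 2.0&>= 1.0|checksum:#{"0" * 64}
  0.11.0 exampledep:< 3.0&>= 1.0|checksum:#{Digest::SHA256.hexdigest(SAMPLE_GEM)},ruby:>= 1.9
INFO

if __FILE__ == $PROGRAM_NAME
  %w[0.11.0 0.10.1 9.9.9].each do |v|
    puts "#{v}: #{verify_gem(SAMPLE_GEM, SAMPLE_INFO, v)}"
  end
end
```

A `:mismatch` only says the two values differ; as in this thread, the published checksum can be the wrong side, so the result needs to be traced upstream before the gem is trusted or rejected.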
