-
-
Notifications
You must be signed in to change notification settings - Fork 917
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mismatched checksums on a couple gems #1551
Comments
hash_kit 0.4.8 is also affected: The expected SHA256 checksum was |
I tried pushing I am afraid it is going to be difficult to solve unless we can reproduce the issue. |
Can someone please send me the original cc: @iMacTia |
Hi @sonalkr132 we have an automated process in Faraday and FaradayMiddleware that bundle and push the gem automatically from Travis. That's because I'm not the main maintainer of the gems and I don't have writing permissions on rubygems. I think @mislav will be able to help in this case. |
I'm not sure that will help, but the bugged checksum was generated from this tag https://github.com/lostisland/faraday_middleware/tree/v0.11.0 |
Yeah, I already tried that. It generates a completely different checksum. |
@navidemad I think that's not needed anymore as I released v0.11.0.1 yesterday |
For the problem with the checksum of azure-core (and similar gems), should we release a new version? Is that the only solution? Also, how could we be sure that re-releasing the gem will generate the correct checksum? |
Unrelated to Faraday or azure-core, https://rubygems.org/gems/csvlint/versions/0.1.2 is failing validation. RubyGems: |
I pushed some 15 versions to our staging site and all of them generated correct checksum. |
I think most of these are older versions, probably from before we saved the checksums on gem push. I'm guessing there were a few that didn't get backfilled properly. Unless someone has an example of a recent (and repeatable) missmatch I don't think we have an ongoing problem here. For these old ones, I think it's probably best to release new versions than go back and mess with the old versions. |
I agree... we can correct the checksums in the database, but it's much safer to do them all at once. Then we also only have to expire the versions list and force everyone to download the whole thing again one time. For the time being, please release new versions to force correct checksums, and we'll go back and fix the checksums on old versions all at once. |
funny thing tho. I, THINK(not 100% sure), that when I ran the jobs the generate the checksums, I had something to double check them. |
Fixing the checksums wont expire the versions list, only the respective info files |
mailgun-ruby-1.1.3 also seems to be affected. |
Just bumped into this issue when downloading faraday 0.12.0 (using latest rubygems version: 2.6.11). I've tried the following approach: For faraday 0.12.0:
For Faraday 0.11.0:
|
Thanks for reporting this @tiagoamaro, I released version 0.12.0 this morning and it had the same issue we had with |
I believe we know why this is happening. You are using Travis to push gems. Travis ends pushing the gem from all the jobs. One of them pass and rest fail. Because of the race condition in For the time being, you can use |
Restrict gem publishing to the Ruby 2.4.0 + SSL matrix job. Per rubygems/rubygems.org#1551 (comment)
Restrict gem publishing to the Ruby 2.4.0 + SSL matrix job. Per rubygems/rubygems.org#1551 (comment)
Thanks for your input @sonalkr132. |
Earlier, all our Travis build jobs (one for each ruby version) used to attempt to push a tagged version to Rubygems. The idea here was that one of these would succeed and all the other would fail saying 'repushing versions isn't allowed'. Turns out, there's a race condition in Rubygems in the controller we're hitting. Details: rubygems/rubygems.org#1551 This commits instructs Travis to deploy only on a single build, so that we're very unlikely to trigger said race condition.
Persist records before uploading to s3 When same gem version is pushed in parallel, upload to s3 is run for both the process. Process which commits transaction in Rubygems#update_attributes_from_gem_specification! first gets to set version.sha256, while process which uploads to s3 last gets to write gem file. These two processes need not be same and hence lead of sha mismatch. If we persist version record before uploading to s3, other processes will get record not unique violation and not overwrite gem file in s3. [Failing test on master](https://travis-ci.org/sonalkr132/rubygems.org/jobs/376936366#L1309). Fixes #1564 Fixes #1551
From rubygems/bundler#5332
Since Bundler 1.14 started validating checksums, a couple of people have had failed builds caused by seemingly invalid checksums in the RubyGems DB.
shasum
says@chrismo ran a check on the 700 most popular gems and didn't find any other instances, but that doesn't mean they aren't out there! It would be nice to know how these SHAs ended up this way.
The text was updated successfully, but these errors were encountered: