[Rubygems-developers] Roadmap for version 0.8.12

Jim Weirich jim at weirichhouse.org
Tue Jul 19 08:07:04 EDT 2005

On Tuesday 19 July 2005 06:24 am, Hugh Sasse wrote:
> > The main addition is the "quick" directory.  The quick/index file
> > contains a list of gems and a MD5 hash of the corresponding gemspec.
> > Something like this:
> >
> >  builder-0.1.1 68673a832739659790fb02e4227d226f
> Yes, agree with this, except that I'd go for a stronger hash. MD5 is
> regarded as pretty feeble now, and Ruby supports SHA-256. Yes it
> is bulkier, but when gems start to get really popular then we will
> have some scoundrels trying to abuse the system at some point, so
> why make it easier than it needs to be?

The point of the hash is to detect changes, not protect against malicious 
users (sign your gem if you need that).

How much bigger is SHA-256? 

> > This means that gems moved to the archive are still available by using
> > the --source option on the command line.  For example, if rails-0.5 is
> > in the archive, I can still get it with the command:
> >
> >  gem install --version=0.5 rails
> > --source=http://gems.rubyforge.org/archive
> If the version is less than that in the current repository, the
> server should "know" to look in the archive.  After all, all version
> numbers are comparables, aren't they?  

Sure, but for the client software to know to look in the archive, it must get 
the archive index.  The reason we move stuff to the archive is to avoid the 
need to get the index for everything that is archived.  Automatically falling 
back to the archive kinda defeats the purpose (although it would only happen 
when a requested version is not found).  Hmmm ... worth thinking about.

Thanks for the feedback.

-- Jim Weirich    jim at weirichhouse.org     http://onestepback.org
"Beware of bugs in the above code; I have only proved it correct, 
not tried it." -- Donald Knuth (in a memo to Peter van Emde Boas)
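As an added illustration of the quick/index format discussed above (this is not code from the thread or from RubyGems itself): a Ruby sketch that builds "name-version <digest>" index lines from a gemspec, diffs a cached index against a freshly fetched one to find gems whose gemspec changed, and reports how much longer a SHA-256 hex digest is than an MD5 one. The gemspec text and index entries are constructed sample data.

```ruby
require 'digest'

# Constructed sample gemspec text (not a real published gem).
SAMPLE_GEMSPEC = <<~SPEC
  Gem::Specification.new do |s|
    s.name    = "builder"
    s.version = "0.1.1"
  end
SPEC

# Build one quick/index line: "name-version <hexdigest of gemspec>".
# The digest class is a parameter so MD5 and SHA-256 can be compared.
def index_line(name, version, gemspec_text, digest = Digest::MD5)
  "#{name}-#{version} #{digest.hexdigest(gemspec_text)}"
end

# Parse quick/index text into { "name-version" => hexdigest }.
def parse_index(text)
  text.each_line.with_object({}) do |line, h|
    key, hex = line.split
    h[key] = hex if key && hex
  end
end

# Compare a locally cached index with a freshly fetched one. The digest
# only tells the client which gemspecs to re-download; it is change
# detection, not an integrity guarantee (that needs a signed gem).
def index_changes(old_text, new_text)
  old_i = parse_index(old_text)
  new_i = parse_index(new_text)
  {
    changed: new_i.keys.select { |k| old_i.key?(k) && old_i[k] != new_i[k] },
    added:   new_i.keys - old_i.keys,
    removed: old_i.keys - new_i.keys,
  }
end

# Hex digest lengths: MD5 is 32 characters, SHA-256 is 64 (twice as long).
def digest_hex_lengths
  { md5: Digest::MD5.hexdigest("").length,
    sha256: Digest::SHA256.hexdigest("").length }
end

if __FILE__ == $0
  puts index_line("builder", "0.1.1", SAMPLE_GEMSPEC)
  puts index_line("builder", "0.1.1", SAMPLE_GEMSPEC, Digest::SHA256)
  p digest_hex_lengths
end
```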
