[Rubygems-developers] Roadmap for version 0.8.12

Hugh Sasse hgs at dmu.ac.uk
Tue Jul 19 08:38:00 EDT 2005


On Tue, 19 Jul 2005, Jim Weirich wrote:

>> Yes, agree with this, except that I'd go for a stronger hash. MD5 is
>
> The point of the hash is to detect changes, not protect against malicious

Which is why it needs to be stronger, strength here being the
difficulty of creating a file with the same hash but different
content.

> users (sign your gem if you need that).

I don't want to open the cryptography worm can here....  I'm not
after Military level security, I'm after making abuse sufficiently
difficult.
>
> How much bigger is SHA-256?

It's 256 bits == 32 bytes -- 64 hex digits.
>
>>> This means that gems moved the archive are still available by using
>>> the --source option on the command line.  For example, if rails-0.5 is
>>> in the archive, I can still get it with the command:
>>>
>>>  gem install --version=0.5 rails
>>> --source=http://gems.rubyforge.org/archive
>>
>> If the version is less than that in the current repository, the
>> server should "know" to look in the archive.  After all, all version
>> numbers are comparables, aren't they?
>
> Sure, but for the client software to know to look in the archive, it must get
> the archive index.  The reason we move stuff to the archive is to avoid the

Normally it will get the main index, and versions in the archive won't
show up in that. Any gems in the archive will have their latest
versions in the main index, because we preserve the most recent.
Anything being got from the archive will thus not be a check for
changes, so why bother to transmit the archive index at all?

> need to get the index for everything that is archived.  Automatically falling
> back to the archive kinda defeats the purpose (although it would only happen

No, I'm talking about

   gem install --version=0.5 rails --source=http://gems.rubyforge.org/archive

which is a request for installation of a specific old version, which 
must therefore be in the archive, and for which we don't need the
archive index.  And I'm saying it need only be:

   gem install --version=0.5 rails

because the SERVER knows it is held in the archive, as soon as it
sees the version number is less than the smallest version in the
main index file.

> when a requested version is not found).  Hmmm ... worth thinking about.
>
> Thanks for the feedback.
>
> --

         Thank you,
         Hugh
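The distinction the two of them are drawing (a digest in the index detects accidental or silent change; a signature is what you need against a malicious party) is easy to see in code. The following is an added illustration, not code from the thread or from RubyGems itself: the "gem" is a constructed byte string, the index entry format (size plus SHA-256 hex) is invented for the example, and the RSA key is generated on the fly rather than pinned the way a real client would pin it. It also shows the sizes quoted above (MD5 16 bytes / 32 hex digits, SHA-256 32 bytes / 64 hex digits) coming out of the digest functions rather than stating them.

```ruby
require 'digest/md5'
require 'digest/sha2'
require 'openssl'

# Constructed stand-in for a gem file's bytes (not a real .gem archive).
GEM_BYTES = "rails-0.5.gem: constructed sample contents\n".b.freeze

# Sizes of the two digests under discussion, measured rather than quoted.
def digest_sizes(data)
  {
    md5:    { bytes: Digest::MD5.digest(data).bytesize,
              hex:   Digest::MD5.hexdigest(data).length },
    sha256: { bytes: Digest::SHA256.digest(data).bytesize,
              hex:   Digest::SHA256.hexdigest(data).length }
  }
end

# Change detection: the index records size and SHA-256 of the gem (hypothetical
# entry layout for this example); the client recomputes after download.
def index_entry(data)
  { size: data.bytesize, sha256: Digest::SHA256.hexdigest(data) }
end

# True if the downloaded bytes match the index entry. This catches corruption
# and replacement of the gem, but only as far as the entry itself is trusted.
def unchanged?(entry, data)
  entry[:size] == data.bytesize && entry[:sha256] == Digest::SHA256.hexdigest(data)
end

# Canonical string the signature covers: the index entry, not the gem bytes,
# so a client can verify the entry before fetching anything.
def canonical(entry)
  "#{entry[:size]}:#{entry[:sha256]}"
end

# Authenticity: a detached RSA signature over the entry. The client verifies it
# with a public key obtained out-of-band; an attacker who swaps the gem AND
# rewrites the index digest to match still cannot produce this signature.
def sign_entry(entry, private_key)
  private_key.sign(OpenSSL::Digest.new('SHA256'), canonical(entry))
end

def authentic?(entry, signature, public_key)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, canonical(entry))
end

# Scenario: attacker controls the mirror, replaces the gem and rewrites the
# index entry so the digest matches. Returns [digest_check_ok, signature_ok].
def tamper_scenario(public_key, signature_over_original_entry)
  evil       = "rails-0.5.gem: constructed tampered contents\n".b
  evil_entry = index_entry(evil)          # attacker-supplied entry, digest matches
  [unchanged?(evil_entry, evil),
   authentic?(evil_entry, signature_over_original_entry, public_key)]
end

if __FILE__ == $0
  key   = OpenSSL::PKey::RSA.generate(2048)   # stand-in for the publisher's key
  entry = index_entry(GEM_BYTES)
  sig   = sign_entry(entry, key)
  puts "digest sizes: #{digest_sizes(GEM_BYTES)}"
  puts "honest download unchanged?  #{unchanged?(entry, GEM_BYTES)}"
  puts "honest entry authentic?     #{authentic?(entry, sig, key.public_key)}"
  puts "tampered [digest, signature]: #{tamper_scenario(key.public_key, sig)}"
end
```

The tampered run is the point: the digest check passes because the attacker rewrote the index too, while the signature check fails. The hash's job is to make a collision between the recorded digest and a different file infeasible (the second-preimage strength Hugh refers to); it never tells you who wrote the index.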

