Skip to content

Commit

Permalink
fix missing question marks
Browse files Browse the repository at this point in the history
Co-authored-by: Olle Jonsson <[email protected]>
  • Loading branch information
martinemde and olleolleolle authored Sep 3, 2023
1 parent e713a07 commit 964ca37
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion text/0011-gem-checksum-verification.md
Original file line number Diff line number Diff line change
Expand Up @@ -181,4 +181,4 @@ Old versions of Bundler should ignore the CHECKSUMS section. We will need to che

### How do we handle confusion about the authority of checksums written to the Gemfile.lock

The source of checksums in the Gemfile.lock becomes a matter of trust once it's written. Did the checksum come from the API or was it calculated from a .gem file on a developers computer. If a checksum error is resolved by one developer in a way that saves an incorrect checksum, how should people know when to approve these changes or not. It may not even be common practice for most teams to look at the Gemfile.lock, and changes can often be hidden in pull request reviews. Without a process for checking that the checksums are trustworthy, it's left to every development team to decide on a process. One solution would be a bundle command that could be run in CI every time the gems are installed that verifies the authenticity of checksums in the Gemfile.lock.
The source of checksums in the Gemfile.lock becomes a matter of trust once it's written. Did the checksum come from the API or was it calculated from a .gem file on a developers computer? If a checksum error is resolved by one developer in a way that saves an incorrect checksum, how should people know when to approve these changes or not? It may not even be common practice for most teams to look at the Gemfile.lock, and changes can often be hidden in pull request reviews. Without a process for checking that the checksums are trustworthy, it's left to every development team to decide on a process. One solution would be a bundle command that could be run in CI every time the gems are installed that verifies the authenticity of checksums in the Gemfile.lock.

0 comments on commit 964ca37

Please sign in to comment.