Closed heathd closed 11 years ago
Good catch!
Can you check my work here:
https://github.com/rubygems/rubygems-verification/blob/master/redis_verify.rb#L87
All the results above except scene-0.0.0.gemkeep.gem (a prerelease) have three SHA checksums with only one entry in the checksum set, which makes me think that my test on line 87 is for four matching SHA checksums (S3, source A, source B, source C), not three (S3, source A, source B).
I'm afraid I'm not familiar with redis, so it's hard for me to verify the behaviour of the code. I'll try to write some pseudocode to explain my understanding:
```ruby
class GemChecksumStore
  def initialize
    @gem_checksums = {}
  end

  # Record the checksum reported by one source for a gem file.
  def add(gemname, checksum)
    @gem_checksums[gemname] ||= []
    @gem_checksums[gemname] << checksum
  end

  # All checksums recorded for a gem, in insertion order.
  def fetch(gemname)
    @gem_checksums[gemname] || []
  end

  # Number of distinct checksums seen for the gem.
  def set_cardinality(gemname)
    fetch(gemname).uniq.size
  end

  # Number of sources that reported any checksum for the gem.
  def count(gemname)
    fetch(gemname).size
  end

  # Number of sources that reported exactly this checksum.
  def set_size(gemname, desired_checksum)
    fetch(gemname).select { |checksum| checksum == desired_checksum }.count
  end
end
```
Given the above class, I think that you are effectively doing:
```ruby
class GemChecksumStore
  def verified?(gemname)
    case count(gemname)
    when 0, 1, 2
      false
    else
      count(gemname) - set_cardinality(gemname) > 2
    end
  end
end
```
whereas I think you need to actually check the size of the set for the particular checksum in the rubygems-sha512.S3.txt file, in other words:
```ruby
class GemChecksumStore
  def verified?(gemname, s3_sha)
    set_size(gemname, s3_sha) > 2
  end
end
```
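To make the difference between the two checks concrete, here is an added, self-contained example (not code from rubygems-verification or from either participant). It models the checksum store with a plain Hash instead of redis, implements both the duplicate-counting check read out of the redis code and the proposed S3-specific check, and runs them over constructed checksum sets; the gem name, the "tampered" checksum and the number of mirrors are all assumptions made up for the example.

```ruby
# Added example for this thread, not code from rubygems-verification.
# Models the checksum store with a plain Hash (no redis) and contrasts the
# duplicate-counting check with the check that asks how many sources agree
# with the checksum S3 actually served.
require 'digest'

class GemChecksumStore
  def initialize
    @gem_checksums = Hash.new { |h, k| h[k] = [] }
  end

  # Record the checksum one source reported for a gem file.
  def add(gemname, checksum)
    @gem_checksums[gemname] << checksum
  end

  def fetch(gemname)
    @gem_checksums[gemname]
  end

  # Number of distinct checksums seen for the gem.
  def set_cardinality(gemname)
    fetch(gemname).uniq.size
  end

  # Number of sources that reported any checksum for the gem.
  def count(gemname)
    fetch(gemname).size
  end

  # Number of sources that reported exactly this checksum.
  def set_size(gemname, desired_checksum)
    fetch(gemname).count(desired_checksum)
  end

  # The check as read from the redis code: "enough duplicates" of any value,
  # without looking at which value S3 served.
  def verified_by_duplicates?(gemname)
    n = count(gemname)
    return false if n < 3
    n - set_cardinality(gemname) > 2
  end

  # The proposed check: the S3 checksum itself must be reported by more than
  # two sources (S3 plus at least two mirrors).
  def verified_against_s3?(gemname, s3_sha)
    set_size(gemname, s3_sha) > 2
  end
end

# Constructed sample checksums: the one the mirrors agree on, and a different
# one standing in for a tampered S3 copy.
GOOD_SHA = Digest::SHA512.hexdigest("constructed gem bytes")
BAD_SHA  = Digest::SHA512.hexdigest("constructed tampered gem bytes")
GEM_NAME = "example-1.0.0.gem" # constructed

# Builds a store where S3 reports +s3_sha+ and +mirrors+ mirrors report
# GOOD_SHA, then returns [duplicate-check verdict, S3-check verdict].
def compare_checks(s3_sha, mirrors)
  store = GemChecksumStore.new
  store.add(GEM_NAME, s3_sha)
  mirrors.times { store.add(GEM_NAME, GOOD_SHA) }
  [store.verified_by_duplicates?(GEM_NAME),
   store.verified_against_s3?(GEM_NAME, s3_sha)]
end

if __FILE__ == $0
  puts "S3 + 3 mirrors all agree:      #{compare_checks(GOOD_SHA, 3).inspect}"
  puts "S3 differs, 3 mirrors agree:   #{compare_checks(BAD_SHA, 3).inspect}"
  puts "S3 differs, 4 mirrors agree:   #{compare_checks(BAD_SHA, 4).inspect}"
  puts "S3 + 2 mirrors agree:          #{compare_checks(GOOD_SHA, 2).inspect}"
end
```

The third case is the one that matters: with four mirrors agreeing among themselves, the duplicate count is high enough to pass even though the S3 copy matches none of them, while the S3-specific check correctly rejects it. The last case shows the other direction, where S3 and two mirrors agree (three matching sources) but the duplicate count still falls short; the duplicate count is simply not measuring the property the verification is meant to establish.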
Your above code matches the redis operations.
You're right, I'll update the redis code later today or tomorrow.
I was assuming that, since I separately verified the checksums against at least one mirror, I could assume multiple matches, but this is probably unsafe.
I updated redis_verify per your suggestions and the list of unverified got smaller, but four prereleases were added as unverified.
Per your command the list still contains only prerelease gems.
See the commit message above for full details; I'll reopen if you have further questions.
Hi,
I think you have a bug in this command:
The problem is that \w matches numbers as well as letters. The correct command would be:
This finds 444 gems which are full versions.
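The commands themselves are not quoted in the thread, so the following is an added illustration of the \w point, not the command either participant ran. It assumes the command classified a gem as a prerelease when a letter appears in its version; the gem file names are constructed, and `Gem::Version#prerelease?` from RubyGems is used as an independent oracle for the expected classification.

```ruby
# Added example, not the command from the thread. Assumption: a gem is a
# prerelease when its version contains a letter. A \w test also fires on
# digits, so it marks every gem as a prerelease; [a-zA-Z] matches only letters.
require 'rubygems'

# Constructed file names; only the first and last are full releases.
GEM_FILES = %w[
  rake-10.0.3.gem
  scene-0.0.0.gemkeep.gem
  rails-4.0.0.beta1.gem
  nokogiri-1.5.6.gem
].freeze

# Extract the version from "name-version.gem". Gem names may contain hyphens,
# so take the last hyphen-delimited segment that starts with a digit.
def version_of(gem_file)
  gem_file[/-(\d[^-]*)\.gem\z/, 1]
end

# Buggy classifier: \w matches [A-Za-z0-9_], so "10.0.3" is flagged too.
def prerelease_with_w?(version)
  version.match?(/\w/)
end

# Corrected classifier: only letters mark a prerelease.
def prerelease_with_letters?(version)
  version.match?(/[a-zA-Z]/)
end

# Files whose version the classifier does NOT flag as a prerelease.
def full_versions(files, classifier)
  files.reject { |f| classifier.call(version_of(f)) }
end

# RubyGems' own notion of a prerelease, used here as an oracle.
RUBYGEMS_ORACLE = ->(version) { Gem::Version.new(version).prerelease? }

if __FILE__ == $0
  puts "with \\w:       #{full_versions(GEM_FILES, method(:prerelease_with_w?)).inspect}"
  puts "with [a-zA-Z]: #{full_versions(GEM_FILES, method(:prerelease_with_letters?)).inspect}"
  puts "RubyGems:      #{full_versions(GEM_FILES, RUBYGEMS_ORACLE).inspect}"
end
```

With \w the list of full versions comes back empty, because every version string contains a digit; with [a-zA-Z] it agrees with what RubyGems itself considers a release.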