On Tue, Feb 20, 2018 at 04:32:25PM +0100, Cédric Boutillier wrote:
> Hi,
> 
> When trying to package some dependencies for a new version of Nanoc, I
> noticed that some gems start to ship SHA256 digests instead of SHA1 in
> addition to SHA512.
> This happens for example with the ddmetrics gem
> https://rubygems.org/gems/ddmetrics
> 
> As a consequence, gem2deb fails on such gems with the following error.
> 
> ddmetrics doesn't seem to exist. Let's try to download it with 'gem fetch 
> ddmetrics'
> gem fetch ddmetrics
> Fetching: ddmetrics-1.0.0.gem (100%)
> Downloaded ddmetrics-1.0.0
> -- Creating source tarball from ddmetrics-1.0.0.gem ...
> tar xfm /tmp/ddmetrics-1.0.0.gem
> /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:131:in `block (2 levels) in 
> verify_and_strip_checksums': undefined method `[]' for nil:NilClass 
> (NoMethodError)
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:130:in `each'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:130:in `block in 
> verify_and_strip_checksums'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:128:in `each'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:128:in 
> `verify_and_strip_checksums'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:85:in `block in 
> extract_gem_contents'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:83:in `chdir'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:83:in 
> `extract_gem_contents'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:67:in `convert!'
>         from /usr/lib/ruby/vendor_ruby/gem2deb/gem2tgz.rb:33:in `convert!'
>         from /usr/bin/gem2deb:114:in `<main>'
> 
> I am considering adding Digest::SHA256 to the list of digests tested in
> gem2tgz and skip the checksum computation if the digest name is not a
> key of the hash read from the YAML file.
> 
> What do you think?

Looks like this is the way to go.

Attachment: signature.asc
Description: PGP signature

Reply via email to