@deivid-rodriguez deivid-rodriguez commented Nov 20, 2024

What was the end-user or developer problem that led to this PR?

bundle lock --add-checksums does not add checksums if the lockfile is completely in sync with the Gemfile. If Bundler does not need to re-resolve, bundle lock is a noop so Bundler cannot add checksums. Due to a typo in the spec, the issue was not caught initially, because the typo was making Bundler re-resolve.

What is your fix for the problem, implemented in this PR?

We need to make sure to force a re-resolve when --add-checksums flag is given.

Fixes #8270.

Make sure the following tasks are checked

@deivid-rodriguez deivid-rodriguez force-pushed the deivid-rodriguez/fix-add-checksums branch from 0da6796 to 969ea7d Compare November 20, 2024 12:35
@deivid-rodriguez
Contributor Author

Requiring re-resolving just to add checksums to the lockfile felt a bit wrong, so I'm trying what I feel is a better approach.

@deivid-rodriguez deivid-rodriguez marked this pull request as draft November 20, 2024 12:37
@deivid-rodriguez deivid-rodriguez force-pushed the deivid-rodriguez/fix-add-checksums branch from 969ea7d to b413118 Compare November 20, 2024 16:22
@deivid-rodriguez deivid-rodriguez marked this pull request as ready for review November 20, 2024 17:32

All we need is to set up remote or local sources appropriately.
I always found the `resolve_if_necessary` method pretty confusing
because by reading it, it suggests that resolution always happens, and
the point is whether that needs to be local or remote. This commit tries
to make that more clear.

Due to a typo in the spec, the issue was not caught initially. If
Bundler does not need to re-resolve, `bundle lock` is a noop so Bundler
does not add checksums.

To fix the issue, we do something similar to what `bundle install` does,
just without actually installing. First set the domain (local or
remote) according to whether a re-resolve is necessary, and then
materialize lazy specifications into real specifications, so that
checksums are actually fetched from each source.

@deivid-rodriguez deivid-rodriguez force-pushed the deivid-rodriguez/fix-add-checksums branch from b413118 to 84b6f4e Compare November 21, 2024 10:37
@deivid-rodriguez deivid-rodriguez merged commit e5bc847 into master Nov 25, 2024
@deivid-rodriguez deivid-rodriguez deleted the deivid-rodriguez/fix-add-checksums branch November 25, 2024 18:14
@joshgoebel

joshgoebel commented Mar 10, 2025

Seeing this exact same behavior (no checksums) with Bundler 2.6.5 when trying --add-checksum. Should I open a new issue?

```
$ bundler -v
Bundler version 2.6.5
$ bundle lock --add-checksums
Fetching source index from https://gems.covermymeds.com/
Writing lockfile to /app/Gemfile.lock
$ cat Gemfile.lock | grep CHECKSUM -A 5
CHECKSUMS
  actioncable (7.0.8.7)
  actionmailbox (7.0.8.7)
  actionmailer (7.0.8.7)
  actionpack (7.0.8.7)
  actiontext (7.0.8.7)
```

Does it require specific support on the gemserver itself such that it wouldn't work with onprem gemservers perhaps?

@joshgoebel

Switched to official source 'https://rubygems.org' for most gems but now only a precious few have the new checksums:

```
CHECKSUMS
  actioncable (7.0.8.7)
  actionmailbox (7.0.8.7)
  actionmailer (7.0.8.7)
  actionpack (7.0.8.7)
  actiontext (7.0.8.7)
  actionview (7.0.8.7)
  active_model_serializers (0.8.3) sha256=a30eb1752d1a76fd83aca374f9549014848c4ac24d66ca30748f0ddf2f2e43b6
  activejob (7.0.8.7)
  activemodel (7.0.8.7)
  activerecord (7.0.8.7)
  activerecord-sqlserver-adapter (7.0.7) sha256=d5c3264dd564941db6ef2d5f93afcd552c0e15285813d2c5c534b9c5c13e71e0
  activestorage (7.0.8.7)
  activesupport (7.0.8.7)
  addressable (2.8.7)
```

@deivid-rodriguez
Contributor Author

@joshgoebel The first issue may be due to missing support in gemstash, maybe? It's currently being worked on rubygems/gemstash#392.

As per the second, I'm not sure. If gems are coming from rubygems.org, they should have checksums. Can you share a way to reproduce?
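
A lockfile whose `CHECKSUMS` section lists gems without a `sha256=` value, as in the output quoted in this thread, gives no integrity pinning for those gems. The script below is an added example, not part of the thread and not Bundler's code: it reports such entries so a CI job can flag them. It assumes the layout shown above (two-space-indented `name (version) sha256=<hex>` lines under a `CHECKSUMS` header); the sample lockfile is constructed.

```ruby
# Added example, not Bundler's own code. Assumes the CHECKSUMS layout quoted in this thread.
SECTION = /\A[A-Z][A-Z ]*\z/ # column-0 headers such as "GEM", "CHECKSUMS", "BUNDLED WITH"
ENTRY   = /\A  (?<name>\S+) \((?<version>[^)]+)\)(?: (?<sums>\S.*))?\z/
SHA256  = /\Asha256=\h{64}\z/

# Returns one hash per line of the CHECKSUMS section; other sections are skipped.
def checksum_entries(lockfile_text)
  in_section = false
  lockfile_text.each_line.map(&:rstrip).filter_map do |line|
    if SECTION.match?(line)
      in_section = (line == "CHECKSUMS")
      next
    end
    m = in_section && ENTRY.match(line)
    next unless m
    { name: m[:name], version: m[:version], sums: (m[:sums] || "").split(",") }
  end
end

# Splits entries into those with no checksum and those whose value is not a full SHA-256.
def audit_checksums(lockfile_text)
  entries = checksum_entries(lockfile_text)
  label = ->(e) { "#{e[:name]} (#{e[:version]})" }
  missing, present = entries.partition { |e| e[:sums].empty? }
  malformed = present.reject { |e| e[:sums].all? { |s| SHA256.match?(s) } }
  { total: entries.size, missing: missing.map(&label), malformed: malformed.map(&label) }
end

# Constructed sample: one entry without a checksum, one valid, one truncated.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actioncable (7.0.8.7)

  CHECKSUMS
    actioncable (7.0.8.7)
    addressable (2.8.7) sha256=#{"ab" * 32}
    rack (3.1.8) sha256=deadbeef

  BUNDLED WITH
     2.6.5
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] && File.file?(ARGV[0]) ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  pp audit_checksums(text)
end
```

Pass a lockfile path as the first argument to audit a real project; without one, the constructed sample is used.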

Successfully merging this pull request may close these issues.

2.6.0-dev: bundle lock --add-checksums doesn't add checksums