[rubygems/rubygems] Refactor to checksums stored via source

This gets the specs passing, and handles the fact that we expect checkums to be pinned only to a particular source This also avoids reading in .gem files during lockfile generation, instead allowing us to query the source for each resolved gem to grab the checksum Finally, this opens up a route to having user-stored checksum databases, similar to how other package managers do this! Add checksums to dev lockfiles Handle full name conflicts from different original_platforms when adding checksums to store from compact index Specs passing on Bundler 3 https://github.com/rubygems/rubygems/commit/86c7084e1c
author: Samuel Giddins <segiddins@segiddins.me> 2023-08-09 13:45:56 -0700
committer: Hiroshi SHIBATA <hsbt@ruby-lang.org> 2023-10-23 13:59:01 +0900
commit: c5fd94073ff2e22b6eea29c242c7e4a12ed7c865 (patch)
tree: 327479235e44b16b1dd927b3d6b8b53b36bdc8c8 /spec/bundler/commands/lock_spec.rb
parent: 69d7e9a12eb6e3dbfa1b1021b73c2afcbf7d4a46 (diff)
1 files changed, 59 insertions, 30 deletions
diff --git a/spec/bundler/commands/lock_spec.rb b/spec/bundler/commands/lock_spec.rb
index 4426c484fb..90138087f6 100644
--- a/spec/bundler/commands/lock_spec.rb
+++ b/spec/bundler/commands/lock_spec.rb
@@ -65,7 +65,9 @@ RSpec.describe "bundle lock" do
   it "prints a lockfile when there is no existing lockfile with --print" do
     bundle "lock --print"
 
-    expect(out).to eq(@lockfile.strip)
+    # No checksums because no way to get them from a file uri source
+    # + no existing lockfile that has them
+    expect(out).to eq(@lockfile.strip.gsub(/ sha256-[a-f0-9]+$/, ""))
   end
 
   it "prints a lockfile when there is an existing lockfile with --print" do
@@ -79,7 +81,9 @@ RSpec.describe "bundle lock" do
   it "writes a lockfile when there is no existing lockfile" do
     bundle "lock"
 
-    expect(read_lockfile).to eq(@lockfile)
+    # No checksums because no way to get them from a file uri source
+    # + no existing lockfile that has them
+    expect(read_lockfile).to eq(@lockfile.gsub(/ sha256-[a-f0-9]+$/, ""))
   end
 
   it "writes a lockfile when there is an outdated lockfile using --update" do
@@ -93,7 +97,8 @@ RSpec.describe "bundle lock" do
 
     bundle "lock --update", :env => { "BUNDLE_FROZEN" => "true" }
 
-    expect(read_lockfile).to eq(@lockfile)
+    # No checksums for the updated gems
+    expect(read_lockfile).to eq(@lockfile.gsub(/( \(2\.3\.2\)) sha256-[a-f0-9]+$/, "\\1"))
   end
 
   it "does not fetch remote specs when using the --local option" do
@@ -120,7 +125,7 @@ RSpec.describe "bundle lock" do
         foo
 
       CHECKSUMS
-        #{checksum_for_repo_gem repo, "foo", "1.0"}
+        #{checksum_for_repo_gem repo, "foo", "1.0", :empty => true}
 
       BUNDLED WITH
          #{Bundler::VERSION}
@@ -136,7 +141,7 @@ RSpec.describe "bundle lock" do
     bundle "lock --lockfile=lock"
 
     expect(out).to match(/Writing lockfile to.+lock/)
-    expect(read_lockfile("lock")).to eq(@lockfile)
+    expect(read_lockfile("lock")).to eq(@lockfile.gsub(/ sha256-[a-f0-9]+$/, ""))
     expect { read_lockfile }.to raise_error(Errno::ENOENT)
   end
 
@@ -156,7 +161,7 @@ RSpec.describe "bundle lock" do
       c.repo_gem repo, "weakling", "0.0.3"
     end
 
-    lockfile = strip_lockfile(<<-L)
+    lockfile = <<~L
       GEM
         remote: #{file_uri_for(repo)}/
         specs:
@@ -203,7 +208,17 @@ RSpec.describe "bundle lock" do
 
     bundle "lock --update rails rake"
 
-    expect(read_lockfile).to eq(@lockfile)
+    expect(read_lockfile).to eq(@lockfile.gsub(/( \((?:2\.3\.2|13\.0\.1)\)) sha256-[a-f0-9]+$/, "\\1"))
+  end
+
+  it "preserves unknown checksum algorithms" do
+    lockfile @lockfile.gsub(/(sha256-[a-f0-9]+)$/, "constant-true,\\1,xyz-123")
+
+    previous_lockfile = read_lockfile
+
+    bundle "lock"
+
+    expect(read_lockfile).to eq(previous_lockfile)
   end
 
   it "does not unlock git sources when only uri shape changes" do
@@ -280,7 +295,7 @@ RSpec.describe "bundle lock" do
     G
     bundle "config set without test"
     bundle "config set path vendor/bundle"
-    bundle "lock"
+    bundle "lock", :verbose => true
     expect(bundled_app("vendor/bundle")).not_to exist
   end
 
@@ -611,10 +626,10 @@ RSpec.describe "bundle lock" do
         mixlib-shellout
 
       CHECKSUMS
-        #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32"}
-        #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0"}
-        #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32"}
-        #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3"}
+        #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3", :empty => true}
 
       BUNDLED WITH
          #{Bundler::VERSION}
@@ -646,12 +661,12 @@ RSpec.describe "bundle lock" do
         mixlib-shellout
 
       CHECKSUMS
-        #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14"}
-        #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32"}
-        #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0"}
-        #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6"}
-        #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32"}
-        #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3"}
+        #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3", :empty => true}
 
       BUNDLED WITH
          #{Bundler::VERSION}
@@ -732,8 +747,8 @@ RSpec.describe "bundle lock" do
         libv8
 
       CHECKSUMS
-        #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-19"}
-        #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-20"}
+        #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-19", :empty => true}
+        #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-20", :empty => true}
 
       BUNDLED WITH
          #{Bundler::VERSION}
@@ -928,13 +943,15 @@ RSpec.describe "bundle lock" do
   end
 
   context "when an update is available" do
-    let(:repo) { gem_repo2 }
-
-    before do
-      lockfile(@lockfile)
+    let(:repo) do
       build_repo2 do
         build_gem "foo", "2.0"
       end
+      gem_repo2
+    end
+
+    before do
+      lockfile(@lockfile)
     end
 
     it "does not implicitly update" do
@@ -952,7 +969,7 @@ RSpec.describe "bundle lock" do
         c.repo_gem repo, "weakling", "0.0.3"
       end
 
-      expected_lockfile = strip_lockfile(<<-L)
+      expected_lockfile = <<~L
         GEM
           remote: #{file_uri_for(repo)}/
           specs:
@@ -1003,13 +1020,15 @@ RSpec.describe "bundle lock" do
         c.repo_gem repo, "activerecord", "2.3.2"
         c.repo_gem repo, "activeresource", "2.3.2"
         c.repo_gem repo, "activesupport", "2.3.2"
-        c.repo_gem repo, "foo", "2.0"
+        # We don't have a checksum for foo 2,
+        # since it is not downloaded by bundle lock, therefore we don't include it
+        # c.repo_gem repo, "foo", "2.0"
         c.repo_gem repo, "rails", "2.3.2"
         c.repo_gem repo, "rake", "13.0.1"
         c.repo_gem repo, "weakling", "0.0.3"
       end
 
-      expected_lockfile = strip_lockfile(<<-L)
+      expected_lockfile = <<~L
         GEM
           remote: #{file_uri_for(repo)}/
           specs:
@@ -1041,7 +1060,7 @@ RSpec.describe "bundle lock" do
           weakling
 
         CHECKSUMS
-          #{expected_checksums}
+        #{expected_checksums.prepend("  ").lines(:chomp => true).append("  foo (2.0)").sort.join("\n")}
 
         BUNDLED WITH
            #{Bundler::VERSION}
@@ -1118,8 +1137,8 @@ RSpec.describe "bundle lock" do
           debug
 
         CHECKSUMS
-          #{checksum_for_repo_gem gem_repo4, "debug", "1.6.3"}
-          #{checksum_for_repo_gem gem_repo4, "irb", "1.5.0"}
+          #{checksum_for_repo_gem gem_repo4, "debug", "1.6.3", :empty => true}
+          #{checksum_for_repo_gem gem_repo4, "irb", "1.5.0", :empty => true}
 
         BUNDLED WITH
            #{Bundler::VERSION}
@@ -1424,6 +1443,10 @@ RSpec.describe "bundle lock" do
         DEPENDENCIES
           foo!
 
+        CHECKSUMS
+          #{checksum_for_repo_gem(gem_repo4, "foo", "1.0", :empty => true)}
+          #{checksum_for_repo_gem(gem_repo4, "nokogiri", "1.14.2", :empty => true)}
+
         BUNDLED WITH
            #{Bundler::VERSION}
       L
@@ -1507,6 +1530,12 @@ RSpec.describe "bundle lock" do
           activesupport (= 7.0.4.3)
           govuk_app_config
 
+        CHECKSUMS
+          #{checksum_for_repo_gem gem_repo4, "actionpack", "7.0.4.3", :empty => true}
+          #{checksum_for_repo_gem gem_repo4, "activesupport", "7.0.4.3", :empty => true}
+          #{checksum_for_repo_gem gem_repo4, "govuk_app_config", "4.13.0", :empty => true}
+          #{checksum_for_repo_gem gem_repo4, "railties", "7.0.4.3", :empty => true}
+
         BUNDLED WITH
            #{Bundler::VERSION}
       L
author	Samuel Giddins <segiddins@segiddins.me>	2023-08-09 13:45:56 -0700
committer	Hiroshi SHIBATA <hsbt@ruby-lang.org>	2023-10-23 13:59:01 +0900
commit	c5fd94073ff2e22b6eea29c242c7e4a12ed7c865 (patch)
tree	327479235e44b16b1dd927b3d6b8b53b36bdc8c8 /spec/bundler/commands/lock_spec.rb
parent	69d7e9a12eb6e3dbfa1b1021b73c2afcbf7d4a46 (diff)