Replies: 2 comments
-
@hsbt also pointed me at https://cache.ruby-lang.org/pub/ruby/index.txt which is a CSV of the data.
-
The current workflow is to run the Rebuilding the CRuby version numbers checksums from the master
-
It looks like checksum info is pulled from https://github.com/postmodern/ruby-versions, which looks like it downloads the actual files and generates the checksums from them.
I like that it's effectively providing a second source of truth for these values, but it seems to rely on manual intervention for staying current/relevant.
A good source of truth should not be in the same location (i.e. if the binary is coming from cache.ruby-lang.org, then ideally we source the checksum from somewhere other than cache.ruby-lang.org; otherwise an attacker could easily modify both). Your repo acts as a safeguard, i.e. it would be hard for someone to modify both the tgz archive AND your repo, but only in the event that it's run before an attacker could access and modify the binary.
Another option is to pull from this page on github: https://github.com/ruby/www.ruby-lang.org/blob/master/_data/releases.yml. It's generated from the release process, so it should match the SHA values published on individual releases like https://www.ruby-lang.org/en/news/2025/07/24/ruby-3-3-9-released/. But it's structured to be machine readable, and it's sourced from a different URL (protecting against network shenanigans).
This is 100% an optional suggestion. Mentioning it as I'm looking into how different tools are sourcing their checksums. This is the best option I've come up with so far. Curious to hear your thoughts, leaning 👍 or 👎.