From 964ca3755cb180de94d0349f33ff954cbfda2d62 Mon Sep 17 00:00:00 2001 From: Martin Emde Date: Sun, 3 Sep 2023 14:03:44 -0700 Subject: [PATCH] fix missing question marks Co-authored-by: Olle Jonsson --- text/0011-gem-checksum-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/text/0011-gem-checksum-verification.md b/text/0011-gem-checksum-verification.md index 45c0726..54ed67c 100755 --- a/text/0011-gem-checksum-verification.md +++ b/text/0011-gem-checksum-verification.md 
@@ -181,4 +181,4 @@ Old versions of Bundler should ignore the CHECKSUMS section. We will need to che ### How do we handle confusion about the authority of checksums written to the Gemfile.lock -The source of checksums in the Gemfile.lock becomes a matter of trust once it's written. Did the checksum come from the API or was it calculated from a .gem file on a developers computer. If a checksum error is resolved by one developer in a way that saves an incorrect checksum, how should people know when to approve these changes or not. It may not even be common practice for most teams to look at the Gemfile.lock, and changes can often be hidden in pull request reviews. Without a process for checking that the checksums are trustworthy, it's left to every development team to decide on a process. One solution would be a bundle command that could be run in CI every time the gems are installed that verifies the authenticity of checksums in the Gemfile.lock. +The source of checksums in the Gemfile.lock becomes a matter of trust once it's written. Did the checksum come from the API or was it calculated from a .gem file on a developers computer? If a checksum error is resolved by one developer in a way that saves an incorrect checksum, how should people know when to approve these changes or not? It may not even be common practice for most teams to look at the Gemfile.lock, and changes can often be hidden in pull request reviews. Without a process for checking that the checksums are trustworthy, it's left to every development team to decide on a process. One solution would be a bundle command that could be run in CI every time the gems are installed that verifies the authenticity of checksums in the Gemfile.lock.
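Review bot: the same sentence this hunk touches still carries a possessive typo, "calculated from a .gem file on a developers computer?", which should read "on a developer's computer?"; since the commit is already a punctuation fix for this paragraph, fold that correction into the `+` line rather than leaving it for a follow-up. Two further nits visible in the hunk: "how should people know when to approve these changes or not?" would read more naturally as "how should people know whether to approve these changes?", and the `index` line shows the markdown file with mode 100755, which looks unintended for a text document and could be reset to 100644 in a separate commit.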