Description
I've run into a behavior of g10k that's quite unfortunate: if I have in my Puppetfile a forge module with a mismatched hash, like the following:
```ruby
mod 'puppetlabs/apt', '7.6.0',
  :sha256sum => '5b181deb4dc4c8ebddd78a13976f46cf847d478897978fbc27d852cc821b2dd4'
```
then if I install modules, the first time I get a warning about the mismatch and g10k bails at that point. The apt module is not present in the destination directory -- all is good so far:
```console
$ g10k -puppetfile -moduledir modules/
Resolving Forge modules (33/34) 0s [=================================================================>--] 97%
Resolving Git modules (12/12) 1s [====================================================================] 100%
WARNING: calculated sha256sum 5b181deb4dc4c8ebddd78a13975f46cf847d478897978fbc27d852cc821b2dd4 for /home/tor/.cache/g10k/forge/puppetlabs-apt-7.6.0.tar.gz does not match expected sha256sum 5b181deb4dc4c8ebddd78a13976f46cf847d478897978fbc27d852cc821b2dd4
downloadForgeModule(): giving up for Puppet module puppetlabs-apt version: 7.6.0
```
However, if I run the same command again, g10k finds the module in its cache directory and it just installs the module without any complaints, even though the hash mismatch is still present:
```console
$ g10k -puppetfile -checksum -moduledir modules/
Resolving Forge modules (34/34) 0s [====================================================================] 100%
Resolving Git modules (12/12) 0s [====================================================================] 100%
Synced ./Puppetfile with 12 git repositories and 34 Forge modules in 5.5s with git (5.5s sync, I/O 0.0s) and Forge (0.0s query+download, I/O 0.0s) using 50 resolve and 20 extract workers
```
This can lead to operational security problems if we install modules that did not match hashes correctly! g10k should continue to bail on subsequent runs by checking the hash against the local cached copy.
FYI, I purposefully introduced a mismatch in the above hash in the Puppetfile like this:

```diff
 mod 'puppetlabs/apt', '7.6.0',
-  :sha256sum => '5b181deb4dc4c8ebddd78a13975f46cf847d478897978fbc27d852cc821b2dd4'
+  :sha256sum => '5b181deb4dc4c8ebddd78a13976f46cf847d478897978fbc27d852cc821b2dd4'
```
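The cache-side check the report asks for, written as an added Go example that is not g10k's own code: `verifyCachedModule` re-hashes the cached tarball on every run and refuses (and evicts) it when the digest differs from the pinned `:sha256sum`, so a cache hit cannot bypass the check that the first download performed. The file name and the all-zero expected digest in `main` are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"
)

// fileSHA256 streams a file through SHA-256 and returns the lowercase hex digest.
func fileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// verifyCachedModule is the check the issue asks for on the cache-hit path: a
// cached tarball is accepted only if its digest equals the pinned :sha256sum.
// On mismatch the stale copy is removed, so a later run cannot silently reuse
// it either, and an error is returned so the resolver bails as on first run.
func verifyCachedModule(cachePath, expectedHex string) error {
	got, err := fileSHA256(cachePath)
	if err != nil {
		return err
	}
	if got != strings.ToLower(expectedHex) {
		_ = os.Remove(cachePath)
		return fmt.Errorf("calculated sha256sum %s for %s does not match expected sha256sum %s",
			got, cachePath, expectedHex)
	}
	return nil
}

func main() {
	// Constructed sample standing in for ~/.cache/g10k/forge/<module>.tar.gz,
	// checked against a deliberately wrong (all-zero) pin.
	path := "puppetlabs-apt-7.6.0.tar.gz.example"
	_ = os.WriteFile(path, []byte("constructed, not a real archive\n"), 0o644)
	err := verifyCachedModule(path, strings.Repeat("0", 64))
	fmt.Println("cache accepted:", err == nil, "| error:", err)
}
```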