1.3.0 switches meaning of source :rubygems to https? #2345

LeifWarner opened this Issue Feb 26, 2013 · 6 comments


None yet
3 participants

Same Gemfile we've always been using, w/ source :rubygems.
Been getting that deprecation warning on that for like a week or two now.
This morning things started breaking on jruby-1.6.7
A coworker fixed it by changing :rubygems to http://rubygems.org/.
I fixed it by doing a gem install jruby-openssl beforehand.

Curious that deprecation message still says:
"The source :rubygems is deprecated because HTTP requests are insecure."
and then further down it says:
"Fetching gem metadata from http://rubygems.org/"
after installing jruby-openssl, and still leaving the source as :rubygems.


alup commented Feb 26, 2013

Http is deprecated but still supported. To avoid this warning message just switch to https protocol.
:rubygems points to plain http requests so it is also a bad choice.

Just saying, Gemfiles w/ source :rubygems on jruby-1.6.7 started triggering a stacktrace and failing (see linked gist) when Bundler 1.3.0 came out. (unless jruby-openssl gem is also installed).


alup commented Feb 26, 2013

Cannot reproduce it with jruby-1.7.3.

Yes, this only affects jruby-1.6.x - jruby-1.7.x can do https w/out jruby-openssl gem, apparently.

Not a terrible issue - trivial workaround is to change ":rubygems" to "http://rubygems.org", or just "gem install jruby-openssl" (or even upgrade to jruby 1.7) - just giving a heads-up of the change.

@indirect indirect closed this in 43687fb Feb 27, 2013

Seems to fix it - thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment