Change the github option or add a protocol option to the github option #4978

Closed
zedtux opened this Issue Sep 13, 2016 · 17 comments

zedtux commented Sep 13, 2016

The git source git://github.com/cubus/jquery-sparkline-rails.git uses the git protocol, which transmits data without encryption. Disable this warning with bundle config git.allow_insecure true, or switch to the https protocol to keep your data secure.

I just got this message today stating that I should use https instead of git, which makes sense.

I have the following line in my Gemfile:

gem 'jquery-sparkline-rails', github: 'cubus/jquery-sparkline-rails'

Which is a really nice way to use a Github repo.

Honestly I do not care which protocol is used to get that gem, so either:

  • Change the protocol of the github option to https (recommended)
  • Add a :protocol option which allows us to change it

Member

segiddins commented Sep 13, 2016

This will be updated in 2.0, or you can see the comment at

# It would be better to use https instead of the git protocol, but this
for alternatives

@segiddins segiddins closed this Sep 13, 2016

zedtux commented Sep 13, 2016

Awesome, thank you @segiddins 👍

panigrah referenced this issue in triloch/fat_free_crm Sep 26, 2016: Chaging the use of gems installation to https #2 (Merged)

odedniv commented Oct 20, 2016

Anyone coming here should know that the comment there is kind of misleading, best way to clear the warning and use HTTPS before the update to 2.0 is to opt in to the change with:

bundle config github.https true

Also, the code there says that in the warning, but my current bundler version (1.13.5) tells me to suppress the warning instead...

san commented Oct 21, 2016

@odedniv Where would I add that line if I want to use this option that you mentioned?

odedniv commented Oct 21, 2016

@san it's a bash command. Bundler then creates a config file under ~/.bundler/config to remember this.

strugee referenced this issue in huginn/huginn Oct 27, 2016: Gemfile uses insecure git:// protocol #1756 (Closed)

joshuapinter commented Nov 12, 2016

Adding to @odedniv's comment, you should probably set this globally since it will be the default in Version 2, which you can do with:

$ bundle config --global github.https true

This will then create (or amend) a ~/.bundle/config file (in your home directory), with the following:

---
BUNDLE_GITHUB__HTTPS: "true"

EDIT: As per @indirect, it's better to stick this line at the top of your Gemfile so that not everybody has to run the same command and it will instead be checked into your repo.

git_source(:github) { |name| "https://github.com/#{name}.git" }

Contributor

gkop commented Nov 23, 2016

@joshuapinter thanks for your solution.

Arguably you ought to also run this in your project directory and commit the local .bundle/ directory to source control:

$ bundle config --local github.https true

Edited based on correction that follows below. Somehow make sure that BUNDLE_GITHUB__HTTPS=true is in source control and loaded automatically, for example with dotenv. The reason is that this option goes hand in hand with the changes you have committed to your Gemfile.lock.

Also, I believe it's best practice to use BUNDLE_FROZEN=true when bundling in your deployment build environment. If you use this option, then you must one way or another also ensure that BUNDLE_GITHUB__HTTPS=true is used in your deployment build environment as well.

Member

indirect commented Nov 23, 2016

Please don't check in your .bundle directory. If you need to apply this setting widely, use the environment variable instead:

$ export BUNDLE_GITHUB__HTTPS=true

Contributor

gkop commented Nov 23, 2016

Why not (just curious)? Edit: answer is at Checking Your Code into Version Control

Anyhow we can use environment variables, just be sure to export them; you can't get away with just passing BUNDLE_GITHUB__HTTPS=true to bundle install alone, you need to pass it to any commands that need to call Bundler.require.

Dorian commented Jan 12, 2017

A better solution, so that not everybody in your team has to run bundle config --global github.https true, is to add this to your Gemfile:

git_source(:github) do |repo_name|
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  "https://github.com/#{repo_name}.git"
end

From bundler's source code:

bundler/lib/bundler/dsl.rb, lines 254 to 266 in 3e3f64f:

# It would be better to use https instead of the git protocol, but this
# can break deployment of existing locked bundles when switching between
# different versions of Bundler. The change will be made in 2.0, which
# does not guarantee compatibility with the 1.x series.
#
# See https://github.com/bundler/bundler/pull/2569 for discussion
#
# This can be overridden by adding this code to your Gemfiles:
#
#   git_source(:github) do |repo_name|
#     repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
#     "https://github.com/#{repo_name}.git"
#   end

aspiers added a commit to aspiers/MinistersUnderTheInfluence that referenced this issue Jan 21, 2017

Contributor

henrik commented Jan 24, 2017

Any recommendations for git:// references pointing to private repos on GitHub?

If I leave them as git://, it auths automagically. If I change to https://, it prompts me for my GitHub details when I bundle. I've seen a suggestion to put an OAuth token in the URL – is that the recommended way to go about it?

mroach commented Jan 27, 2017

@henrik Change line 3 of @Dorian's solution to "git@github.com:#{repo_name}.git" and you'll be all set. This will force the use of SSH instead of HTTPS and then your SSH keys work as expected.

Contributor

henrik commented Jan 27, 2017

@mroach Thank you! That's how I have them now – I guess I assumed I had to change them from that to https://, but now that I think about it again, of course they are SSH and not git://. Great :)

SubOptimal added a commit to SubOptimal/frab-docker that referenced this issue Jan 27, 2017

update README.md
ensure bundler is using https:// instead of git:// protocol to access github repositories
see: bundler/bundler#4978 (comment)

islemaster referenced this issue in code-dot-org/code-dot-org Feb 27, 2017: Force bundler to use HTTPS for GitHub-sourced gems #13462 (Merged)

Contributor

ianks commented Jun 2, 2017

After setting bundle config --global github.https true, running bundle attempts to update the commit ref of the gem. Is there a way to make it not do this?

Member

indirect commented Jun 2, 2017

@ianks in retrospect, that option was a bad idea, because it will only apply on one machine—the same gemfile on other machines will try to use http, and it will create an infinite lockfile revert war between the machines with the setting set and the setting not set. I highly recommend that you use this at the top of your gemfile instead:

git_source(:github) { |name| "https://github.com/#{name}.git" }

(Adjust code as needed based on your usage of the github option).

Back to your original question, the only way I know of off the top of my head is to hand-edit your lockfile at the same time, updating the URL to https.

Contributor

ianks commented Jun 2, 2017

@indirect Yup, I just ended up doing this: sed -i 's/git:\/\//https:\/\//g' Gemfile.lock

dokydoky pushed a commit to dokydoky/jackhammer that referenced this issue Aug 15, 2017

youngsung.kim
switch `git` to `https`
ref) bundler/bundler#4978
The git source `git://github.com/rweng/jquery-datatables-rails.git`
uses the `git` protocol, which transmits data without encryption.
Disable this warning with `bundle config git.allow_insecure true`, or
switch to the `https` protocol to keep your data secure.
The git source `git://github.com/sumoheavy/jira-ruby.git` uses the `git`
protocol, which transmits data without encryption. Disable this warning
with `bundle config git.allow_insecure true`, or switch to the `https`
protocol to keep your data secure.

AlexWayfer referenced this issue in Paxa/fast_excel Sep 20, 2017: Could you release a new version? #16 (Closed)

whatcould commented Jan 26, 2018

I had the same issue and fix as @ianks, all the refs are blown away and suddenly my gems are updated!

On MacOS (with BSD sed) I had to run this:

sed -i '' 's/git:\/\//https:\/\//g' Gemfile.lock

Hope that saves somebody a little time. (& thanks for the tip!)
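The github: shorthand expansion from Dorian's comment and the Gemfile.lock rewrite behind the sed one-liners from ianks and whatcould, as an added Ruby example that is not code from this thread or from Bundler itself. It assumes a constructed lockfile fragment and, unlike sed's global substitute, only touches remote: lines, so revisions and gem names cannot be altered by accident.

```ruby
# Added example (not Bundler's code or any commenter's): the github:
# shorthand expansion from Dorian's comment, plus a Gemfile.lock check and
# rewrite that does what the sed one-liners do but only on "remote:" lines.

# Expand the github: shorthand to an HTTPS clone URL. A bare "repo" name
# becomes "repo/repo", the same rule as the snippet in bundler's dsl.rb.
def github_https_source(repo_name)
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  "https://github.com/#{repo_name}.git"
end

# SSH variant for private repos, as mroach suggested.
def github_ssh_source(repo_name)
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  "git@github.com:#{repo_name}.git"
end

# List git:// remotes recorded in a Gemfile.lock. The remote: line of each
# GIT section must match the Gemfile source, or Bundler re-resolves the gem
# (the "refs blown away" effect described in the thread).
def insecure_git_remotes(lockfile_text)
  lockfile_text.each_line.map { |l| l[/\A[ \t]*remote:[ \t]*(git:\/\/\S+)/, 1] }.compact
end

# Rewrite only remote: lines from git:// to https://, leaving revisions and
# gem names alone (sed's global substitute would touch every line).
def rewrite_insecure_remotes(lockfile_text)
  lockfile_text.gsub(/^([ \t]*remote:[ \t]*)git:\/\//, '\1https://')
end

# Constructed sample lockfile fragment (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: git://github.com/cubus/jquery-sparkline-rails.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      jquery-sparkline-rails (0.1.0)

  GIT
    remote: https://github.com/example/already-https.git
    revision: 89abcdef0123456789abcdef0123456789abcdef
    specs:
      already-https (1.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts github_https_source("cubus/jquery-sparkline-rails")
  insecure_git_remotes(SAMPLE_LOCK).each { |r| warn "insecure remote: #{r}" }
  puts rewrite_insecure_remotes(SAMPLE_LOCK)
end
```

After rewriting, the remote: URL in Gemfile.lock matches the HTTPS git_source in the Gemfile, so bundle install keeps the locked revision instead of re-resolving it.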
