As demonstrated by this blog post, there is still a lot of end-user confusion about how to deal with the source issues originally revealed in our original CVE announcement.
A lot of that confusion is likely our fault as a team—we often weren't sure what was and wasn't possible even as we were trying to fix the problem. As the above-linked blog post mentions, the only way to be 100% safe in Bundler 1.x is to have no global sources.
The cross-source confusion is eliminated in the (as yet unreleased) Bundler 2.x series by a series of backwards-compatibility breaking changes to the format of the Gemfile.lock file and the way that Bundler handles gem sources internally. Once Bundler 2 is out, you'll be able to use one global source and additional non-global sources without worrying about any name conflicts.
As a result of these problems, let's try to make it clearer for users what they need to do:
This is a good chance for anyone to contribute, even if they aren't familiar with the Bundler code, since the explanations and warnings have all already been written down at least once. 👍
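The two Gemfile shapes the comment above contrasts, several global sources (which Bundler 1.x cannot disambiguate) versus every gem scoped to a `source ... do ... end` block or a `source:` option, together with a small check for the "no global sources" rule. This is an added example, not Bundler's own code: it emulates only the `source`/`gem` parts of the Gemfile DSL, and the `gems.example.internal` URL and `internal-billing` gem are constructed names.

```ruby
# Added example (not Bundler's code): a minimal emulation of the Gemfile DSL's
# `source` and `gem` calls, used to list global sources and gems whose source
# is not pinned. Real Bundler resolves sources differently; this only checks
# the "no global sources" rule for Bundler 1.x described above.
class GemfileSourceCheck
  attr_reader :global_sources, :gems

  def initialize
    @global_sources = [] # top-level `source url` calls with no block
    @gems = []           # one { name:, source: } entry per `gem` call
    @scope = nil         # url of the enclosing `source url do ... end`, if any
  end

  # Evaluate Gemfile text so that its DSL calls hit the methods below.
  def self.check(gemfile_text)
    checker = new
    checker.instance_eval(gemfile_text, "Gemfile", 1)
    checker
  end

  # `source url` with no block is global; with a block it scopes the gems inside.
  def source(url)
    unless block_given?
      @global_sources << url
      return
    end
    outer, @scope = @scope, url
    begin
      yield
    ensure
      @scope = outer
    end
  end

  # `gem name, *version_requirements, options = {}`; a `source:` option pins it.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    explicit = opts[:source] || opts["source"]
    @gems << { name: name, source: explicit || @scope }
  end

  # Grouping blocks do not affect source resolution; just evaluate their bodies.
  def group(*_names)
    yield if block_given?
  end

  def platforms(*_names)
    yield if block_given?
  end

  # Other DSL calls (ruby, gemspec, git_source, ...) are ignored by this check.
  def method_missing(_name, *_args, &_block)
    nil
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end

  # Gems with neither a `source:` option nor an enclosing source block; these
  # are the ones Bundler 1.x looks up across every global source.
  def unscoped_gems
    @gems.reject { |g| g[:source] }.map { |g| g[:name] }
  end

  # The Bundler 1.x rule from the comment: safe only with no global sources,
  # which in turn means every gem must be scoped.
  def safe_for_bundler1?
    @global_sources.empty? && unscoped_gems.empty?
  end
end

# Constructed Gemfiles; gems.example.internal and internal-billing are made up.
UNSAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"

  gem "rails"
  gem "internal-billing"
GEMFILE

SAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org" do
    gem "rails"
  end
  source "https://gems.example.internal" do
    gem "internal-billing"
  end
  gem "rake", "~> 12.0", source: "https://rubygems.org"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  [["unsafe", UNSAFE_GEMFILE], ["safe", SAFE_GEMFILE]].each do |label, text|
    c = GemfileSourceCheck.check(text)
    puts "#{label}: global sources=#{c.global_sources.inspect} " \
         "unscoped gems=#{c.unscoped_gems.inspect} safe_for_bundler1=#{c.safe_for_bundler1?}"
  end
end
```

Running the script reports the first Gemfile as unsafe (two global sources, `rails` and `internal-billing` both unscoped) and the second as safe (no global sources, every gem pinned). A check like this is cheap to run in CI ahead of `bundle install` while a project is still on Bundler 1.x.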
Nice clear explanation, thank you 🏌️ I'll aim to jump on some of those doc improvements then 🤓
This is still available for anyone who wants to address it.
If no one claims it by tonight I'll get it done.
Ok then, dibs. I'll get out a short form PR and ask for reviews here in a bit. I'll likely be citing information from the above blog post.
An incomplete list of places that need changes: