
Clarify documentation around global sources #5062

Open
indirect opened this Issue Oct 6, 2016 · 5 comments

indirect (Member) commented Oct 6, 2016

As demonstrated by this blog post, there is still a lot of end-user confusion about how to deal with the source issues originally revealed in our original CVE announcement.

A lot of that confusion is likely our fault as a team—we often weren't sure what was and wasn't possible even as we were trying to fix the problem. As the above-linked blog post mentions, the only way to be 100% safe in Bundler 1.x is to have no global sources.

The cross-source confusion is eliminated in the (as yet unreleased) Bundler 2.x series by a series of backwards-compatibility breaking changes to the format of the Gemfile.lock file and the way that Bundler handles gem sources internally. Once Bundler 2 is out, you'll be able to use one global source and additional non-global sources without worrying about any name conflicts.

As a result of these problems, let's try to make it clearer for users what they need to do:

  • Update the CVE warning post with clearer instructions around the possible problem and ways to avoid it
  • Update the discussion of multiple sources in the Bundler docs to point out that this opens the possibility of name conflicts, and suggest using no global sources in Bundler 1.x Gemfiles.
  • Update the existing warnings as needed to reflect the problems discussed in the new blog post

This is a good chance for anyone to contribute, even if they aren't familiar with the Bundler code, since the explanations and warnings have all already been written down at least once. 👍
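To make the Bundler 1.x advice above concrete, here is an added example (not Bundler's own code): a small Ruby check that loads a Gemfile through a hypothetical stub DSL and flags any gem that two or more global sources could both satisfy. The two sample Gemfiles and the private-server URL are constructed for illustration.

```ruby
# Added example, not Bundler's own code: a tiny Gemfile auditor for the
# global-source name-conflict problem. The DSL stub is hypothetical and
# understands only the directives the check needs (source and gem).
class GemfileAudit
  Entry = Struct.new(:name, :source) # source nil => relies on global sources
  attr_reader :global_sources, :entries
  def initialize
    @global_sources, @entries, @source_stack = [], [], []
  end
  # Top-level `source "url"` adds a global source; `source "url" do ... end`
  # binds every gem declared inside the block to that single source.
  def source(url, &block)
    return @global_sources << url unless block
    @source_stack.push(url)
    instance_eval(&block)
    @source_stack.pop
  end
  # `gem "name", source: "url"` also pins a gem to one source.
  def gem(name, *_args, **opts)
    @entries << Entry.new(name, opts[:source] || @source_stack.last)
  end
  def self.load(text)
    new.tap { |audit| audit.instance_eval(text, "Gemfile") }
  end
  # Gems Bundler 1.x could satisfy from more than one global source.
  def ambiguous_gems
    return [] if global_sources.size < 2
    entries.reject(&:source).map(&:name)
  end
  # The 1.x recommendation from the issue: no global sources at all.
  def safe?
    global_sources.empty? && entries.all?(&:source)
  end
end

# Constructed sample Gemfiles; the private server URL is a placeholder.
RISKY_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"
  gem "rails"
  gem "internal-auth"
GEMFILE
HARDENED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org" do
    gem "rails"
  end
  source "https://gems.example.internal" do
    gem "internal-auth"
  end
GEMFILE
```

`GemfileAudit.load(RISKY_GEMFILE).ambiguous_gems` lists both gems, while the hardened Gemfile reports none and `safe?` returns true.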

sfcgeorge commented Oct 7, 2016

Nice clear explanation, thank you 🏌️ I'll aim to jump on some of those doc improvements then 🤓

lynncyrin (Member) commented Oct 10, 2016

This is still available for anyone who wants to address it

baweaver commented Oct 10, 2016

If no one claims it by tonight I'll get it done.

baweaver commented Oct 11, 2016

Ok then, dibs. I'll get out a short form PR and ask for reviews here in a bit. I'll likely be citing information from the above blog post.

lynncyrin (Member) commented Oct 11, 2016

An incomplete list of places that need changes:

  • website
  • docs
  • code
