Clarify documentation around global sources #5062

indirect opened this Issue Oct 6, 2016 · 5 comments


indirect commented Oct 6, 2016 edited

As demonstrated by this blog post, there is still a lot of end-user confusion about how to deal with the source issues originally revealed in our original CVE announcement.

A lot of that confusion is likely our fault as a team—we often weren't sure what was and wasn't possible even as we were trying to fix the problem. As the above-linked blog post mentions, the only way to be 100% safe in Bundler 1.x is to have no global sources.

The cross-source confusion is eliminated in the (as yet unreleased) Bundler 2.x series by a series of backwards-compatibility breaking changes to the format of the Gemfile.lock file and the way that Bundler handles gem sources internally. Once Bundler 2 is out, you'll be able to use one global source and additional non-global sources without worrying about any name conflicts.

As a result of these problems, let's try to make it clearer for users what they need to do:

  • Update the CVE warning post with clearer instructions around the possible problem and ways to avoid it
  • Update the discussion of multiple sources in the Bundler docs to point out that this opens the possibility of name conflicts, and suggest using no global sources in Bundler 1.x Gemfiles.
  • Update the existing warnings as needed to reflect the problems discussed in the new blog post

This is a good chance for anyone to contribute, even if they aren't familiar with the Bundler code, since the explanations and warnings have all already been written down at least once. 👍
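The Gemfile layouts the comment above contrasts (several bare `source` lines versus no global source and every gem pinned to one server) can be checked mechanically. The following is an added example, not code from Bundler or from this issue: a small Ruby auditor that evaluates a Gemfile against a stand-in DSL (only `source`, `gem`, `group` and `ruby` are modelled, which is an assumption; real Gemfiles may use more of Bundler's DSL) and reports which gems Bundler 1.x could resolve from any of several global sources. The sample Gemfiles, the private server URL and the gem names in them are constructed for illustration.

```ruby
# Added example (not Bundler's own code): audit a Bundler 1.x Gemfile for
# the multiple-global-source layout that allows cross-source name conflicts.
# The stand-in DSL below models only `source`, `gem`, `group` and `ruby`
# (assumption); any other Gemfile call raises so nothing is silently skipped.

class GemfileAudit
  Dependency = Struct.new(:name, :source)

  attr_reader :global_sources, :deps

  def initialize
    @global_sources = []  # URLs from bare `source "..."` calls
    @deps = []            # one Dependency per `gem` call
    @block_source = nil   # URL of the enclosing `source "..." do ... end`, if any
  end

  # `source "url"` declares a global source; `source "url" do ... end`
  # pins every gem declared inside the block to that single source.
  def source(url, &block)
    if block.nil?
      @global_sources << url
    else
      outer, @block_source = @block_source, url
      begin
        instance_eval(&block)
      ensure
        @block_source = outer
      end
    end
  end

  # `gem "name", "~> 1.0", source: "url", group: :test`: the effective source
  # is the explicit `source:` option, else the enclosing block's URL, else nil
  # (nil means any global source may satisfy the name).
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    @deps << Dependency.new(name, opts[:source] || @block_source)
  end

  # `group :test do ... end` carries no source semantics; evaluate the body.
  def group(*_names, &block)
    instance_eval(&block)
  end

  # `ruby "2.3.1"` is irrelevant to sources and ignored.
  def ruby(*_args); end

  def method_missing(name, *_args)
    raise NotImplementedError, "Gemfile call not modelled by this auditor: #{name}"
  end

  def respond_to_missing?(_name, _include_private = false)
    false
  end

  # Gems that Bundler 1.x may fetch from *any* of the global sources, i.e.
  # the name-conflict case. Empty when there are fewer than two global sources.
  def ambiguous_gems
    return [] if @global_sources.size < 2
    @deps.reject(&:source).map(&:name)
  end

  # The stricter rule from the comment above: a Bundler 1.x Gemfile is only
  # fully safe from cross-source confusion when it has no global source at all.
  def strict_1x_safe?
    @global_sources.empty?
  end

  def self.audit(text)
    new.tap { |a| a.instance_eval(text, "Gemfile", 1) }
  end
end

# Constructed sample: two global sources, the risky Bundler 1.x layout.
RISKY_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"   # hypothetical private server

  gem "rails", "~> 5.0"
  gem "internal-auth"                      # hypothetical private gem
  group :test do
    gem "rspec-rails", source: "https://rubygems.org"
  end
GEMFILE

# Constructed sample: no global source; every gem is scoped to one server.
SAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org" do
    gem "rails", "~> 5.0"
    group :test do
      gem "rspec-rails"
    end
  end

  source "https://gems.example.internal" do
    gem "internal-auth"
  end
GEMFILE

# Constructed sample: one global source plus a scoped block. The comment
# above says Bundler 2 will handle this cleanly; it still fails the
# "no global sources" rule for Bundler 1.x.
MIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 5.0"
  source "https://gems.example.internal" do
    gem "internal-auth"
  end
GEMFILE

if $PROGRAM_NAME == __FILE__
  { "risky" => RISKY_GEMFILE, "safe" => SAFE_GEMFILE, "mixed" => MIXED_GEMFILE }.each do |label, text|
    a = GemfileAudit.audit(text)
    puts "#{label}: global sources=#{a.global_sources.size} " \
         "ambiguous=#{a.ambiguous_gems.inspect} strict_1x_safe=#{a.strict_1x_safe?}"
  end
end
```

Run it as a script to see the three verdicts; in a CI job the same class can be pointed at a project's real Gemfile text, with additional DSL methods added as that Gemfile needs them.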


Nice clear explanation, thank you 🏌️ I'll aim to jump on some of those doc improvements then 🤓

lynnco commented Oct 10, 2016

This is still available for anyone who wants to address it


If no one claims it by tonight I'll get it done.


Ok then, dibs. I'll get out a short form PR and ask for reviews here in a bit. I'll likely be citing information from the above blog post.

lynnco commented Oct 11, 2016 edited

An incomplete list of places that need changes:
