Conversation

@jashank (Contributor) commented Sep 1, 2015

As per http://bundler.io/git.html:

> `http://` and `git://` URLs are insecure. A man-in-the-middle attacker
> could tamper with the code as you check it out, and potentially supply
> you with malicious code instead of the code you meant to check
> out. Because the `:github` shortcut uses a `git://` URL in Bundler 1.x
> versions, we recommend using HTTPS URLs or overriding the
> `:github` shortcut with your own HTTPS git source.

Also, as Rails master (currently 5.0.0.alpha) has a dependency on Arel
master (currently 7.0.0.alpha), we must pull this in too.
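To make the change concrete, here is an added Ruby example (not code from this pull request, from this repository, or from Bundler itself): a small stand-in for the Bundler 1.x Gemfile DSL that records where each gem's git checkout would come from, so a Gemfile can be audited for `git://` and `http://` sources. The three Gemfile texts are constructed for the example and show the `:github` shortcut (which Bundler 1.x expands to `git://`), the explicit HTTPS `:git` source this PR switches to, and the `git_source(:github)` override that bundler.io suggests as the alternative. The `GemfileAudit` class and its `insecure` method are this example's own names, not Bundler API.

```ruby
require "uri"

# Minimal stand-in for the Bundler 1.x Gemfile DSL, written for this example
# (it is NOT Bundler). It records each gem's git URL so a Gemfile can be
# checked for the transports bundler.io warns about: git:// and http:// give a
# man-in-the-middle attacker the chance to substitute code at checkout time.
class GemfileAudit
  INSECURE_SCHEMES = %w[git http].freeze

  attr_reader :gems

  def initialize
    @gems = {}
    # Bundler 1.x's built-in :github shortcut expands to a git:// URL.
    @git_sources = { github: ->(repo) { "git://github.com/#{repo}.git" } }
  end

  # Evaluate Gemfile text (a string, not a file on disk) against this stub DSL.
  def self.load(text)
    audit = new
    audit.instance_eval(text, "Gemfile", 1)
    audit
  end

  # The rubygems source line is out of scope for this audit.
  def source(_url); end

  # Same shape as Bundler's git_source: the block maps a short repo name to a
  # full git URL and replaces the built-in shortcut of the same name.
  def git_source(name, &block)
    @git_sources[name.to_sym] = block
  end

  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    url = opts[:git]
    @git_sources.each do |key, expand|
      url = expand.call(opts[key]) if opts.key?(key)
    end
    @gems[name] = url # nil when the gem is fetched from rubygems instead
  end

  # [name, url] pairs for gems whose git transport has no integrity protection.
  def insecure
    @gems.select { |_, url| url && INSECURE_SCHEMES.include?(URI(url).scheme) }.to_a
  end
end

# Constructed Gemfile texts (single-quoted heredocs so "#{repo}" stays literal).

# Before: the :github shortcut, which Bundler 1.x turns into git:// URLs.
GEMFILE_GITHUB_SHORTCUT = <<~'GEMFILE'
  source "https://rubygems.org"
  gem "rails", github: "rails/rails"
  gem "arel",  github: "rails/arel"
GEMFILE

# After: explicit :git sources over HTTPS, as in this PR.
GEMFILE_HTTPS_GIT = <<~'GEMFILE'
  source "https://rubygems.org"
  gem "rails", git: "https://github.com/rails/rails.git", branch: "master"
  gem "arel",  git: "https://github.com/rails/arel.git",  branch: "master"
GEMFILE

# Alternative from bundler.io: keep the shortcut but override it with HTTPS.
GEMFILE_OVERRIDDEN_SHORTCUT = <<~'GEMFILE'
  source "https://rubygems.org"
  git_source(:github) { |repo| "https://github.com/#{repo}.git" }
  gem "rails", github: "rails/rails"
  gem "arel",  github: "rails/arel"
GEMFILE

if $PROGRAM_NAME == __FILE__
  { "github shortcut" => GEMFILE_GITHUB_SHORTCUT,
    "https :git" => GEMFILE_HTTPS_GIT,
    "overridden shortcut" => GEMFILE_OVERRIDDEN_SHORTCUT }.each do |label, text|
    bad = GemfileAudit.load(text).insecure
    puts "#{label}: #{bad.empty? ? 'ok' : bad.map { |n, u| "#{n} <- #{u}" }.join(', ')}"
  end
end
```

Only the first Gemfile is flagged; the other two resolve every git checkout to an `https://` URL, which is the property the PR is after. The audit deliberately ignores `branch:` and other options, since the transport is the only thing that matters for the man-in-the-middle concern.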
@dgeb (Member) commented Sep 2, 2015

I would hope no one's pulling from master for anything but development (i.e. probably not a realistic concern for production apps). But regardless, seems like a good precaution. 👍

lgebhardt added a commit that referenced this pull request Sep 2, 2015
Use the ':git' source when bundling Rails master
@lgebhardt lgebhardt merged commit cd5e947 into cerebris:master Sep 2, 2015
@lgebhardt (Member) commented:

Thanks!

@jashank jashank deleted the gemfile-rails-github branch September 30, 2015 04:16
3 participants