
Clarify documentation around global sources #3374

Open
indirect opened this issue Oct 6, 2016 · 8 comments

Comments

@indirect
Member

@indirect indirect commented Oct 6, 2016

As demonstrated by this blog post, there is still a lot of end-user confusion about how to deal with the source issues originally revealed in our original CVE announcement.

A lot of that confusion is likely our fault as a team—we often weren't sure what was and wasn't possible even as we were trying to fix the problem. As the above-linked blog post mentions, the only way to be 100% safe in Bundler 1.x is to have no global sources.

The cross-source confusion is eliminated in the (as yet unreleased) Bundler 2.x series by a series of backwards-compatibility breaking changes to the format of the Gemfile.lock file and the way that Bundler handles gem sources internally. Once Bundler 2 is out, you'll be able to use one global source and additional non-global sources without worrying about any name conflicts.

As a result of these problems, let's try to make it clearer for users what they need to do:

  • Update the CVE warning post with clearer instructions around the possible problem and ways to avoid it
  • Update the discussion of multiple sources in the Bundler docs to point out that this opens the possibility of name conflicts, and suggest using no global sources in Bundler 1.x Gemfiles.
  • Update the existing warnings as needed to reflect the problems discussed in the new blog post

This is a good chance for anyone to contribute, even if they aren't familiar with the Bundler code, since the explanations and warnings have all already been written down at least once. 👍
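
One way to check a Bundler 1.x Gemfile against the advice above (no global sources at all), as an added example in Ruby that is neither Bundler's code nor the author's; the `GemfileSourceLint` class, its stand-in DSL and the two sample Gemfiles (including the internal server URL) are assumptions constructed here:

```ruby
# Added example, not Bundler's own code: a small lint that evaluates a Gemfile
# through a stand-in DSL (only `source` and `gem` are modelled) and reports
# whether it still relies on a global source, the unsafe case in Bundler 1.x.
class GemfileSourceLint
  attr_reader :global_sources, :scoped, :unscoped
  def initialize
    @global_sources = [] # bare `source "url"` calls
    @scoped = {}         # gem name => URL of its enclosing source block
    @unscoped = []       # gems declared outside any source block
    @current = nil
  end

  # A bare `source` is global; `source "url" do ... end` pins every `gem`
  # inside the block to that single URL.
  def source(url, &block)
    return @global_sources << url unless block
    prev, @current = @current, url
    instance_eval(&block)
    @current = prev
  end
  def gem(name, *_version_or_options)
    @current ? (@scoped[name] = @current) : (@unscoped << name)
  end
  def self.check(gemfile_text)
    lint = new
    lint.instance_eval(gemfile_text, "Gemfile")
    lint
  end
  # Safe per the thread's 1.x advice: no global source, every gem scoped.
  def safe?
    global_sources.empty? && unscoped.empty?
  end
end

# Constructed sample Gemfiles; the internal server URL is hypothetical.
RISKY_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rake"
  source "https://gems.example.internal" do
    gem "internal-auth"
  end
GEMFILE
SAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org" do
    gem "rake"
  end
  source "https://gems.example.internal" do
    gem "internal-auth"
  end
GEMFILE
```

`GemfileSourceLint.check(RISKY_GEMFILE).safe?` is false because of the global rubygems.org source and the unscoped `rake`, while the second Gemfile passes with both gems pinned to exactly one block.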

@sfcgeorge

@sfcgeorge sfcgeorge commented Oct 7, 2016

Nice clear explanation, thank you 🏌️ I'll aim to jump on some of those doc improvements then 🤓

@lynncyrin
Member

@lynncyrin lynncyrin commented Oct 10, 2016

This is still available for anyone who wants to address it

@baweaver

@baweaver baweaver commented Oct 10, 2016

If no one claims it by tonight I'll get it done.

@baweaver

@baweaver baweaver commented Oct 11, 2016

Ok then, dibs. I'll get out a short form PR and ask for reviews here in a bit. I'll likely be citing information from the above blog post.

@lynncyrin
Member

@lynncyrin lynncyrin commented Oct 11, 2016

An incomplete list of places that need changes:

  • website
  • docs
  • code

@esasse

@esasse esasse commented Jun 6, 2019

Hey @baweaver, do you still intend to work on this?

@hsbt hsbt transferred this issue from rubygems/bundler Mar 14, 2020
@bronzdoc
Member

@bronzdoc bronzdoc commented Mar 22, 2020

@indirect is this still relevant?

@indirect
Member Author

@indirect indirect commented Mar 23, 2020

I think this still needs to be done? I'm not 100% sure but I don't remember us ever resolving it.

7 participants