
Clarify documentation around global sources #3374

Closed

@indirect

As demonstrated by this blog post, there is still a lot of end-user confusion about how to deal with the source issues originally revealed in our original CVE announcement.

A lot of that confusion is likely our fault as a team—we often weren't sure what was and wasn't possible even as we were trying to fix the problem. As the above-linked blog post mentions, the only way to be 100% safe in Bundler 1.x is to have no global sources.

The cross-source confusion is eliminated in the (as yet unreleased) Bundler 2.x series by a series of backwards-compatibility breaking changes to the format of the Gemfile.lock file and the way that Bundler handles gem sources internally. Once Bundler 2 is out, you'll be able to use one global source and additional non-global sources without worrying about any name conflicts.

As a result of these problems, let's try to make it clearer for users what they need to do:

  • Update the CVE warning post with clearer instructions around the possible problem and ways to avoid it
  • Update the discussion of multiple sources in the Bundler docs to point out that this opens the possibility of name conflicts, and suggest using no global sources in Bundler 1.x Gemfiles.
  • Update the existing warnings as needed to reflect the problems discussed in the new blog post

This is a good chance for anyone to contribute, even if they aren't familiar with the Bundler code, since the explanations and warnings have all already been written down at least once. 👍
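To make the "no global sources" recommendation concrete, here is an added checker (not part of Bundler or this issue) that reads a Gemfile through a deliberately minimal stand-in for the DSL, supporting only `source` and `gem`, and reports which gems are left to be satisfied from any global source. The sample Gemfile is constructed for illustration; the internal gem server name is a placeholder.

```ruby
# Simplified stand-in for the Gemfile DSL (only `source` and `gem`), NOT Bundler::Dsl.
# It records where each gem is pinned so the global-source ambiguity can be reported.
class GemfileSourceCheck
  attr_reader :global_sources, :scoped_sources, :gems

  def initialize
    @global_sources = []   # `source "url"` at top level of the Gemfile
    @scoped_sources = []   # `source "url" do ... end`
    @gems = []             # { name:, source: }; source nil => not pinned to one source
    @current_block = nil
  end

  # With a block, gems inside are pinned to that source; without one it is global.
  def source(url, &block)
    if block
      @scoped_sources << url
      prev, @current_block = @current_block, url
      instance_eval(&block)
      @current_block = prev
    else
      @global_sources << url
    end
  end

  # `gem "name", "~> 1.0", source: "url"`; a trailing Hash carries the options.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    @gems << { name: name, source: opts[:source] || @current_block }
  end

  def self.parse(text)
    check = new
    check.instance_eval(text, "Gemfile")
    check
  end

  # Gems with no explicit source, reported only when more than one source is
  # declared: these are the ones exposed to cross-source name confusion in 1.x.
  def ambiguous_gems
    return [] if (@global_sources + @scoped_sources).uniq.size < 2
    @gems.reject { |g| g[:source] }.map { |g| g[:name] }
  end

  # The recommendation from this issue for Bundler 1.x: no global sources at all.
  def safe?
    @global_sources.empty?
  end
end

# Constructed sample; "gems.example.internal" is a placeholder, not a real server.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"
  gem "rails"
  gem "private_tool", source: "https://gems.example.internal"
GEMFILE
```

Running `GemfileSourceCheck.parse(SAMPLE_GEMFILE).ambiguous_gems` on the sample reports `rails`, since it can be served by either global source, while `private_tool` is pinned.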
