Allow installing from non https sources #4192
I think we should definitely add a warning about the insecure source to discourage usage of HTTP. I will add http://insecure.rubygems.org which doesn't redirect to https.
Thanks @sonalkr132, that makes sense to me. I would propose the following as an alternative to this PR: For rubygems.org sources
For custom sources
I agree with @sonalkr132's opinion.
I think this should mention that we redirected to https automatically, if we are transparently redirecting to https.
I am not sure about this. I think we should always error. HTTP sources have not been supported for over five years, which goes to show how few users must be affected by this. IMHO, it should remain "officially" unsupported. We can add a guide with detailed consequences, helpful commands to fix their problem (install openssl, links to fix cert guides etc), mention
@sonalkr132 I agree with your comments, I can move forward with my proposal + your modifications once http://insecure.rubygems.org is in place 👍.
So, just for update's sake: insecure.rubygems.org was added. Only,
I am not sure if we should remove
Oh, sorry @sonalkr132, just to clarify, I marked this PR as WIP because with the new proposal I won't remove this. The alternative proposal was to restore legacy support for http sources. I didn't actually check when this stopped working, but nothing in the codebase indicates that this is unsupported, including the current error message recommending using non-https sources as an alternative.
Thanks for clarifying. I was under the assumption that you just won't redirect to http://insecure.rubygems.org
The idea is that we will intercept rubygems.org. As per the updated proposal: For rubygems.org sources
For custom sources
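The updated proposal above (transparently upgrade rubygems.org HTTP sources to HTTPS and say so, keep other HTTP sources but flag them as insecure, and stop pointing users at HTTP when OpenSSL is missing) written out as a small Ruby check. This is an added example, not code from this PR or from rubygems; the module name, the host list and the message wording are assumptions.

```ruby
require "uri"

# Added example, not rubygems code: classify a gem source the way the
# proposal in this thread describes. Module name, host list and message
# wording are assumptions.
module InsecureSourceCheck
  # Hosts that rubygems.org serves only over HTTPS (assumed list).
  RUBYGEMS_HOSTS = %w[rubygems.org www.rubygems.org index.rubygems.org].freeze

  Result = Struct.new(:uri, :action, :message)

  # Returns a Result whose :action is one of
  #   :ok      - already HTTPS, nothing to say
  #   :upgrade - rubygems.org over HTTP, rewritten to HTTPS with a notice
  #   :warn    - custom host over HTTP, kept but flagged as insecure
  def self.check(source)
    uri = URI(source)
    case uri.scheme
    when "https"
      Result.new(uri, :ok, nil)
    when "http"
      if RUBYGEMS_HOSTS.include?(uri.host)
        secure = URI::HTTPS.build(host: uri.host,
                                  path: uri.path.empty? ? "/" : uri.path,
                                  query: uri.query)
        Result.new(secure, :upgrade,
                   "#{source} was redirected to #{secure}: rubygems.org is only served over HTTPS")
      else
        Result.new(uri, :warn,
                   "WARNING: #{source} is an insecure (HTTP) source; gems fetched from it can be tampered with in transit")
      end
    else
      raise ArgumentError, "unsupported gem source scheme: #{uri.scheme.inspect}"
    end
  end

  # Error text for a Ruby built without OpenSSL: point at fixing the Ruby
  # install, not at using HTTP (the recommendation this thread wants removed).
  def self.openssl_missing_message
    "Unable to require openssl; install OpenSSL and rebuild Ruby before using HTTPS gem sources"
  end
end

if __FILE__ == $0
  # Constructed sample sources: secure, rubygems.org over HTTP, custom host over HTTP.
  %w[https://rubygems.org http://rubygems.org/ http://gems.example.test/].each do |src|
    r = InsecureSourceCheck.check(src)
    puts "#{src} => #{r.action}#{r.message ? " (#{r.message})" : ""}"
  end
end
```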
It is possible to install Ruby without OpenSSL. It actually seems tricky to install it with OpenSSL (dunno why); I had trouble with a legacy version and
@marcandre I'm very surprised by what you said, haven't heard of any similar report by anyone since ruby 2.3 I think. I guess we should dig into your issues a bit more before changing anything here. Depending on how many people are affected we can make a decision. I'm also surprised by what you said about installing from source, my experience is completely the opposite. A while ago I tried to install ruby without openssl and it was quite hard to figure out (my shell history says
@sonalkr132 I noticed that currently you can visit
This is expected. I have only disabled the https redirect on dependency API endpoints; otherwise, insecure.rubygems.org is the same as any other domain. We can potentially block everything on this except dependency endpoints, however, as you are suggesting, probably leaving this broken is the most straightforward option.
This may be relevant: rbenv/ruby-build#377. I don't have first-hand experience of this, but what I can tell from dealing with support tickets is that macOS users always had to struggle with openssl being outdated, misconfigured or regression (on OS updates).
Then maybe we should redirect. Regarding OpenSSL issues, yeah, being a macOS thing explains why I never ran into it. Still, things seem good now, at least that ticket you linked to suggests that since ruby 2.3 people seem to no longer have those issues.
@sonalkr132 I didn't manage to get to this yet, but I wonder about your opinion about my previous message. I still don't like the fact that we serve a url including the "insecure" word over https.
This should be doable. But only redirect it for non-dependency endpoints, right?
I would be fine with either completely dropping the
The resolution would be that you need OpenSSL to use rubygems, so steps to install it?
Yeah, basically remove the "and
Got it. I will remove insecure.rubygems.org setup.
@simi Would you be ok with that? This has apparently been broken for a while now and we've got a single report so far, so I think it should be ok?
Sure, let's do that. |
Sorry, what's the fix again?
There's no solution, really. The plan is to try to print a better error, so that you can fix your ruby installation so that it can use
I just tried to install a gem via http and was indeed puzzled by it not working:
I think a quick improvement would be to only change the error message and remove the "use non-HTTPS sources" part (even without doing anything else, like adding steps on how to install). Would it make sense if I made a PR for just that small change?
Can you try with: $ gem install ABO --clear-sources --source 'http://rubygems.org' --verbose
Thanks for the quick reply!
That's probably the http -> https redirect kicking in, right?
Yes, there was
What was the end-user or developer problem that led to this PR?
OpenSSL is not mandatory, but installing from non-https sources fails.
What is your fix for the problem, implemented in this PR?
My fix is to allow it, since it's not hard.
But I think we should at least print a warning.
Fixes #4191.