Meaning of new block "git_source(:github)" in Gemfile

Its a workaround for a bug in Bundler which can cause sources from github to be loaded via HTTP and not HTTPS - which makes it vulnerable to man in the middle attacks.

git_source adds a source which you can use so that the gem is downloaded from a git repository instead of a package from rubygems.org.

git_source(:github) do |repo_name|
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  "https://github.com/#{repo_name}.git"
end

Would make it so that when you declare:

gem 'foo_bar', :github => 'foo/bar'

Bundler would attempt to download the gem from https://github.com/foo/bar.git.

Since fixing this would be a breaking change as it would invalidate any existing Gemfile.lock it is fixed in Bundler 2.x. At that point it should be safe to remove this workaround.

The Bundler :github directive will fetch from git://github.com/#{repo_name}.git (source), which uses the insecure http protocol.

This is due to be fixed in future Bundler versions but this snippet is added to the top of the Gemfile to ensure https is used in Bundler 1.

If you do not want to add this code to your gemfile but still want to securely access a gem from github you can use the following method:

gem 'foo_bar', git: 'https://github.com/foo/bar.git

Meaning of new block "git_source(:github)" in Gemfile

Tags:

Ruby On Rails

Bundler

Gemfile

Related

Recent Posts