Project

General

Profile

Actions
Copy link

Bug #15384

closed

ssl_certs are duplicated in RubyGems and Bundler

Added by vo.x (Vit Ondruch) almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
hsbt (Hiroshi SHIBATA)
Target version:
-
ruby -v:
ruby 2.6.0dev (2018-11-29 trunk 66092) [x86_64-linux]
Backport:
2.4: DONTNEED, 2.5: DONTNEED, 2.6: DONTNEED
[ruby-core:90313]

Description

It is pity that the same ssl_certs are shipped on multiple places, once as part of RubyGems and the other set as part of Bundler. This makes the security review much harder (actually, in Fedora/RHEL packages, we are not supposed to ship any certificates, so it makes it harder to remove them).

Therefore, please ship just one copy of the certificates if really necessary (it should not be necessary on properly maintained systems).

Files

unify-certification-bundler.patch (14.3 KB) unify-certification-bundler.patch hsbt (Hiroshi SHIBATA), 03/14/2019 02:47 AM
Actions
Copy link
 #1 [ruby-core:90324]

Updated by shevegen (Robert A. Heiler) almost 5 years ago

Agree on the "one rather than two". It is probably redundant after the merge.

I can't answer the second sentence since there may have been (different?)
reasons for adding certificates - but it would make sense to require only
one rather than two either way.

Actions
Copy link
 #2 [ruby-core:90335]

Updated by hsbt (Hiroshi SHIBATA) almost 5 years ago

  • Status changed from Open to Assigned
  • Assignee set to hsbt (Hiroshi SHIBATA)
Actions
Copy link
 #3 [ruby-core:91823]

Updated by hsbt (Hiroshi SHIBATA) over 4 years ago

I made a patch that unifies both certificates. I propose it to bundler upstream.

Actions
Copy link
 #4 [ruby-core:91846]

Updated by vo.x (Vit Ondruch) over 4 years ago

Is the patch correct? Will it work when RubyGems are updated via gem update --system? I have not tested it, just wondering ...

Moreover, I don't understand why Bundler does not use RubyGems facilities for such functionality (but I understand the patch would be probably more complex :) ).

Actions
Copy link
 #5 [ruby-core:91847]

Updated by vo.x (Vit Ondruch) over 4 years ago

vo.x (Vit Ondruch) wrote:

Is the patch correct? Will it work when RubyGems are updated via gem update --system? I have not tested it, just wondering ...

Gem::RUBYGEMS_DIR should be probably used to initialize the rubygems_certs_dir

https://github.com/rubygems/rubygems/blob/master/lib/rubygems.rb#L116

Actions
Copy link
 #6 [ruby-core:91848]

Updated by vo.x (Vit Ondruch) over 4 years ago

There is even Gem::Request.get_cert_files

Actions
Copy link
 #8 [ruby-core:92350]

Updated by hsbt (Hiroshi SHIBATA) over 4 years ago

  • Status changed from Assigned to Closed
  • Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN to 2.4: DONTNEED, 2.5: DONTNEED, 2.6: DONTNEED

I fixed it at r67539

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0