Meaning of new block "git_source(:github)" in Gemfile
Recently I created a new Rails 5 app, without a git repository. The auto-generated Gemfile contains a new block I had not seen before:
git_source(:github) do |repo_name|
repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
"https://github.com/#{repo_name}.git"
end
What's the meaning of it? Is it mandatory for every new app?
Its a workaround for a bug in Bundler which can cause sources from github to be loaded via HTTP and not HTTPS - which makes it vulnerable to man in the middle attacks.
git_source
adds a source which you can use so that the gem is downloaded from a git repository instead of a package from rubygems.org
.
git_source(:github) do |repo_name|
repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
"https://github.com/#{repo_name}.git"
end
Would make it so that when you declare:
gem 'foo_bar', :github => 'foo/bar'
Bundler would attempt to download the gem from https://github.com/foo/bar.git
.
Since fixing this would be a breaking change as it would invalidate any existing Gemfile.lock it is fixed in Bundler 2.x. At that point it should be safe to remove this workaround.
The Bundler :github directive will fetch from git://github.com/#{repo_name}.git
(source), which uses the insecure http
protocol.
This is due to be fixed in future Bundler versions but this snippet is added to the top of the Gemfile to ensure https
is used in Bundler 1.
If you do not want to add this code to your gemfile but still want to securely access a gem from github you can use the following method:
gem 'foo_bar', git: 'https://github.com/foo/bar.git