
Bundler_from_the_inside_out-1.pdf

Thong Kuah
March 15, 2023

Transcript

  1. Bundler
    From the inside out

  2. About me
    ● Thong Kuah
    ● Rails core commits
    ● 1st GitLab employee in NZ
    ^ Ruby logo licensed under the terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement.
    ^ GitLab logo from https://about.gitlab.com/press/press-kit/

  3. Today…
    1. Hack Bundler
       a. How to monkey-patch?
       b. How Bundler works
       c. How Bundler is implemented
    2. ???
    3. Profit!

  4. What is Bundler?

  5. Example Gemfile

  6. Platforms

  7. The problem

  8. Given a Ruby gem, version and platform, ensure that Bundler is installing that, and not something else.
    See also a Bundler vulnerability

  9. Checksums!
    (https://rubygems.org/gems/rails)

  10. Solution(s)

  11. bundler-integrity (https://github.com/diffend-io/bundler-integrity)
    Post-install!

  12. bundler-checksum
    (https://gitlab.com/gitlab-org/gitlab/-/blob/master/vendor/gems/bundler-checksum/README.md)

  13. Gemfile.checksum

  14. https://github.com/rubygems/rubygems/pull/5808

  15. New CHECKSUMS section in Gemfile.lock

  16. Hurdles
    - Extracting the checksum, how?
    - Need checksum when installing
    - Checksum not available for different platform
    Credit: https://unsplash.com/photos/VYTQNnaboUA

  17. Extracting the checksum
    (https://github.com/rubygems/rubygems/blob/master/bundler/lib/bundler/rubygems_ext.rb)

  18. Install-time checksum
    Definition
    All gems are parsed as part of the Definition, which results in a collection of LazySpecification for each gem.
    LazySpecification
    Each LazySpecification represents a specification of the gem name, version, and platform. It gets materialized to either a StubSpecification (if already installed), or an EndpointSpecification.
    EndpointSpecification
    An EndpointSpecification represents a fetched version of a gem. It has extra information such as the checksum from RubyGems.org, in addition to gem name, version, and platform.

  19. https://github.com/rubygems/rubygems/pull/5808/commits/597932a958ee51a2b26af9534d706118e2086c31#diff-18aa0703355522e1391f4c87fb16813a9e49fc13b51c68725214b9070751dfc6R111

  20. Same version, different platform
    grpc-2.0.2-x86_64-darwin (MacOS): checksum committed
    grpc-2.0.2-x86_64-linux (Linux, CI): checksum not committed ⁉
    https://github.com/rubygems/rubygems/pull/5808#issuecomment-1374639074
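The following is an added example, not code from the talk or from Bundler itself. It shows the install-time check that slides 15 and 18 describe (compare the bytes of a fetched gem against the checksum locked in a CHECKSUMS section) and handles the hurdle from slide 20: a gem fetched for a platform whose checksum was never committed is reported as missing rather than passing silently. The `name (version[-platform]) sha256=<hex>` line shape, the lockfile text and the gem bytes are all constructed stand-ins for this example, not the exact syntax of rubygems/rubygems#5808.

```ruby
require "digest"

# Added example (not Bundler's own code). Verifies fetched gem bytes against a
# CHECKSUMS section like the one rubygems/rubygems#5808 adds to Gemfile.lock.
# The line shape "name (version[-platform]) sha256=<hex>" is assumed here; the
# lockfile text and gem bytes below are constructed stand-ins.

# Header lines in a lockfile are an upper-case word at column 0 (GEM, PLATFORMS,
# CHECKSUMS, BUNDLED WITH, ...).
SECTION_HEADER = /\A[A-Z][A-Z ]*\s*\z/
CHECKSUM_LINE  = /\A\s*(\S+) \(([^)]+)\) (\w+)=([0-9a-f]+)\s*\z/

# Returns { "name-version[-platform]" => { algo: "sha256", hex: "..." } }.
def parse_checksums(lockfile)
  checksums = {}
  in_section = false
  lockfile.each_line do |line|
    if SECTION_HEADER.match?(line)
      in_section = line.strip == "CHECKSUMS"
      next
    end
    next unless in_section && !line.strip.empty?
    m = CHECKSUM_LINE.match(line) or raise "unparseable CHECKSUMS line: #{line.inspect}"
    name, version_platform, algo, hex = m.captures
    checksums["#{name}-#{version_platform}"] = { algo: algo, hex: hex }
  end
  checksums
end

VerifyResult = Struct.new(:status, :expected, :actual)

# Compares the bytes actually fetched for (name, version, platform) with the
# locked checksum. A platform that was never locked (the grpc darwin/linux case
# from the slides) is reported as :missing rather than silently passing.
def verify_gem(checksums, name, version, platform, gem_bytes)
  key = platform == "ruby" ? "#{name}-#{version}" : "#{name}-#{version}-#{platform}"
  locked = checksums[key]
  return VerifyResult.new(:missing, nil, nil) unless locked
  raise "unsupported checksum algorithm #{locked[:algo]}" unless locked[:algo] == "sha256"

  actual = Digest::SHA256.hexdigest(gem_bytes)
  VerifyResult.new(actual == locked[:hex] ? :ok : :mismatch, locked[:hex], actual)
end

# Constructed stand-ins for downloaded .gem archives (real ones are tar files).
RACK_GEM_BYTES        = "constructed stand-in for rack-3.0.8.gem"
GRPC_DARWIN_GEM_BYTES = "constructed stand-in for grpc-2.0.2-x86_64-darwin.gem"
GRPC_LINUX_GEM_BYTES  = "constructed stand-in for grpc-2.0.2-x86_64-linux.gem"

# Constructed lockfile: only the darwin grpc gem was installed when it was
# generated, so only its checksum got committed.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      grpc (2.0.2-x86_64-darwin)
      rack (3.0.8)

  PLATFORMS
    x86_64-darwin

  CHECKSUMS
    grpc (2.0.2-x86_64-darwin) sha256=#{Digest::SHA256.hexdigest(GRPC_DARWIN_GEM_BYTES)}
    rack (3.0.8) sha256=#{Digest::SHA256.hexdigest(RACK_GEM_BYTES)}

  BUNDLED WITH
     2.4.0
LOCK

if $PROGRAM_NAME == __FILE__
  checksums = parse_checksums(LOCKFILE)
  [
    ["rack", "3.0.8", "ruby",          RACK_GEM_BYTES],
    ["rack", "3.0.8", "ruby",          RACK_GEM_BYTES + "tampered"],
    ["grpc", "2.0.2", "x86_64-darwin", GRPC_DARWIN_GEM_BYTES],
    ["grpc", "2.0.2", "x86_64-linux",  GRPC_LINUX_GEM_BYTES], # CI on Linux: no locked checksum
  ].each do |name, version, platform, bytes|
    r = verify_gem(checksums, name, version, platform, bytes)
    puts "#{name} #{version} #{platform}: #{r.status}"
  end
end
```

The three outcomes are deliberately distinct: `:mismatch` means the fetched bytes differ from what was locked and the install must stop, while `:missing` means the lockfile has no entry for this platform at all, which is exactly the state a Linux CI job is in when the lockfile was generated on a Mac. Treating `:missing` as a failure is the stricter choice; treating it as "record the checksum now" is what a first install on a new platform needs, and a real implementation has to decide which of the two it is doing.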

  21. https://github.com/rubygems/rubygems/pull/6374
    Credit: https://unsplash.com/photos/vdhNO4mGQ14

  22. Key classes in Bundler
    (https://github.com/rubygems/rubygems)
    Definition
    LockfileGenerator
    LockfileParser
    Bundler::Source::Rubygems
    LazySpecification
    EndpointSpecification
    StubSpecification

  23. Thank You!
    Credit: https://unsplash.com/photos/IFxjDdqK_0U

  24. Thong Kuah
    ● https://kuah.net
    ^ Ruby logo licensed under the terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement.
    ^ GitLab logo from https://about.gitlab.com/press/press-kit/