Bundler_from_the_inside_out-1.pdf

Transcript

1. Bundler From the inside out

2. About me • Thong Kuah • Rails core commits •

   1st GitLab employee in NZ ^ Ruby logo licensed under the terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement. ^ GitLab logo from https://about.gitlab.com/press/press-kit/

3. Today… 1. Hack Bundler a. How to monkey-patch ? b.

   How bundler works c. How bundler is implemented 2. ??? 3. Profit !

4. What is Bundler ?

5. Example Gemfile

6. Platforms

7. The problem

8. Given a ruby gem, version and platform, ensure that Bundler

   is installing that, and not something else. See also a Bundler vulnerability

9. Checksums ! (https://rubygems.org/gems/rails)

10. Solution(s)

11. bundler-integrity (https://github.com/diffend-io/bundler-integrity) Post-install !

12. bundler-checksum (https://gitlab.com/gitlab-org/gitlab/-/blob/master/vendor/gems/bundler-checksum/README.md)

13. Gemfile.checksum

14. https://github.com/rubygems/rubygems/pull/5808

15. New CHECKSUMS section in Gemfile.lock

16. - Extracting the checksum, how ? - Need checksum when

    installing - Checksum not available for different platform Hurdles Credit: https://unsplash.com/photos/VYTQNnaboUA

17. Extracting the checksum (https://github.com/rubygems/rubygems/blob/master/bundler/lib/bundler/rubygems_ext.rb)

18. Install-time checksum EndpointSpecification An EndpointSpecification represents a fetched version of

    a gem. It has extra information such as the checksum from RubyGems.org, in addition to gem name, version, and platform. Definition All gems are parsed as part of the Definition, which results in a collection of LazySpecification for each gem LazySpecification Each LazySpecification represents a specification of the gem name, version, and platform. It gets materialized to either a StubSpecification (if already installed), or an EndpointSpecification.

19. https://github.com/rubygems/rubygems/pull/5808/commits/597932a958ee51a2b26af9534d706118e2086c31#diff-18aa0703355522e1391f4c87fb168 13a9e49fc13b51c68725214b9070751dfc6R111

20. grpc-2.0.2-x86_64-darwin Checksum committed MacOS grpc-2.0.2-x86_64-linux Checksum not committed ⁉ Linux

    (CI) Same version, different platform https://github.com/rubygems/rubygems/pull/5808#issuecomment-1374639074

21. https://github.com/rubygems/rubygems/pull/6374 Credit: https://unsplash.com/photos/vdhNO4mGQ14

22. Key classes in Bundler (https://github.com/rubygems/rubygems) Definition LockfileGenerator LockfileParser Bundler::Source::Rubygems LazySpecification

    EndpointSpecification StubSpecification

23. Thank You ! Credit: https://unsplash.com/photos/IFxjDdqK_0U

24. Thong Kuah • https://kuah.net ^ Ruby logo licensed under the

    terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement. ^ GitLab logo from https://about.gitlab.com/press/press-kit/