Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bundler_from_the_inside_out-1.pdf

Thong Kuah
March 15, 2023
0
63

 Bundler_from_the_inside_out-1.pdf

Thong Kuah

March 15, 2023
Tweet

More Decks by Thong Kuah

See All by Thong Kuah
Chicken Soup for the Yak Shaver
kuahyeow
0
330
Code Review: Pitfalls and Good Practices
kuahyeow
0
200

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
RailsConf 2023
tenderlove
29
900
Building Adaptive Systems
keathley
38
2.3k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k

Transcript

  1. Bundler From the inside out

  2. About me • Thong Kuah • Rails core commits •

    1st GitLab employee in NZ ^ Ruby logo licensed under the terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement. ^ GitLab logo from https://about.gitlab.com/press/press-kit/

  3. Today… 1. Hack Bundler a. How to monkey-patch ? b.

    How bundler works c. How bundler is implemented 2. ??? 3. Profit !

  4. What is Bundler ?

  5. Example Gemfile

  6. Platforms

  7. The problem

  8. Given a ruby gem, version and platform, ensure that Bundler

    is installing that, and not something else. See also a Bundler vulnerability

  9. Checksums ! (https://rubygems.org/gems/rails)

  10. Solution(s)

  11. bundler-integrity (https://github.com/diffend-io/bundler-integrity) Post-install !

  12. bundler-checksum (https://gitlab.com/gitlab-org/gitlab/-/blob/master/vendor/gems/bundler-checksum/README.md)

  13. Gemfile.checksum

  14. https://github.com/rubygems/rubygems/pull/5808

  15. New CHECKSUMS section in Gemfile.lock

  16. - Extracting the checksum, how ? - Need checksum when

    installing - Checksum not available for different platform Hurdles Credit: https://unsplash.com/photos/VYTQNnaboUA

  17. Extracting the checksum (https://github.com/rubygems/rubygems/blob/master/bundler/lib/bundler/rubygems_ext.rb)

  18. Install-time checksum EndpointSpecification An EndpointSpecification represents a fetched version of

    a gem. It has extra information such as the checksum from RubyGems.org, in addition to gem name, version, and platform. Definition All gems are parsed as part of the Definition, which results in a collection of LazySpecification for each gem LazySpecification Each LazySpecification represents a specification of the gem name, version, and platform. It gets materialized to either a StubSpecification (if already installed), or an EndpointSpecification.

  19. https://github.com/rubygems/rubygems/pull/5808/commits/597932a958ee51a2b26af9534d706118e2086c31#diff-18aa0703355522e1391f4c87fb168 13a9e49fc13b51c68725214b9070751dfc6R111

  20. grpc-2.0.2-x86_64-darwin Checksum committed MacOS grpc-2.0.2-x86_64-linux Checksum not committed ⁉ Linux

    (CI) Same version, different platform https://github.com/rubygems/rubygems/pull/5808#issuecomment-1374639074

  21. https://github.com/rubygems/rubygems/pull/6374 Credit: https://unsplash.com/photos/vdhNO4mGQ14

  22. Key classes in Bundler (https://github.com/rubygems/rubygems) Definition LockfileGenerator LockfileParser Bundler::Source::Rubygems LazySpecification

    EndpointSpecification StubSpecification

  23. Thank You ! Credit: https://unsplash.com/photos/IFxjDdqK_0U

  24. Thong Kuah • https://kuah.net ^ Ruby logo licensed under the

    terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement. ^ GitLab logo from https://about.gitlab.com/press/press-kit/