Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bundler_from_the_inside_out-1.pdf

Thong Kuah
March 15, 2023
54

 Bundler_from_the_inside_out-1.pdf

Thong Kuah

March 15, 2023
Tweet

Transcript

  1. About me • Thong Kuah • Rails core commits •

    1st GitLab employee in NZ ^ Ruby logo licensed under the terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement. ^ GitLab logo from https://about.gitlab.com/press/press-kit/
  2. Today… 1. Hack Bundler a. How to monkey-patch ? b.

    How bundler works c. How bundler is implemented 2. ??? 3. Profit !
  3. Given a ruby gem, version and platform, ensure that Bundler

    is installing that, and not something else. See also a Bundler vulnerability
  4. - Extracting the checksum, how ? - Need checksum when

    installing - Checksum not available for different platform Hurdles Credit: https://unsplash.com/photos/VYTQNnaboUA
  5. Install-time checksum EndpointSpecification An EndpointSpecification represents a fetched version of

    a gem. It has extra information such as the checksum from RubyGems.org, in addition to gem name, version, and platform. Definition All gems are parsed as part of the Definition, which results in a collection of LazySpecification for each gem LazySpecification Each LazySpecification represents a specification of the gem name, version, and platform. It gets materialized to either a StubSpecification (if already installed), or an EndpointSpecification.
  6. grpc-2.0.2-x86_64-darwin Checksum committed MacOS grpc-2.0.2-x86_64-linux Checksum not committed ⁉ Linux

    (CI) Same version, different platform https://github.com/rubygems/rubygems/pull/5808#issuecomment-1374639074
  7. Thong Kuah • https://kuah.net ^ Ruby logo licensed under the

    terms of the Creative Commons Attribution-ShareAlike 2.5 License agreement. ^ GitLab logo from https://about.gitlab.com/press/press-kit/