ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:90313] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: v.ondruch @ 2018-12-05 14:33 UTC
  To: ruby-core

Issue #15384 has been reported by vo.x (Vit Ondruch).

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384

* Author: vo.x (Vit Ondruch)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-11-29 trunk 66092) [x86_64-linux]
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
It is a pity that the same ssl_certs are shipped in multiple places, once as part of RubyGems and a second set as part of Bundler. This makes the security review much harder (actually, in Fedora/RHEL packages, we are not supposed to ship any certificates, so it makes it harder to remove them).

Therefore, please ship just one copy of the certificates if really necessary (it should not be necessary on properly maintained systems).



-- 
https://bugs.ruby-lang.org/


* [ruby-core:90324] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: shevegen @ 2018-12-05 18:40 UTC
  To: ruby-core

Issue #15384 has been updated by shevegen (Robert A. Heiler).


Agree on the "one rather than two". It is probably redundant after the merge.

I can't answer the second sentence since there may have been (different?)
reasons for adding certificates - but it would make sense to require only
one rather than two either way.

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-75429

* [ruby-core:90335] [Ruby trunk Bug#15384][Assigned] ssl_certs are duplicated in RubyGems and Bundler
From: hsbt @ 2018-12-06  6:34 UTC
  To: ruby-core

Issue #15384 has been updated by hsbt (Hiroshi SHIBATA).

Status changed from Open to Assigned
Assignee set to hsbt (Hiroshi SHIBATA)

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-75446

* [ruby-core:91823] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: hsbt @ 2019-03-14  2:48 UTC
  To: ruby-core

Issue #15384 has been updated by hsbt (Hiroshi SHIBATA).

File unify-certification-bundler.patch added

I made a patch that unifies both certificates. I propose it to bundler upstream.

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-77094

---Files--------------------------------
unify-certification-bundler.patch (14.3 KB)

* [ruby-core:91846] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: v.ondruch @ 2019-03-15 10:03 UTC
  To: ruby-core

Issue #15384 has been updated by vo.x (Vit Ondruch).


Is the patch correct? Will it work when RubyGems is updated via `gem update --system`? I have not tested it, just wondering ...

Moreover, I don't understand why Bundler does not use RubyGems facilities for such functionality (but I understand the patch would be probably more complex :) ).

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-77117

* [ruby-core:91847] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: v.ondruch @ 2019-03-15 10:15 UTC
  To: ruby-core

Issue #15384 has been updated by vo.x (Vit Ondruch).


vo.x (Vit Ondruch) wrote:
> Is the patch correct? Will it work when RubyGems are updated via `gem update --system`? I have not tested it, just wondering ...

`Gem::RUBYGEMS_DIR` should probably be used to initialize the `rubygems_certs_dir`

https://github.com/rubygems/rubygems/blob/master/lib/rubygems.rb#L116

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-77118

* [ruby-core:91848] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: v.ondruch @ 2019-03-15 10:21 UTC
  To: ruby-core

Issue #15384 has been updated by vo.x (Vit Ondruch).


There is even `Gem::Request.get_cert_files`

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-77119
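The two RubyGems facilities named in the replies above, `Gem::RUBYGEMS_DIR` and `Gem::Request.get_cert_files`, are enough to answer the packager's question ("which trust anchors are actually shipped, and from where?") and to build one trust store that a second consumer could reuse instead of carrying its own copy. The script below is an added example written for this thread; it is not the attached patch, nor RubyGems' or Bundler's own code. It assumes only that the loaded RubyGems keeps its certificates under `lib/rubygems/ssl_certs/**/*.pem`, which is the pattern `Gem::Request.get_cert_files` globs, so on a distribution that strips the certificates (as the report says Fedora/RHEL do) the list is simply empty and the store falls back to the system CA paths alone.

```ruby
# Added example (not code from the bug thread, RubyGems or Bundler): enumerate the
# CA certificates RubyGems ships, summarise them for review, and build a single
# OpenSSL trust store from the platform CA paths plus those bundled extras.
require "rubygems"
require "rubygems/request"
require "openssl"

# Gem::RUBYGEMS_DIR is the lib dir of the RubyGems that is actually loaded, so a
# directory derived from it keeps tracking the copy installed by
# `gem update --system`. The ssl_certs subpath below is assumed from the glob used
# by Gem::Request.get_cert_files.
def rubygems_certs_dir
  File.join(Gem::RUBYGEMS_DIR, "rubygems", "ssl_certs")
end

# The list RubyGems itself uses; empty when a distro packager removed the certs.
def rubygems_cert_files
  Gem::Request.get_cert_files
end

# One row per certificate: enough for a reviewer to see which trust anchors are
# shipped and whether any are already past their validity.
def summarize_certs(files, now = Time.now)
  files.sort.map do |path|
    cert = OpenSSL::X509::Certificate.new(File.read(path))
    {
      file: File.basename(path),
      subject: cert.subject.to_s,
      not_after: cert.not_after,
      expired: cert.not_after < now,
      self_signed: cert.issuer == cert.subject,
    }
  end
end

# Same pattern RubyGems follows for its own HTTPS connections: start from the
# system default CA paths, then add the bundled PEM files. This is the store a
# second consumer could share instead of maintaining a duplicate cert set.
def build_trust_store(files)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  files.each do |path|
    begin
      store.add_file(path)
    rescue OpenSSL::X509::StoreError
      # Cert already present (e.g. also in the system bundle); harmless.
    end
  end
  store
end

if $PROGRAM_NAME == __FILE__
  files = rubygems_cert_files
  puts "RubyGems dir:  #{Gem::RUBYGEMS_DIR}"
  puts "ssl_certs dir: #{rubygems_certs_dir} (#{files.size} file(s))"
  summarize_certs(files).each do |c|
    status = c[:expired] ? "EXPIRED" : "valid until #{c[:not_after].strftime('%Y-%m-%d')}"
    puts "  #{c[:file]}: #{c[:subject]} [#{status}]"
  end
  build_trust_store(files)
end
```

Run it against a stock Ruby and against a distro-packaged one to compare: the first prints the bundled anchors, the second should print zero files, which is exactly the state the reporter wants to be able to verify in one place rather than two.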

* [ruby-core:91930] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: hsbt @ 2019-03-22 10:22 UTC
  To: ruby-core

Issue #15384 has been updated by hsbt (Hiroshi SHIBATA).


I did update the latest patch: https://github.com/bundler/bundler/pull/7035

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-77262

* [ruby-core:92350] [Ruby trunk Bug#15384] ssl_certs are duplicated in RubyGems and Bundler
From: hsbt @ 2019-04-21  3:11 UTC
  To: ruby-core

Issue #15384 has been updated by hsbt (Hiroshi SHIBATA).

Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN to 2.4: DONTNEED, 2.5: DONTNEED, 2.6: DONTNEED
Status changed from Assigned to Closed

I fixed it at r67539 

----------------------------------------
Bug #15384: ssl_certs are duplicated in RubyGems and Bundler
https://bugs.ruby-lang.org/issues/15384#change-77696
