Bundler CHECKSUMS

tnir
May 09, 2025

@tnir - 2025-05-09 - RubyKaigi 2025 A.E.

Transcript

  1. #after_rubykaigi @tn961ir @tnir (Takuya N)

     • Ruby 25y
     • Rails 18y
     • GitLab (fully made with Ruby) Core Team (2015-)
     • geminabox / nronn maintainer
     • Bundler / forem (dev.to) contributor
     • CTO at B2B SaaS sponsoring RubyKaigi 2023-2024-2025, Kaigi on Rails 2023/2024, Rails Girls Japan 2023-2024
     • https://github.com/ruby/ruby
  2. Me with RubyKaigis

     • Nearly first timer
       ◦ Effectively my first time attending
     • Was at the venue
       ◦ For RubyKaigi 2024 I went to Naha but could not get into the session zone (even with a regular ticket; due to time constraints)
     • On-site: 7 members from our team
       ◦ 5 members (registered) in this RubyKaigi 2025 AFTER EVENT
     • Had troubles since Bundler 2.0 (Jan 2019) (= Ruby 2.6)
       ◦ Interested in RubyGems/Bundler (RGB)
       ◦ grep -i "gem" RubyKaigi2025 # → 2
       ◦ grep -i "bundler" RubyKaigi2025 # → 0
  5. Me with RubyKaigis

     • Nearly first timer
       ◦ Effectively my first time attending
     • Was at the venue
       ◦ For RubyKaigi 2024 I went to Naha but could not get into the session zone (even with a regular ticket; due to time constraints)
     • On-site: 7 members from our team
       ◦ 5 members (registered) in this RubyKaigi 2025 AFTER EVENT
     • Had troubles since Bundler 2.0 (Jan 2019) (= Ruby 2.6)
       ◦ Interested in RubyGems/Bundler (RGB)
       ◦ grep -i "gem" RubyKaigi2025 # → 2 (Fat Gem + GO Gem)
       ◦ grep -i "bundler" RubyKaigi2025 # → 0
  6. You’ll see the following when the checksum matches…

     ```
     $ bundle install
     Fetching gem metadata from https://rubygems.org/..........
     [...]
     Bundle complete! 1234 Gemfile dependencies, 5678 gems now installed.
     Use `bundle info [gemname]` to see where a bundled gem is installed.
     # => done
     ```
  7. You’ll see the following when the checksum does not match…

     ```
     $ bundle install
     Fetching gem metadata from https://rubygems.org/..........
     Bundler found mismatched checksums. This is a potential security risk.
       aws-sdk-core (3.223.0) sha256=d8c309116787cd24fb32095da4fa94d1f76e26baea705eabb66aa4585e8d8c78
         from the lockfile CHECKSUMS at Gemfile.lock:1114:26
       aws-sdk-core (3.223.0) sha256=d8c309116787cd24fb32095da4fa94d1f76e26baea705eabb66aa4585e8d8c77
         from the API at https://rubygems.org/

     If you trust the API at https://rubygems.org/, to resolve this issue you can:
       1. remove the matching checksum in Gemfile.lock:1114:26
       2. run `bundle install`

     To ignore checksum security warnings, disable checksum validation with
       `bundle config set --local disable_checksum_validation true`
     ```
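
The comparison behind the two outputs above, as an added example (not code from the slides or from Bundler): it parses the `CHECKSUMS` section of a lockfile and checks each pinned SHA-256 against the digest of the fetched `.gem` bytes, reporting the lockfile line on a mismatch. The gem names, byte strings and lockfile text are constructed sample data, and the helper names `parse_lockfile_checksums` and `verify_gems` are hypothetical.

```ruby
require "digest"
# Parse CHECKSUMS into { "name (version)" => { sha256: hex_or_nil, line: lineno } }.
def parse_lockfile_checksums(lockfile_text)
  sums = {}
  in_section = false
  lockfile_text.each_line.with_index(1) do |line, lineno|
    if line.start_with?("CHECKSUMS")
      in_section = true
    elsif in_section && (m = line.match(/\A  (\S+) \(([^)]+)\)(?: sha256=(\h{64}))?\s*\z/))
      sums["#{m[1]} (#{m[2]})"] = { sha256: m[3], line: lineno }
    elsif in_section && line !~ /\A\s/
      in_section = false # an unindented line starts the next section
    end
  end
  sums
end

# Hash the fetched .gem bytes (fetched: { "name (version)" => bytes }) and compare with the pin.
def verify_gems(lockfile_text, fetched)
  locked = parse_lockfile_checksums(lockfile_text)
  fetched.map do |spec, bytes|
    actual = Digest::SHA256.hexdigest(bytes)
    pinned = locked.dig(spec, :sha256)
    status = if pinned.nil? then :unpinned # no digest recorded: nothing to verify against
             elsif pinned == actual then :ok
             else :mismatch
             end
    { spec: spec, status: status, line: locked.dig(spec, :line) }
  end
end

# Constructed sample data: stand-in bytes, not real gems.
FETCHED = {
  "demo-a (1.0.0)" => "constructed bytes for demo-a",
  "demo-b (2.0.0)" => "constructed bytes for demo-b",
  "demo-c (3.0.0)" => "constructed bytes for demo-c",
}.freeze
GOOD = Digest::SHA256.hexdigest(FETCHED["demo-a (1.0.0)"])
BAD  = Digest::SHA256.hexdigest(FETCHED["demo-b (2.0.0)"]).tr("0-9a-f", "1-9a-f0") # altered digest
SAMPLE_LOCK = <<~LOCK
  PLATFORMS
    ruby

  CHECKSUMS
    demo-a (1.0.0) sha256=#{GOOD}
    demo-b (2.0.0) sha256=#{BAD}
    demo-c (3.0.0)
LOCK
verify_gems(SAMPLE_LOCK, FETCHED).each { |r| puts "#{r[:status]} #{r[:spec]} (line #{r[:line]})" }
```

An entry with no `sha256=` value is reported as `:unpinned` rather than `:ok`, since there is no recorded digest to compare against.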