This repository has been archived by the owner on Apr 14, 2021. It is now read-only.
Outdated version check causes bundle install to fail on FIPS enabled systems #6032
Labels
Comments
|
That seems reasonable, and we should probably have the entire compact index source say that it is not available on FIPS systems |
bundlerbot
added a commit
that referenced
this issue
Jan 2, 2018
[CLI] Skip the outdated bundler check when MD5 is not available ### What was the end-user problem that led to this PR? The problem was Bundler would try to do the outdated version check on FIPS systems, leading to an exception. Closes #6032. ### What was your diagnosis of the problem? My diagnosis was we needed to skip the check when MD5 is unavailable. ### Why did you choose this fix out of the possible options? I chose this fix because using `#available?` would make network requests, which is not acceptable.
bundlerbot
added a commit
that referenced
this issue
Jan 8, 2018
[CLI] Skip the outdated bundler check when MD5 is not available ### What was the end-user problem that led to this PR? The problem was Bundler would try to do the outdated version check on FIPS systems, leading to an exception. Closes #6032. ### What was your diagnosis of the problem? My diagnosis was we needed to skip the check when MD5 is unavailable. ### Why did you choose this fix out of the possible options? I chose this fix because using `#available?` would make network requests, which is not acceptable.
bundlerbot
added a commit
that referenced
this issue
Jan 13, 2018
[CLI] Skip the outdated bundler check when MD5 is not available ### What was the end-user problem that led to this PR? The problem was Bundler would try to do the outdated version check on FIPS systems, leading to an exception. Closes #6032. ### What was your diagnosis of the problem? My diagnosis was we needed to skip the check when MD5 is unavailable. ### Why did you choose this fix out of the possible options? I chose this fix because using `#available?` would make network requests, which is not acceptable.
colby-swandale
pushed a commit
that referenced
this issue
Apr 11, 2018
[CLI] Skip the outdated bundler check when MD5 is not available ### What was the end-user problem that led to this PR? The problem was Bundler would try to do the outdated version check on FIPS systems, leading to an exception. Closes #6032. ### What was your diagnosis of the problem? My diagnosis was we needed to skip the check when MD5 is unavailable. ### Why did you choose this fix out of the possible options? I chose this fix because using `#available?` would make network requests, which is not acceptable. (cherry picked from commit 723608f)
colby-swandale
pushed a commit
that referenced
this issue
Apr 20, 2018
[CLI] Skip the outdated bundler check when MD5 is not available ### What was the end-user problem that led to this PR? The problem was Bundler would try to do the outdated version check on FIPS systems, leading to an exception. Closes #6032. ### What was your diagnosis of the problem? My diagnosis was we needed to skip the check when MD5 is unavailable. ### Why did you choose this fix out of the possible options? I chose this fix because using `#available?` would make network requests, which is not acceptable. (cherry picked from commit 723608f)
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Sep 23, 2018
## 1.16.5 (2018-09-18) Changes: - Add support for TruffleRuby (@eregon) Bugfixes: - Avoid printing git errors when checking the version on incorrectly packaged versions of Bundler ([#6453](rubygems/bundler#6453), @greysteil) - Fix issue where Bundler does not check the given class when comparing equality in DepProxy (@ChrisBr) - Handle `RangeNotSatisfiable` error in Compact Index (@MaxLap) - Check for initialized `search` variable in `LazySpecification` (@voxik) - Fix LoadError occurring in nested bundle exec calls ([#6537](rubygems/bundler#6537), @colby-swandale) - Check that Bundler::Deprecate is not an autoload constant ([#6163](rubygems/bundler#6163), @eregon) - Prefer non-pre-release versions when performing a `bundle update --patch` ([#6684](rubygems/bundler#6684), @segiddins) ## 1.16.4 (2017-08-17) Changes: - Welcome new members to the Bundler core team (@indirect) - Don't mutate original error trees when determining version_conflict_message (@greysteil) - Update vendored Molinillo to 0.6.6 (@segiddins) Bugfixes: - Reword bundle update regression message to be more clear to the user when a gem's version is downgraded ([#6584](rubygems/bundler#6584), @ralphbolo) - Respect --conservative flag when updating a dependency group ([#6560](rubygems/bundler#6560), @greysteil) - Fix issue where a pre-release version was not being selected when it's specified in the Gemfile ([#6449](rubygems/bundler#6449), @akihiro17) - Fix issue where `Etc` was not loaded when getting the user's home dir ([#6640](rubygems/bundler#6640), @colby-swandale) - Use UTF-8 for reading files including Gemfile ([#6660](rubygems/bundler#6660), @eregon) - Remove unnecessary `while` loop in path resolver helper (@ojab) Documentation: - Document that `bundle show [--paths]` sorts results by name (@kemitchell) ## 1.16.3 (2018-07-17) Features: - Support URI::File of Ruby 2.6 (@hsbt) Bugfixes: - Expand symlinks during setup to allow Bundler to load correctly when using symlinks in $GEM_HOME ([#6465](rubygems/bundler#6465), @ojab, @indirect) - Dont let Bundler create temporary folders for gem installs which are owned by root ([#6258](rubygems/bundler#6258), @colby-swandale) - Don't fallback to using temporary directories when needed directories already exist ([#6546](rubygems/bundler#6546), @brodock) - Use SharedHelpers.filesystem_access when reading a Gemfile so friendly error messages can be given to the user ([#6541](rubygems/bundler#6541), @segiddins) - Check if source responds to `#remotes` before printing gem install error message ([#6211](rubygems/bundler#6211), @colby-swandale) - Handle Errno::ENOTSUP in the Bundler Process Lock to prevent exceptions when using NFS mounts ([#6566](rubygems/bundler#6566), @colby-swandale) - Respect encodings when reading gemspecs ([#6598](rubygems/bundler#6598), @deivid-rodriguez) Documentation: - Fix links between manual pages (@BanzaiMan) - Add warning to Gemfile documentation for the use of the `source` option when declaring gems ([#6280](rubygems/bundler#6280), @forestgagnon) ## 1.16.2 (2018-04-20) Changes: - Include the gem's source in the gem install error message when available (@papanikge) - Remove unnecessary executable bit from gem template (@voxik) - Dont add the timestamp comment with gems added to the Gemfile via `bundle add` ([#6193](rubygems/bundler#6193), @cpgo) - Improve yanked gem error message (@alyssais) - Use `Bundler.rubygems.inflate` instead of the Gem::Util method directly (@segiddins) - Remove unused instance variable (@segiddins) Bugfixes: - Only trap INT signal and have Ruby's signal default handler be invoked (@shayonj) - Fix warning about the use of `__FILE__` in RubyGems integration testing (@MSP-Greg) - Skip the outdated bundler check when MD5 is not available ([#6032](rubygems/bundler#6032), @segiddins) - Fallback to the original error if the friendly message raises (@segiddins) - Rename Bundler.frozen? to avoid Object method conflict ([#6252](rubygems/bundler#6252), @segiddins) - Ensure the bindir exists before installing gems (@segiddins) - Handle gzip corruption errors in the compact index client ([#6261](rubygems/bundler#6261), @colby-swandale) - Check if the current directory is writeable when writing files in `bundle gem` ([#6219](rubygems/bundler#6219), @nilsding) - Fix hang when gemspec has incompatible encoding (@deivid-rodriguez) - Gracefully handle when the lockfile is missing spec entries for the current platform ([#6079](rubygems/bundler#6079), @segiddins) - Use Gem::Util.inflate instead of Gem.inflate (@hsbt) - Update binstub generator to use new ERB.new arity in Ruby 2.6 (@koic) - Fix `source_location` call in rubygems integration (@MSP-Greg) - Use `filesystem_access` when copying files in Compact Index Updater ([#6289](rubygems/bundler#6289), @segiddins) - Fail gracefully when resetting git gems to the given revision fails ([#6324](rubygems/bundler#6324), @segiddins) - Handle exceptions that do not have a backtrace ([#6342](rubygems/bundler#6342), @nesaulov) - Check if stderr was closed before writing to it (@shime) - Handle updating a specific gem for a non-local platform ([#6350](rubygems/bundler#6350), @greysteil) - Bump the `bundle_binstub` check-length to 300 characters (@tduffield) - Fix specifying alterntive Lockfile with `bundle lock` when default gemfile is present ([#6460](rubygems/bundler#6460), @agrim123) - Allow installing dependencies when the path is set to `.` ([#6475](rubygems/bundler#6475), @segiddins) - Support Bundler installing on a readonly filesystem without a home directory ([#6461](rubygems/bundler#6461), @grosser) - Filter git uri credentials in source description (@segiddins) Documentation: - Correct typos in `bundle binstubs` man page (@erikj, @samueloph) - Update links in `bundle gem` command documentation to use https (@KrauseFx) - Fix broken links between bundler man pages (@segiddins) - Add man page for the `bundle doctor` command ([#6243](rubygems/bundler#6243), @nholden) - Document `# frozen_string_literal` in `bundle init` Gemfile (@315tky) - Explain the gemspec files attribute in `bundle gem` template and print a link to bundler.io guides when running `bundle gem` ([#6246](rubygems/bundler#6246), @nesaulov) - Small copy tweaks & removed redundant phrasing in the bundler man page (@rubymorillo) - Improve the documentation of the settings load order in Bundler (@rubymorillo) - Added license info to main README (@rubymorillo) - Document parameters and return value of Injector#inject (@tobias-grasse)
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I'm currently trying to get Rails apps installed on a FIPS enabled server, and appreciate the efforts that you've made recently to avoid using MD5 hashes (#4989 and follow-up #5433, along with recent refactor 6e1506f).
However the outdated version check that you introduced in 1.15.0 (1e05d24) is directly using the CompactIndex, and this causes bundle install to fail when FIPS is enabled.
Once I'd figured this out it was easy to fix using the disable_version_check setting (and it makes sense to turn this off anyway in my case).
I wonder though if you'd consider saving others this small pain by skipping the check regardless of the setting on FIPS enabled systems?
Many thanks.
The text was updated successfully, but these errors were encountered: