Recently I created a new Rails 5 app, without a git repository. The auto-generated Gemfile contains a new block I had not seen before:
git_source(:github) do |repo_name| repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/") "https://github.com/#{repo_name}.git" end
What's the meaning of it? Is it mandatory for every new app?
A Gemfile describes the gem dependencies required to execute associated Ruby code. Place the Gemfile in the root of the directory containing the associated code. For instance, in a Rails application, place the Gemfile in the same directory as the Rakefile .
You should always include your Gemfile. lock if you are writing an application. The community seems to (largely) agree that you should include it in any Gems you create as well.
Its a workaround for a bug in Bundler which can cause sources from github to be loaded via HTTP and not HTTPS - which makes it vulnerable to man in the middle attacks.
git_source
adds a source which you can use so that the gem is downloaded from a git repository instead of a package from rubygems.org
.
git_source(:github) do |repo_name| repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/") "https://github.com/#{repo_name}.git" end
Would make it so that when you declare:
gem 'foo_bar', :github => 'foo/bar'
Bundler would attempt to download the gem from https://github.com/foo/bar.git
.
Since fixing this would be a breaking change as it would invalidate any existing Gemfile.lock it is fixed in Bundler 2.x. At that point it should be safe to remove this workaround.
The Bundler :github directive will fetch from git://github.com/#{repo_name}.git
(source), which uses the insecure http
protocol.
This is due to be fixed in future Bundler versions but this snippet is added to the top of the Gemfile to ensure https
is used in Bundler 1.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With