Bug 997179

Summary: RFE: install /etc/gemrc to install gems via https rather than http
Product: [Fedora] Fedora
Reporter: Vincent Danen <vdanen>
Component: rubygems
Assignee: Vít Ondruch <vondruch>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: mastahnke, mtasaka, vanmeeuwen+fedora, vondruch
Doc Type: Bug Fix
Last Closed: 2013-08-15 08:40:47 UTC
Type: Bug

Description Vincent Danen 2013-08-14 20:51:13 UTC
As noted in Novell's bug report [1], gem will install ruby gems via http:// when it could do so via https://.  I checked and on Fedora 18 at least, with no /etc/gemrc, the install is done via http:

 sudo gem install --verbose haml
[sudo] password for vdanen:
GET http://rubygems.org/latest_specs.4.8.gz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET http://bb-m.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
302 Moved Temporarily
GET http://production.cf.rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET http://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET http://production.cf.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

However, by having an /etc/gemrc installed by default with the following contents:

% cat /etc/gemrc
:sources:
- https://rubygems.org

We can have the gems retrieved via https:

 sudo gem install --verbose haml
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
304 Not Modified
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

This isn't a flaw, precisely, but it would be a good hardening step to ensure we get gems installed via https.

[1] https://bugzilla.novell.com/show_bug.cgi?id=834785
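
Added example, not part of the original report or of RubyGems: a Ruby check that lists gemrc sources not served over https and pulls every plaintext request, redirect targets included, out of `gem install --verbose` output. The function names and the gems.example.test mirror are assumptions made for illustration; the log excerpt is taken from the Fedora 18 output above.

```ruby
require "yaml"
require "uri"

# Sources listed under :sources: in a gemrc document, or nil when the key is
# absent (RubyGems then uses its built-in default source).
def gemrc_sources(gemrc_text)
  config = YAML.safe_load(gemrc_text, permitted_classes: [Symbol])
  return nil unless config.is_a?(Hash)
  sources = config[:sources] || config["sources"]
  sources && Array(sources).map(&:to_s)
end

# True only for a well-formed https:// URL.
def https_url?(url)
  URI.parse(url).scheme == "https"
rescue URI::InvalidURIError
  false
end

# Sources in a gemrc that would be fetched without TLS.
def insecure_sources(gemrc_text)
  (gemrc_sources(gemrc_text) || []).reject { |s| https_url?(s) }
end

# Every URL that `gem install --verbose` output shows being requested without
# TLS. Redirect targets count: an https source can still bounce to http.
def plaintext_fetches(verbose_output)
  urls = verbose_output.scan(/^(?:GET|HEAD)\s+(\S+)/).flatten
  urls.reject { |u| https_url?(u) }.uniq
end

# Excerpt of the Fedora 18 output quoted in the description above.
F18_LOG = <<~LOG
  GET http://rubygems.org/latest_specs.4.8.gz
  200 OK
  GET http://rubygems.org/gems/tilt-1.4.1.gem
  302 Moved Temporarily
  GET http://production.cf.rubygems.org/gems/tilt-1.4.1.gem
  200 OK
LOG

PROPOSED_GEMRC = ":sources:\n- https://rubygems.org\n"
# Constructed counter-example: a gemrc that mixes in a plaintext mirror.
MIXED_GEMRC = ":sources:\n- https://rubygems.org\n- http://gems.example.test\n"

if __FILE__ == $PROGRAM_NAME
  puts "proposed gemrc, insecure sources: #{insecure_sources(PROPOSED_GEMRC).inspect}"
  puts "mixed gemrc, insecure sources:    #{insecure_sources(MIXED_GEMRC).inspect}"
  puts "plaintext fetches in F18 log:     #{plaintext_fetches(F18_LOG).inspect}"
end
```

A nil result from gemrc_sources means the file does not pin a source, so the transport depends on the RubyGems default, which is what differs between the F18 and F19 outputs in this report.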

Comment 1 Vít Ondruch 2013-08-15 08:40:47 UTC
This is how it looks on my F19:

$ GEM_HOME=~/https gem install --verbose haml
HEAD https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
HEAD https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

I guess this behavior changed with RubyGems 2.0, so F19+ are OK. I don't consider it worth the effort to change the behavior on F18, but I won't object if anyone else wants to do it.

Comment 2 Vincent Danen 2013-08-15 20:53:35 UTC
If F19+ is ok (haven't installed it yet so can't test), then I'm not overly worried about F18.  Thanks for looking.