Bug 997179 - RFE: install /etc/gemrc to install gems via https rather than http
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rubygems
Version: 18
Assigned To: Vít Ondruch
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-08-14 16:51 EDT by Vincent Danen
Modified: 2013-08-15 16:53 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-15 04:40:47 EDT
Type: Bug


Description Vincent Danen 2013-08-14 16:51:13 EDT
As noted in Novell's bug report [1], gem will install ruby gems via http:// when it could do so via https://.  I checked and on Fedora 18 at least, with no /etc/gemrc, the install is done via http:

 sudo gem install --verbose haml
[sudo] password for vdanen:
GET http://rubygems.org/latest_specs.4.8.gz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET http://bb-m.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
302 Moved Temporarily
GET http://production.cf.rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET http://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET http://production.cf.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

However, by having an /etc/gemrc installed by default with the following contents:

% cat /etc/gemrc
:sources:
- https://rubygems.org

We can have the gems retrieved via https:

 sudo gem install --verbose haml
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
304 Not Modified
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

This isn't a flaw, precisely, but it would be a good hardening step to ensure we get gems installed via https.

[1] https://bugzilla.novell.com/show_bug.cgi?id=834785
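
A check for the hardening described in the report above, added here as an example (not code from this bug or from RubyGems): it flags non-https entries under `:sources:` in gemrc text and lists URLs that `gem install --verbose` output shows being fetched without https. The function names and the sample inputs are assumptions constructed for illustration.

```ruby
require "yaml"
require "uri"

# True only for a well-formed https:// URL with a host.
def https_url?(value)
  uri = URI.parse(value.to_s.strip)
  uri.is_a?(URI::HTTPS) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Entries under :sources: in gemrc text that are not https URLs.
# Returns nil when no sources are set, i.e. gem uses its built-in default
# (http on the Fedora 18 system in the report).
def insecure_gemrc_sources(gemrc_text)
  config = YAML.safe_load(gemrc_text, permitted_classes: [Symbol])
  sources = config.is_a?(Hash) ? config[:sources] : nil
  return nil if sources.nil?
  Array(sources).reject { |src| https_url?(src) }
end

# URLs that `gem install --verbose` output shows being requested without
# https, redirect targets included.
def cleartext_fetches(verbose_output)
  urls = verbose_output.each_line.map do |line|
    match = line.match(/\A\s*(?:GET|HEAD)\s+(\S+)/)
    match[1] if match && !https_url?(match[1])
  end
  urls.compact.uniq
end

# Constructed inputs: a gemrc with one http source, and four lines in the
# format of the report's first transcript.
SAMPLE_GEMRC = ":sources:\n- http://rubygems.org\n- https://rubygems.org\n"
SAMPLE_LOG = <<~LOG
  GET http://rubygems.org/gems/tilt-1.4.1.gem
  302 Moved Temporarily
  GET http://production.cf.rubygems.org/gems/tilt-1.4.1.gem
  200 OK
LOG

if __FILE__ == $PROGRAM_NAME
  p insecure_gemrc_sources(SAMPLE_GEMRC)
  p cleartext_fetches(SAMPLE_LOG)
end
```

A `nil` result from `insecure_gemrc_sources` means the file does not pin any source, so the transcript check is the one that shows what the installed gem command actually does.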
Comment 1 Vít Ondruch 2013-08-15 04:40:47 EDT
This is how it looks on my F19:

$ GEM_HOME=~/https gem install --verbose haml
HEAD https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
HEAD https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

I guess this behavior changed with RubyGems 2.0, so F19+ are OK. I don't consider it worth the effort to change the behavior on F18, but I won't object if anyone else wants to do it.
Comment 2 Vincent Danen 2013-08-15 16:53:35 EDT
If F19+ is ok (haven't installed it yet so can't test), then I'm not overly worried about F18.  Thanks for looking.
