Bug 997179 - RFE: install /etc/gemrc to install gems via https rather than http
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: rubygems
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Vít Ondruch
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-08-14 20:51 UTC by Vincent Danen
Modified: 2013-08-15 20:53 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-08-15 08:40:47 UTC
Type: Bug

Description Vincent Danen 2013-08-14 20:51:13 UTC
As noted in Novell's bug report [1], gem will install ruby gems via http:// when it could do so via https://.  I checked and on Fedora 18 at least, with no /etc/gemrc, the install is done via http:

 sudo gem install --verbose haml
[sudo] password for vdanen:
GET http://rubygems.org/latest_specs.4.8.gz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET http://bb-m.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
302 Moved Temporarily
GET http://production.cf.rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET http://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET http://production.cf.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

However, by having an /etc/gemrc installed by default with the following contents:

% cat /etc/gemrc
:sources:
- https://rubygems.org

We can have the gems retrieved via https:

 sudo gem install --verbose haml
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
304 Not Modified
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

This isn't a flaw, precisely, but it would be a good hardening step to ensure we get gems installed via https.

[1] https://bugzilla.novell.com/show_bug.cgi?id=834785
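
Added example (not part of the original report and not RubyGems code): a Ruby check that audits gemrc contents for non-https sources and scans `gem install --verbose` output for fetches made without TLS. The function and constant names are hypothetical, the gemrc samples are constructed, and the log excerpt is taken from the Fedora 18 output quoted in the report.

```ruby
require "yaml"
require "uri"

def https?(url)
  URI.parse(url).scheme == "https"
rescue URI::InvalidURIError
  false
end

# Non-https sources in a gemrc. nil means no source list is configured, so
# RubyGems uses its built-in default (http on the Fedora 18 box in the report).
def insecure_gemrc_sources(gemrc_text)
  doc = YAML.safe_load(gemrc_text, permitted_classes: [Symbol])
  return nil unless doc.is_a?(Hash)
  # gemrc writes the key as the symbol :sources; a plain "sources" key is read
  # too so the audit does not skip it (assumption of this example).
  sources = doc[:sources] || doc["sources"]
  return nil if sources.nil?
  Array(sources).map(&:to_s).reject { |s| https?(s) }
end

# Every URL fetched without TLS in `gem install --verbose` output,
# redirect targets included.
def plaintext_fetches(verbose_output)
  verbose_output.each_line.map do |line|
    m = line.match(/\A\s*(?:GET|HEAD)\s+(\S+)/)
    m[1] if m && !https?(m[1])
  end.compact
end

# Constructed samples: the gemrc proposed in the report, and a mixed one.
GEMRC_HARDENED = ":sources:\n- https://rubygems.org\n"
GEMRC_MIXED    = ":sources:\n- http://rubygems.org\n- https://rubygems.org\n"

# Excerpt of the Fedora 18 output quoted in the report.
F18_LOG = <<~LOG
  GET http://rubygems.org/latest_specs.4.8.gz
  200 OK
  GET http://rubygems.org/gems/tilt-1.4.1.gem
  302 Moved Temporarily
  GET http://production.cf.rubygems.org/gems/tilt-1.4.1.gem
LOG

if __FILE__ == $PROGRAM_NAME
  p insecure_gemrc_sources(GEMRC_HARDENED)
  p insecure_gemrc_sources(GEMRC_MIXED)
  p plaintext_fetches(F18_LOG)
end
```

A nil result from the gemrc audit is worth treating as a finding on its own, since it means the transport depends on whatever default the installed RubyGems version ships with.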

Comment 1 Vít Ondruch 2013-08-15 08:40:47 UTC
This is how it looks on my F19:

$ GEM_HOME=~/https gem install --verbose haml
HEAD https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
HEAD https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

I guess this behavior changed with RubyGems 2.0, so F19+ are OK. I don't consider it worth the effort to change the behavior on F18, but I won't object if anyone else wants to do it.

Comment 2 Vincent Danen 2013-08-15 20:53:35 UTC
If F19+ is ok (haven't installed it yet so can't test), then I'm not overly worried about F18.  Thanks for looking.

