Diffstat (limited to 'doc/development/gemfile.md')
-rw-r--r-- doc/development/gemfile.md | 36
1 files changed, 35 insertions, 1 deletions
diff --git a/doc/development/gemfile.md b/doc/development/gemfile.md index dd687763356..7d3531afb49 100644 --- a/doc/development/gemfile.md +++ b/doc/development/gemfile.md @@ -6,9 +6,43 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Gemfile guidelines -When adding a new entry to `Gemfile` or upgrading an existing dependency pay +When adding a new entry to `Gemfile`, or upgrading an existing dependency pay attention to the following rules. +## Bundler checksum verification + +In [GitLab 15.5 and later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/98508), gem +checksums are checked before installation. This verification is still +experimental so it is only active for CI. + +If the downloaded gem's checksum does not match the checksum record in +`Gemfile.checksum`, you will see an error saying that Bundler cannot continue +installing a gem because there is a potential security issue. + +You will see this error as well if you updated, or added a new gem without +updating `Gemfile.checksum`. To fix this error, +[update the Gemfile.checksum](#updating-the-checksum-file). + +You can opt-in to this verification locally by setting the +`BUNDLER_CHECKSUM_VERIFICATION_OPT_IN` environment variable: + +```shell +export BUNDLER_CHECKSUM_VERIFICATION_OPT_IN=1 +bundle install +``` + +### Updating the checksum file + +This needs to be done for any new, or updated gems. + +1. When updating `Gemfile.lock`, make sure to also update `Gemfile.checksum` with: + + ```shell + bundle exec bundler-checksum init + ``` + +1. Check and commit the changes for `Gemfile.checksum`. + ## No gems fetched from Git repositories We do not allow gems that are fetched from Git repositories. All gems have |
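Review bot: In the "Updating the checksum file" steps of this hunk, step 2 ("Check and commit the changes for `Gemfile.checksum`") never says what to check, and step 1 gives `bundle exec bundler-checksum init` as the way to update the file without saying where the new checksum values come from; since the section motivates the file as the record that a downloaded gem is compared against, a reader cannot tell whether committing the resulting diff re-establishes that record from a trusted source or merely writes down whatever was fetched. Suggest adding a sentence naming what the new or changed entries should be compared against before committing, and noting that only entries for gems touched in `Gemfile.lock` are expected to change. Minor wording in the same hunk: the comma added to the existing sentence lands in the wrong place ("to `Gemfile`, or upgrading an existing dependency pay attention" should read "...existing dependency, pay attention"); "You can opt-in to this verification" needs the verb form "opt in"; and "if you updated, or added a new gem" and "for any new, or updated gems" each have a stray comma before "or".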