
Verify gem checksums against committed file

Thong Kuah requested to merge bundler-checksum-verify into master

What does this MR do and why?

Require gems to match the checksum in Gemfile.checksum before they can be installed.

Due to this being experimental, this verification will be active when an env var is set.

I have set the env var BUNDLER_CHECKSUM_VERIFICATION_OPT_IN in project settings.

Related issue: #361737 (closed)

Screenshots or screen recordings

How a checksum failure will look:

[Screenshot: Screen_Shot_2022-09-21_at_8.22.44_PM]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Thong Kuah
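The verification the MR describes, as an added stand-alone example rather than the MR's own code: each gem's SHA256 is compared against the entry committed for it in Gemfile.checksum, and the check is skipped unless BUNDLER_CHECKSUM_VERIFICATION_OPT_IN is set. The JSON layout of the checksum file, the constructed checksum entry and the function names are assumptions for this example.

```ruby
require "digest"
require "json"

# Constructed stand-in for a committed Gemfile.checksum. Assumed format:
# a JSON array of {name, version, platform, checksum} with hex SHA256 values.
CHECKSUM_FILE = JSON.generate([
  { "name" => "example_gem", "version" => "1.0.0", "platform" => "ruby",
    "checksum" => Digest::SHA256.hexdigest("example_gem-1.0.0 contents") }
])

class ChecksumMismatch < StandardError; end
class ChecksumMissing < StandardError; end

# Opt-in gate: verification only runs when the env var is present (assumed
# semantics: any non-empty value enables it).
def verification_enabled?(env = ENV)
  !env["BUNDLER_CHECKSUM_VERIFICATION_OPT_IN"].to_s.empty?
end

# Index the committed checksums by (name, version, platform).
def load_checksums(json_text)
  JSON.parse(json_text).each_with_object({}) do |entry, acc|
    acc[[entry["name"], entry["version"], entry["platform"]]] = entry["checksum"]
  end
end

# Verify one downloaded gem before installation. Returns :skipped when the
# opt-in env var is unset, :verified on a match, and raises otherwise. A gem
# with no committed entry is treated as a failure, not silently accepted.
def verify_gem!(name:, version:, gem_bytes:, checksums:, platform: "ruby", env: ENV)
  return :skipped unless verification_enabled?(env)

  expected = checksums[[name, version, platform]]
  raise ChecksumMissing, "#{name}-#{version} (#{platform}) not in Gemfile.checksum" unless expected

  actual = Digest::SHA256.hexdigest(gem_bytes)
  if actual != expected
    raise ChecksumMismatch, "#{name}-#{version}: expected #{expected}, got #{actual}"
  end
  :verified
end
```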
