Verify gem checksums against committed file
What does this MR do and why?
Require gems to match the checksum in Gemfile.checksum before they can be installed.
Due to this being experimental, this verification will be active when an env var is set.
I have set the env var BUNDLER_CHECKSUM_VERIFICATION_OPT_IN in project settings.
Related issue: #361737 (closed)
Screenshots or screen recordings
What a checksum failure will look like:
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Thong Kuah
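The check described in this MR, sketched as an added example; this is not the MR's code. Assumptions: the committed file is a JSON array of name/version/platform/checksum entries with SHA-256 hex digests, any non-empty value of the variable counts as opted in, and `load_checksums`, `verify_gem!` and `ChecksumMismatch` are hypothetical names.

```ruby
require "digest"
require "json"

OPT_IN_VAR = "BUNDLER_CHECKSUM_VERIFICATION_OPT_IN" # name taken from the MR description

class ChecksumMismatch < StandardError; end

# Assumed file layout: JSON array of {name, version, platform, checksum (SHA-256 hex)}.
def load_checksums(json_text)
  JSON.parse(json_text).to_h do |e|
    [[e.fetch("name"), e.fetch("version"), e.fetch("platform")], e.fetch("checksum")]
  end
end

# Returns :skipped when the opt-in variable is unset or empty (assumed semantics),
# :verified on a match; raises for an unlisted gem or a digest mismatch, so an
# install step calling this before unpacking fails closed.
def verify_gem!(checksums, name, version, platform, gem_bytes, env: ENV)
  return :skipped if env[OPT_IN_VAR].to_s.empty?

  expected = checksums[[name, version, platform]]
  raise ChecksumMismatch, "#{name} #{version} (#{platform}) has no committed checksum" unless expected

  actual = Digest::SHA256.hexdigest(gem_bytes)
  return :verified if actual == expected.downcase

  raise ChecksumMismatch, "#{name} #{version}: expected #{expected}, got #{actual}"
end

# Constructed sample data: stand-in bytes for a .gem file and a checksum file listing them.
SAMPLE_GEM = "constructed stand-in for examplegem-1.0.0.gem".b
SAMPLE_CHECKSUM_FILE = JSON.generate([
  { name: "examplegem", version: "1.0.0", platform: "ruby",
    checksum: Digest::SHA256.hexdigest(SAMPLE_GEM) }
])
CHECKSUMS = load_checksums(SAMPLE_CHECKSUM_FILE)

if $PROGRAM_NAME == __FILE__
  opted_in = { OPT_IN_VAR => "1" }
  puts verify_gem!(CHECKSUMS, "examplegem", "1.0.0", "ruby", SAMPLE_GEM, env: opted_in)
  begin
    verify_gem!(CHECKSUMS, "examplegem", "1.0.0", "ruby", SAMPLE_GEM + "x", env: opted_in)
  rescue ChecksumMismatch => e
    puts "blocked: #{e.message}"
  end
end
```

Treating an unlisted gem as a failure matters as much as the digest comparison: a new dependency that never made it into the committed file would otherwise install unverified.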