[2.0] Remove RubyGems Aggregate & support transitive source pinning

[segiddins]

What was the end-user problem that led to this PR?

The problem was that the resolver could resolve specs from any of the sources specified in the Gemfile, even if that source had nothing to do with the spec in question. This was such a large security vulnerability that, when discovered, it warranted a CVE and its own minor release of Bundler.

Closes #3671.
Closes #3696.
Closes #4059.

Was was your diagnosis of the problem?

My diagnosis was that we needed to get rid of the notion of a rubygems aggregate and enforce that specs could only come either from the source they were declared to come from (the top-level source if declared at the top-level of the Gemfile, else a scoped source), or a source that it transitively "inherited" from the gems that required it.

What is your fix for the problem, implemented in this PR?

My fix is to disable multiple top-level sources in the Gemfile, remove the RubyGems aggregate, and filter the sources gems could come from as described above.

Why did you choose this fix out of the possible options?

I chose this fix because it allows doing the filtering in a reasonably performant manner, and refactors the way we handle sources to abstract some of the grossness in such a way that the machinations to make sure that all of the necessary gem info is downloaded is encapsulated into a single method, driven from the definition, rather than being specific to rubygems sources.

See #4714 and #4930 for the prior implementation.

[attritionorg]

@segiddins "it warranted a CVE and its own minor release of Bundler" I know the CVE, but don't think I ever saw the versions impacted and the first fixing version. Can you provide that info? Thanks!

[segiddins]

but don't think I ever saw the versions impacted and the first fixing version

https://bundler.io/v1.7/whats_new.html

[indirect]

@bundlerbot r+

[bundlerbot]

📌 Commit 9181c06 has been approved by indirect

[segiddins]

@bundlerbot r-
I'd like to get the specs running on 2.0 mode first, if that's ok with you? Since I have a hunch this change in particular might break tests

[indirect]

👍

[segiddins]

There's an off-chance this will pass now, so please review :)

[indirect]

This is looking good, and I'm super happy with the metadata source 🙌🏻

[indirect]

please append inside the branches rather than indenting the whole conditional 👍🏻

[segiddins]

Passing for Bundler 1, down to 5 failures for Bundler 2 (I don't know how I keep on missing them locally, I'm sorry)

[colby-swandale]

nothing to be sorry about 😄

[TimMoore]

Phew! Nice work!

[segiddins]

Have two 👍, so going to merge this.

@bundlerbot r+

[bundlerbot]

📌 Commit 4dcd333 has been approved by segiddins

[bundlerbot]

⌛ Testing commit 4dcd333 with merge 87352ed...

[bundlerbot]

☀️ Test successful - status-travis
Approved by: segiddins
Pushing 87352ed to master...

[Benjamin-Dobell]

EDIT: My apologies, I'm running into issues with bundler 1.16.1, so I've removed the specifics of my issue (although related to transitive dependency source resolution). Knowing that I'll be moving to 2.0 once released, then I'd be happy to know the correct syntax to utilise for transitive dependency sources once 2.0 is released.

How would specify the preferred source for transitive dependencies?

e.g.

We have a dependency on some-gem, but some-gem has a dependency on private-gem. How do I ensure that Bundler correctly gets private-gem from my private Gem repository and not Rubygems?

Would something like the following work...?

source 'https://rubygems.org'

source 'https://myprivaterepository' do
  gem 'some-gem', git: 'https://myforkongithub'
end