I'm a bit concerned about the heavy use of 'gem install'. It doesn't appear that there is any way to restrict gem install to using https in its dependency resolution/downloads. This puts users at risk of MITM attacks and is against policy for that very reason.
One way to go is to explicitly download the needed gem files from rubygems.org via https. So
wget https://rubygems.org/downloads/bundler-1.2.1.gem
gem install bundler-1.2.1.gem
But, even better would be if we could just tell 'gem install' to *only* use https.
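A shell helper, added here and not part of the original comment, that implements the download-then-install workaround above: it refuses anything but an https URL, pins the protocol through redirects, checks a SHA-256 digest, and installs with --local so the install step itself makes no remote requests. It assumes curl, sha256sum and gem are on PATH; the checksum argument is a placeholder to be replaced with the published digest.

```shell
#!/bin/sh
# Added example (not from the original review thread): fetch a gem over
# HTTPS only and install it from the local file, so neither the download
# nor the install step touches plain HTTP.
# Assumes curl, sha256sum and gem are on PATH.

RUBYGEMS_BASE="https://rubygems.org/downloads"

# Build the download URL for NAME-VERSION.gem.
gem_url() {
    printf '%s/%s-%s.gem\n' "$RUBYGEMS_BASE" "$1" "$2"
}

# Return 0 only when the URL uses the https scheme.
is_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Download URL to OUT, refusing any scheme other than https. curl's
# --proto / --proto-redir also block a redirect that drops to http.
fetch_https() {
    url="$1"; out="$2"
    is_https_url "$url" || { echo "refusing non-https URL: $url" >&2; return 1; }
    curl --fail --silent --show-error \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$out" "$url"
}

# Verify FILE against an expected SHA-256 hex digest.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Full workflow: fetch, verify, then install from the local file only.
install_gem_https() {
    name="$1"; version="$2"; expected_sha="$3"
    file="$name-$version.gem"
    fetch_https "$(gem_url "$name" "$version")" "$file" || return 1
    verify_sha256 "$file" "$expected_sha" || {
        echo "checksum mismatch for $file" >&2; rm -f "$file"; return 1; }
    # --local: do not contact any remote source during installation.
    gem install --local "$file"
}

# Example invocation (the checksum is a placeholder; replace before use):
# install_gem_https bundler 1.2.1 "<sha256 of bundler-1.2.1.gem>"
```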