| author | Toon Claes <toon@gitlab.com> | 2022-06-10 11:38:55 +0300 |
|---|---|---|
| committer | Toon Claes <toon@gitlab.com> | 2022-06-10 14:47:59 +0300 |
| commit | 037e033f846274093ed857aec17c2a5b7a310a96 (patch) | |
| tree | 6c2645f03c58a27ba2b6dd65888f81384b909592 | |
| parent | bdd33f61948e5fa22da595f9b87e7d5032c19c26 (diff) | |
Makefile: Run bundle in frozen mode
Recently security concerns popped up about gems that might get
compromised and get replaced with malicious content.

To mitigate this, the Bundler team recommends[1] using bundler in
--frozen or --deployment mode in CI and during deploys.

We address this by exporting BUNDLE_FROZEN=true in the environment of
the Makefile. This applies to all bundle commands run by make, and will
affect local development and CI.

For omnibus deployments the fix is applied in
omnibus-gitlab@4b18021f9 (Merge branch 'bundle-frozen' into 'master',
2022-05-24). The CNG changes are being made in
https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1053.

[1]: https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79

Issue: https://gitlab.com/gitlab-org/gitaly/-/issues/4225
Changelog: security
| -rw-r--r-- | Makefile | 3 |
|---|---|---|

1 files changed, 3 insertions, 0 deletions
@@ -256,6 +256,9 @@ export PKG_CONFIG_PATH := ${LIBGIT2_INSTALL_DIR}/lib/pkgconfig # Allow the linker flag -D_THREAD_SAFE as libgit2 is compiled with it on FreeBSD export CGO_LDFLAGS_ALLOW = -D_THREAD_SAFE +# Disallow changes to the Gemfile +export BUNDLE_FROZEN = true + # By default, intermediate targets get deleted automatically after a successful # build. We do not want that though: there's some precious intermediate targets # like our `*.version` targets which are required in order to determine whether |
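Review bot: the comment `# Disallow changes to the Gemfile` above `export BUNDLE_FROZEN = true` describes the wrong thing: frozen mode does not stop anyone editing the Gemfile, it makes Bundler refuse to update `Gemfile.lock` when the Gemfile and the lockfile no longer agree, so `bundle install` fails instead of silently resolving new or changed gems. Suggest rewording it to something like `# Refuse to update Gemfile.lock when it is out of sync with the Gemfile` so the next reader understands why a `make` target can suddenly fail. Since the commit message says this also applies to local development, it would also help to document next to this export how a developer regenerates the lockfile on purpose (for example by running `bundle lock`, or `bundle install` with `BUNDLE_FROZEN` unset in the shell) rather than by disabling the setting globally, which would undo the mitigation the commit is adding.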