When using bundler/inline, default source: https://rubygems.org

[ttilberg]

I don't imagine this is a new idea, but I haven't found discussion of it anywhere.

When using bundler/inline, you have to specify a source directive. Are there reasons to not use https://rubygems.org if it's left unspecified? Is it something we can add?

It seems like unnecessary overhead when inlining a gemfile, prone to typos and errors, and otherwise taking up lines of code that seem like it should be handled by the framework above.

Example:

require 'bundler/inline'
gemfile {source 'rubygems.org'; gem 'nokogiri'}
#                ^-- missing protocol, seems like it should be a default value anyway?

[hsbt]

I also prefer to set "https://rubygems.org" as a default. But We have concern to prevent to supply-chain attack by implicitly source of rubygems.

[ttilberg]

Ah… the concern is that this string becomes stored in a well-known location, and therefor becomes ripe for manipulation in a hard-to-discover way. That makes sense. Shucks.

Thanks for the reply, and all your work in Ruby!