[Bundler] A new config file for storing credentials

[lfv89]

Problem:

At the moment the ~/.bundle/config stores both credentials and global configuration as well.

This is not ideal for versioning purposes. It does makes sense to version the file because global configurations like BUNDLE_PATH are useful across multiple setups, but it's not safe to do it right now because credentials for accessing private gems (like BUNDLE_GEMS__CONTRIBSYS__COM for Sidekiq) would also be versioned, which is not desirable.

Proposal:

These credentials should go to their own ~/.bundle/credentials file which would greatly help to avoid them getting leaked from public repositories, since there would be no point to version this specifically file.

---

I'd gladly jump into this if the core team finds it worthy.

Let me know what you think.

[indirect]

Thanks for the suggestion! We generally do not recommend checking in the Bundler configuration file, but it might make sense to change our recommendation for the user-level config.

For now, you can work around this issue by setting credentials as env vars: export BUNDLE_GEMS__CONTRIBSYS__COM=secrets will produce the same results as if it were in your user level Bundler config file.

[lfv89]

@indirect

but it might make sense to change our recommendation for the user-level config.

Interesting, would you solve this problem by creating a separated credentials file too? I'd love like to jump into this if we could achieve a minimal viable solution in this thread :thought_balloon:

[indirect]

Personally, I use env vars set by my shell configuration (which I keep checked in) to manage the settings that I want to commit. Do you feel like that is not a satisfactory way to do things, and it would be a worthwhile improvement to implement a second credentials file just to enable checking in the Bundler config file?

[dentarg]

I like the idea of checking in the Bundler config file (.bundle/config), to share Bundler settings for a project between team members, instead of every team member having to configure their shell. I've used it for settings like BUNDLE_CACHE_ALL.

[indirect]

@dentarg the Bundler team absolutely does not endorse checking in a per-app config file. The per-app Bundler config file is full of settings that do not transfer between machines at all, particularly absolute paths, even if you exclude credentials.

If your project has a specific set of Bundler settings, why aren't you setting them inside bin/setup or bin/update, to share those settings across everyone setting up the project?

[dentarg]

@indirect We haven't run into such problems, but it is good to know the reasoning the Bundler team has. I'll try to remember your suggestions about bin/-wrappers. Thanks!

[deivid-rodriguez]

In my opinion, checking in the .bundle/config file is useful for certain things, and a very useful for sharing Bundler settings for a project between team members as @dentarg pointed out. Regarding absolute paths, in most cases relative paths work just fine and use the root of the project as a base.

[lfv89]

hey @indirect,

The env approach works, what I keep thinking is that since bundle config foobar FOO:BAR stores the credentials by default in the bundle config file, unsuspecting people might possibly be affected. Mainly people that version their ~/.bundle/config since it has lots of tweaks that are very interesting to have by default and storing them on a dotfiles repo for future usage is extremely helpful!

Answering your question, I do feel indeed that it could make a bit more sense to store, at the user level, these credentials in a separated credentials file inside the ~/.bundle folder... I'd like to take a stab at it if you think it would make sense to do so.