
RubyGems + Bundler RFCs

RFC for bundler checksum verification #50

Open martinemde opened 1 year ago

martinemde commented 1 year ago

This is a draft based on the feature work in rubygems/rubygems#6374.

deivid-rodriguez commented 10 months ago

Overall my main concern here would be how to roll this out.

I tend to think the safest way to battle test this before making it the default would be:

This would be consistent with how I'm approaching https://github.com/rubygems/rubygems/pull/5700, by applying it only to new lockfiles, and already having a bundle lock --add-platform command to opt in to locking more platforms in an existing lockfile.

martinemde commented 10 months ago

@deivid-rodriguez for the most part this works so smoothly and invisibly that many people may not notice it.

However, for the frozen bundle situation there are some drawbacks. My instinct is that we should fail in that case, but we will hopefully have provided a clear way to avoid the failure by way of messaging how to add all checksums.

Almost all failures will trigger in CI on the "update bundler version" commit. Then everyone will become aware of how frozen impacts the deployment. Then they will run bundle lock, commit again, and they should be good to go.

Please check my assumptions if you disagree.

deivid-rodriguez commented 10 months ago

I think not being sure whether we want to even raise if we find mismatches in frozen mode is a symptom that this should be battle tested with users first for a period.

In my opinion, this feature, when enabled, should be strict. But it should not get in the middle unless something bad is happening. I think there are many edge cases that we may only find once this starts being used by people.

Hence my take of letting people experiment with this first, listen to feedback, fix issues, and only then start enforcing checksums.
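The two behaviours debated in the comments above, failing on a mismatch, and deciding what to do when a frozen bundle has no checksum recorded yet, can be illustrated with a small verifier. The following is an added example written for this page; it is not Bundler's implementation from rubygems/rubygems#6374 and it makes assumptions about the lockfile format (a CHECKSUMS block of "name (version) sha256=<hex>" lines), the error classes, the messages, and the gem payloads, which are constructed strings rather than real .gem files.

```ruby
require "digest"

# Added example, not Bundler's code. Error classes, messages, and the
# simplified CHECKSUMS format below are assumptions made for illustration.
class ChecksumMismatch < StandardError; end
class MissingChecksum < StandardError; end

# Parse a CHECKSUMS-like block of lines "name (version) sha256=<hex>" into
# a Hash keyed by "name-version". Lines that do not match are ignored, so the
# block header and any other lockfile text can be passed in unchanged.
def parse_checksums(text)
  text.each_line.with_object({}) do |line, acc|
    next unless (m = line.match(/^\s*(\S+) \(([^)]+)\) sha256=([0-9a-f]{64})\s*$/))
    acc["#{m[1]}-#{m[2]}"] = m[3]
  end
end

# Render the Hash back into the same block format, sorted for stable diffs.
# This stands in for what a "bundle lock" style write-back would produce.
def render_checksums(checksums)
  lines = checksums.sort.map do |key, hex|
    name, version = key.rpartition("-").values_at(0, 2)
    "  #{name} (#{version}) sha256=#{hex}"
  end
  (["CHECKSUMS"] + lines).join("\n") + "\n"
end

# Verify the bytes of one gem against the recorded checksums.
#   frozen: true  -> a missing checksum is an error: the lockfile is supposed to
#                    be complete and must not be rewritten during install.
#   frozen: false -> a missing checksum is recorded so the lockfile can be
#                    written back (the "opt in, then enforce" rollout).
# A recorded checksum that does not match the downloaded bytes is always an
# error, regardless of mode; that is the "something bad is happening" case.
def verify_gem!(checksums, name, version, gem_bytes, frozen:)
  key = "#{name}-#{version}"
  actual = Digest::SHA256.hexdigest(gem_bytes)
  expected = checksums[key]

  if expected.nil?
    if frozen
      raise MissingChecksum,
            "#{key}: no checksum recorded and the bundle is frozen; " \
            "run `bundle lock` to add checksums, then commit the lockfile"
    end
    checksums[key] = actual
    return :recorded
  end

  unless actual == expected
    raise ChecksumMismatch,
          "#{key}: expected sha256=#{expected}, got sha256=#{actual}"
  end
  :verified
end

# Constructed sample inputs (not real gem files): the "good" payload and a
# tampered copy that differs by one byte.
GOOD_GEM = "constructed bytes standing in for rack-3.0.8.gem".b
TAMPERED_GEM = (GOOD_GEM + "!").b

# Constructed lockfile fragment whose recorded checksum is derived from the
# good payload above, so the example is self-contained and runs offline.
SAMPLE_LOCKFILE = <<~LOCK
  CHECKSUMS
    rack (3.0.8) sha256=#{Digest::SHA256.hexdigest(GOOD_GEM)}
LOCK

# Walk through the four outcomes discussed in the thread and return them.
def run_demo
  checksums = parse_checksums(SAMPLE_LOCKFILE)
  results = {}

  results[:good] = verify_gem!(checksums, "rack", "3.0.8", GOOD_GEM, frozen: true)

  begin
    verify_gem!(checksums, "rack", "3.0.8", TAMPERED_GEM, frozen: true)
  rescue ChecksumMismatch => e
    results[:tampered] = e.class
  end

  begin
    verify_gem!(checksums, "rake", "13.0.6", "constructed rake bytes", frozen: true)
  rescue MissingChecksum => e
    results[:missing_frozen] = e.class
  end

  results[:missing_unfrozen] =
    verify_gem!(checksums, "rake", "13.0.6", "constructed rake bytes", frozen: false)
  results[:rewritten_lockfile] = render_checksums(checksums)
  results
end

puts run_demo[:rewritten_lockfile] if $PROGRAM_NAME == __FILE__
```

The design point worth noticing is that the mode only changes what happens when a checksum is absent; a mismatch is never tolerated, which is the "strict, but stays out of the way unless something bad is happening" behaviour described above. The rewritten lockfile is what a user would commit after the CI failure on the frozen path.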