[rubygems/rubygems] Switch lockfile_checksums to be true by default

https://github.com/rubygems/rubygems/commit/47c3dc19ee Co-authored-by: Jonathan Barquero <jonbarlo@hotmail.com>
2026-01-27 04:24:23 +00:00 · 2025-09-09 19:20:53 +02:00 · 2025-09-09 19:20:53 +02:00 · 44a4f88159
commit 44a4f88159
parent 23fb4d5020
7 changed files with 43 additions and 8 deletions
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@ -136,7 +136,7 @@ module Bundler
        @locked_sources = []
        @originally_locked_specs = @locked_specs
        @originally_locked_sources = @locked_sources
-        @locked_checksums = Bundler.feature_flag.lockfile_checksums?
+        @locked_checksums = Bundler.settings[:lockfile_checksums]
      end

      @unlocking_ruby ||= if @ruby_version && locked_ruby_version_object
--- a/lib/bundler/feature_flag.rb
+++ b/lib/bundler/feature_flag.rb
@ -29,7 +29,6 @@ module Bundler

    settings_flag(:cache_all) { bundler_4_mode? }
    settings_flag(:global_gem_cache) { bundler_5_mode? }
-    settings_flag(:lockfile_checksums) { bundler_4_mode? }
    settings_flag(:plugins) { @bundler_version >= Gem::Version.new("1.14") }
    settings_flag(:update_requires_all_flag) { bundler_5_mode? }

--- a/lib/bundler/man/bundle-config.1
+++ b/lib/bundler/man/bundle-config.1
@ -146,7 +146,7 @@ Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init
 The number of gems Bundler can install in parallel\. Defaults to the number of available processors\.
 .TP
 \fBlockfile_checksums\fR (\fBBUNDLE_LOCKFILE_CHECKSUMS\fR)
-Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources\.
+Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources\. Defaults to true\.
 .TP
 \fBno_install\fR (\fBBUNDLE_NO_INSTALL\fR)
 Whether \fBbundle package\fR should skip installing gems\.
--- a/lib/bundler/man/bundle-config.1.ronn
+++ b/lib/bundler/man/bundle-config.1.ronn
@ -190,7 +190,7 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
   The number of gems Bundler can install in parallel. Defaults to the number of
   available processors.
 * `lockfile_checksums` (`BUNDLE_LOCKFILE_CHECKSUMS`):
-   Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources.
+   Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources. Defaults to true.
 * `no_install` (`BUNDLE_NO_INSTALL`):
   Whether `bundle package` should skip installing gems.
 * `no_prune` (`BUNDLE_NO_PRUNE`):
--- a/lib/bundler/settings.rb
+++ b/lib/bundler/settings.rb
@ -81,6 +81,7 @@ module Bundler
      "BUNDLE_RETRY" => 3,
      "BUNDLE_TIMEOUT" => 10,
      "BUNDLE_VERSION" => "lockfile",
+      "BUNDLE_LOCKFILE_CHECKSUMS" => true,
    }.freeze

    def initialize(root = nil)
--- a/spec/bundler/commands/lock_spec.rb
+++ b/spec/bundler/commands/lock_spec.rb
@ -2097,7 +2097,7 @@ RSpec.describe "bundle lock" do
    L
  end

-  it "generates checksums by default if configured to do so" do
+  it "generates checksums by default" do
    build_repo4 do
      build_gem "nokogiri", "1.14.2"
      build_gem "nokogiri", "1.14.2" do |s|
@ -2105,8 +2105,6 @@ RSpec.describe "bundle lock" do
      end
    end

-    bundle "config lockfile_checksums true"
-
    simulate_platform "x86_64-linux" do
      install_gemfile <<-G
        source "https://gem.repo4"
@ -2139,6 +2137,43 @@ RSpec.describe "bundle lock" do
    L
  end

+  it "disables checksums if configured to do so" do
+    build_repo4 do
+      build_gem "nokogiri", "1.14.2"
+      build_gem "nokogiri", "1.14.2" do |s|
+        s.platform = "x86_64-linux"
+      end
+    end
+
+    bundle "config lockfile_checksums false"
+
+    simulate_platform "x86_64-linux" do
+      install_gemfile <<-G
+        source "https://gem.repo4"
+
+        gem "nokogiri"
+      G
+    end
+
+    expect(lockfile).to eq <<~L
+      GEM
+        remote: https://gem.repo4/
+        specs:
+          nokogiri (1.14.2)
+          nokogiri (1.14.2-x86_64-linux)
+
+      PLATFORMS
+        ruby
+        x86_64-linux
+
+      DEPENDENCIES
+        nokogiri
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+  end
+
  context "when re-resolving to include prereleases" do
    before do
      build_repo4 do
--- a/spec/bundler/support/checksums.rb
+++ b/spec/bundler/support/checksums.rb
@ -58,7 +58,7 @@ module Spec
      begin
        enabled = (target_lockfile || lockfile).match?(/^CHECKSUMS$/)
      rescue Errno::ENOENT
-        enabled = Bundler.feature_flag.bundler_4_mode?
+        enabled = true
      end
      checksums_section(enabled, &block)
    end