
Bug 794493

Summary: dev-ruby/bundler: disable built-in sudo function
Product: Gentoo Linux
Reporter: Anton Bolshakov <anton.bugs>
Component: Current packages
Assignee: Gentoo Ruby Team <ruby>
Status: RESOLVED UPSTREAM
Severity: normal
CC: anton.bugs, ionen
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/rubygems/rubygems/issues/4031
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: nosudo patch

Description Anton Bolshakov 2021-06-06 00:31:34 UTC
Created attachment 713847
nosudo patch

Hello,

Gentoo wants to control all installed packages unconditionally.

bundler has a default built-in function to run sudo "if possible", i.e. if the current user has the NOPASSWD sudo option. For such users, bundler will escalate its privileges from a regular user quietly and install (overwrite) any files installed by portage earlier (/usr/bin, /usr/lib{32/64}/ruby locations). That is unexpected and almost malicious, because it will not even try to ask for a password if the NOPASSWD option is not configured and will install all packages to a local folder.

There is no option to disable it by default during installation, and upstream seems to agree that it should be removed, see:
https://github.com/rubygems/rubygems/issues/4031

I suggest disabling it in Gentoo earlier with the small provided patch.

Comment 1 Anton Bolshakov 2024-02-01 02:02:31 UTC
FYI, https://github.com/rubygems/rubygems/discussions/5878
fixed: https://github.com/rubygems/rubygems/issues/4031
The upstream removed auto-sudo,
>=dev-ruby/bundler-2.4.0

Hopefully, it will be made stable soon.
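
An audit check for the behaviour described in this bug, as an added example that is not part of the bug report or of bundler: it flags hosts where a bundler older than 2.4.0 (the version named in comment 1) meets passwordless sudo. The function names, state labels and script name are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the bug report or from bundler itself.
# Usage: sh bundler-autosudo-check.sh --audit   (file name is hypothetical)

# Per comment 1 on this bug, auto-sudo is removed in bundler >= 2.4.0.
FIXED_VERSION="2.4.0"

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # ignore suffixes such as "pre"
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# parse_bundler_version: read `bundle --version` output on stdin, print X.Y.Z.
parse_bundler_version() {
    sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}

# has_nopasswd_sudo: "sudo -n" never prompts; it fails if a password is needed.
has_nopasswd_sudo() {
    command -v sudo >/dev/null 2>&1 && sudo -n true >/dev/null 2>&1
}

# classify VERSION SUDO_STATE: print fixed, exposed or local-only.
# SUDO_STATE is "nopasswd" or "password" (labels made up for this example).
classify() {
    if ! version_lt "$1" "$FIXED_VERSION"; then echo fixed
    elif [ "$2" = nopasswd ]; then echo exposed      # quiet install as root
    else echo local-only                             # installs to a local folder
    fi
}

audit_host() {
    ver=$(bundle --version 2>/dev/null | parse_bundler_version)
    if [ -z "$ver" ]; then echo "bundler not found"; return 0; fi
    if has_nopasswd_sudo; then state=nopasswd; else state=password; fi
    echo "bundler $ver sudo=$state -> $(classify "$ver" "$state")"
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```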