Confusing error messages with new security fixes

[Fryguy]

Describe the problem as clearly as you can

In our project we have some custom gems that are locked down to our custom gemserver using a :source directly in the Gemfile. If I understand correctly, the new security fix now prefers that custom gem source for transient dependencies, and if there is an ambiguity across multiple gem sources for those transient dependencies, then bundling fails. Where I am confused is when there isn't an ambiguity and bundler still fails. It may just be a confusing error message, but it's hard to tell.

The project is ManageIQ, which has a custom public gemserver at https://rubygems.manageiq.org. One of the offending gems seems to be our fork of handsoap, which is locked down here. handsoap depends on nokogiri and yields the following error:

The gem 'nokogiri' was found in multiple relevant sources.
  * rubygems repository https://rubygems.manageiq.org/ or installed locally
  * rubygems repository https://rubygems.org/ or installed locally
You must add this gem to the source block for the source you wish it to be installed from.

However, what's confusing is that nokogiri doesn't exist on https://rubygems.manageiq.org/ at all. There is no ambiguity. Even more confusing is what happens when you try to reproduce this error.

Post steps to reproduce the problem

I was trying to reduce this, and I think this is as close as I can get. I started with the following Gemfile, which "works":

source "https://rubygems.org"
gem "handsoap", "=0.2.5.5", :source => "https://rubygems.manageiq.org"

I can't understand why that works, though, because both nokogiri and racc are not on https://rubygems.manageiq.org, but the Gemfile.lock is showing something completely different:

GEM
  remote: https://rubygems.manageiq.org/
  specs:
    handsoap (0.2.5.5)
      nokogiri (>= 1.2.3)
    nokogiri (1.11.1-x86_64-darwin)
      racc (~> 1.4)
    racc (1.5.2)

GEM
  remote: https://rubygems.org/
  specs:

PLATFORMS
  x86_64-darwin-19

DEPENDENCIES
  handsoap (= 0.2.5.5)!

BUNDLED WITH
   2.2.10

Even so, if I then add nokogiri

source "https://rubygems.org"
gem "handsoap", "=0.2.5.5", :source => "https://rubygems.manageiq.org"
gem "nokogiri"

I get the following error

The gem 'racc' was found in multiple relevant sources.
  * rubygems repository https://rubygems.manageiq.org/ or installed locally
  * rubygems repository https://rubygems.org/ or installed locally
You must add this gem to the source block for the source you wish it to be installed from.

Which, similar to the error I mentioned way above in the first section, is confusing because racc doesn't exist at all on https://rubygems.manageiq.org, and the fact that it passed the first time is even more confusing.

Which command did you run?

bundle update

What were you expecting to happen?

See above

What actually happened?

See above

If not included with the output of your command, run bundle env and paste the output below

bundle env

Environment

Bundler       2.2.10
  Platforms   ruby, x86_64-darwin-19
Ruby          2.6.6p146 (2020-03-31 revision 67876) [x86_64-darwin19]
  Full Path   /Users/jfrey/.rubies/ruby-2.6.6/bin/ruby
  Config Dir  /Users/jfrey/.rubies/ruby-2.6.6/etc
RubyGems      3.0.3
  Gem Home    /Users/jfrey/.gem/ruby/2.6.6
  Gem Path    /Users/jfrey/.gem/ruby/2.6.6:/Users/jfrey/.rubies/ruby-2.6.6/lib/ruby/gems/2.6.0
  User Home   /Users/jfrey
  User Path   /Users/jfrey/.gem/ruby/2.6.0
  Bin Dir     /Users/jfrey/.gem/ruby/2.6.6/bin
Tools
  Git         2.26.1
  RVM         not installed
  rbenv       not installed
  chruby      0.3.9

Bundler Build Metadata

Built At          2021-02-15
Git SHA           cc7c333721
Released Version  true

Bundler settings

gem.test
  Set for the current user (/Users/jfrey/.bundle/config): "rspec"
gem.mit
  Set for the current user (/Users/jfrey/.bundle/config): true
gem.coc
  Set for the current user (/Users/jfrey/.bundle/config): true

Gemfile

Gemfile

source "https://rubygems.org"
gem "handsoap", "=0.2.5.5", :source => "https://rubygems.manageiq.org"
gem "nokogiri"

Gemfile.lock

GEM
  remote: https://rubygems.manageiq.org/
  specs:
    handsoap (0.2.5.5)
      nokogiri (>= 1.2.3)
    nokogiri (1.11.1-x86_64-darwin)
      racc (~> 1.4)
    racc (1.5.2)

GEM
  remote: https://rubygems.org/
  specs:

PLATFORMS
  x86_64-darwin-19

DEPENDENCIES
  handsoap (= 0.2.5.5)!

BUNDLED WITH
   2.2.10

[deivid-rodriguez]

Thanks for the ticket @Fryguy, we've been also reported a similar issue on Slack. There's something wrong here, I'll investigate.

[Fryguy]

@deivid-rodriguez Thanks. I'm happy to help where needed. Feel free to use https://rubygems.manageiq.org if it would help

[deivid-rodriguez]

The fact that the first example works is expected to me. The way I approached this is to not fallback to the "block source" for direct and transitive dependencies that are present there, but if they are not present, pick them up from the global source. But the lockfile is just wrong.

[Fryguy]

Yes, I agree that the first one working makes sense. I think I worded that incorrectly. I wasn't surprised it worked, I was more surprised that it worked given the lockfile is wrong.

[Fryguy]

If it helps, playing with this a little more, if I continue and add racc to the Gemfile it "works" AND the Gemfile.lock is correct

source "https://rubygems.org"
gem "handsoap", "=0.2.5.5", :source => "https://rubygems.manageiq.org"
gem "nokogiri"
gem "racc"

GEM
  remote: https://rubygems.manageiq.org/
  specs:
    handsoap (0.2.5.5)
      nokogiri (>= 1.2.3)

GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.11.1-x86_64-darwin)
      racc (~> 1.4)
    racc (1.5.2)

PLATFORMS
  x86_64-darwin-19

DEPENDENCIES
  handsoap (= 0.2.5.5)!
  nokogiri
  racc

BUNDLED WITH
   2.2.10

[deivid-rodriguez]

Oh, I see the issue now. Rubygems sources have this "or installed locally" fallback that's messing things up if you already have the gems installed.

[Fryguy]

@deivid-rodriguez That's interesting, if I do a gem uninstall nokogiri racc handsoap before each of the 3 iterations above, each one now works AND all of the Gemfile.locks are correct. I think you're onto something.

[deivid-rodriguez]

Yeah, I think it shouldn't be hard to fix, I'll work on it and try to push a fixed version tomorrow.

[deivid-rodriguez]

Hello everyone, sorry for this issue 🙏.

Can you try #4381 and verify whether it fixes your issues? Thanks!