authorDavid Rodríguez <2887858+deivid-rodriguez@users.noreply.github.com>2025-09-09 19:20:53 +0200
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2025-09-19 19:30:10 +0900
commit44a4f88159127e8d49bd3dfddcaa32233f57dd85 (patch)
treebc5630bcffdf7a0e0084b2c0cce917fb0bfeefa2
parent23fb4d50200c39b1df320fdc8ac3ed071923361c (diff)
[rubygems/rubygems] Switch `lockfile_checksums` to be true by default
https://github.com/rubygems/rubygems/commit/47c3dc19ee Co-authored-by: Jonathan Barquero <jonbarlo@hotmail.com>
-rw-r--r--lib/bundler/definition.rb2
-rw-r--r--lib/bundler/feature_flag.rb1
-rw-r--r--lib/bundler/man/bundle-config.12
-rw-r--r--lib/bundler/man/bundle-config.1.ronn2
-rw-r--r--lib/bundler/settings.rb1
-rw-r--r--spec/bundler/commands/lock_spec.rb41
-rw-r--r--spec/bundler/support/checksums.rb2
7 files changed, 43 insertions, 8 deletions
diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb
index 32dd13399e..49627cc562 100644
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@@ -136,7 +136,7 @@ module Bundler
@locked_sources = []
@originally_locked_specs = @locked_specs
@originally_locked_sources = @locked_sources
- @locked_checksums = Bundler.feature_flag.lockfile_checksums?
+ @locked_checksums = Bundler.settings[:lockfile_checksums]
end
@unlocking_ruby ||= if @ruby_version && locked_ruby_version_object
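Review bot: `@locked_checksums = Bundler.settings[:lockfile_checksums]` now relies on the settings store returning a real boolean, since the `lockfile_checksums?` accessor it replaces is removed in the same commit; that only holds if `lockfile_checksums` is registered among the boolean setting keys (not visible in this diff), otherwise a `BUNDLE_LOCKFILE_CHECKSUMS=false` string would be truthy and a CHECKSUMS section would be written when the user asked for it off, so this is worth confirming. Nothing at the site says why the setting is consulted here, and this looks like the branch taken when no lockfile exists yet; a one-line comment would help: `# No existing lockfile: emit CHECKSUMS unless lockfile_checksums was disabled (defaults to true)`. The enclosing conditional begins outside the hunk.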
diff --git a/lib/bundler/feature_flag.rb b/lib/bundler/feature_flag.rb
index 73e6ddcc68..09a0ae593d 100644
--- a/lib/bundler/feature_flag.rb
+++ b/lib/bundler/feature_flag.rb
@@ -29,7 +29,6 @@ module Bundler
settings_flag(:cache_all) { bundler_4_mode? }
settings_flag(:global_gem_cache) { bundler_5_mode? }
- settings_flag(:lockfile_checksums) { bundler_4_mode? }
settings_flag(:plugins) { @bundler_version >= Gem::Version.new("1.14") }
settings_flag(:update_requires_all_flag) { bundler_5_mode? }
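Review bot: Removing `settings_flag(:lockfile_checksums)` deletes the generated `Bundler.feature_flag.lockfile_checksums?` method, and the diff updates only the one caller in `lib/bundler/definition.rb`; any other caller (none visible here, but plugins or other files may exist) would now fail with NoMethodError at call time rather than at load, so a repository-wide search for `lockfile_checksums?` is warranted before merge. If compatibility for external callers matters, a thin `def lockfile_checksums? = Bundler.settings[:lockfile_checksums]` kept for one release would be the conservative option. The `settings_flag` list continues outside the hunk.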
diff --git a/lib/bundler/man/bundle-config.1 b/lib/bundler/man/bundle-config.1
index b7276daa89..29e830a3b0 100644
--- a/lib/bundler/man/bundle-config.1
+++ b/lib/bundler/man/bundle-config.1
@@ -146,7 +146,7 @@ Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init
The number of gems Bundler can install in parallel\. Defaults to the number of available processors\.
.TP
\fBlockfile_checksums\fR (\fBBUNDLE_LOCKFILE_CHECKSUMS\fR)
-Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources\.
+Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources\. Defaults to true\.
.TP
\fBno_install\fR (\fBBUNDLE_NO_INSTALL\fR)
Whether \fBbundle package\fR should skip installing gems\.
diff --git a/lib/bundler/man/bundle-config.1.ronn b/lib/bundler/man/bundle-config.1.ronn
index 18260c6c93..62fce8fa91 100644
--- a/lib/bundler/man/bundle-config.1.ronn
+++ b/lib/bundler/man/bundle-config.1.ronn
@@ -190,7 +190,7 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
The number of gems Bundler can install in parallel. Defaults to the number of
available processors.
* `lockfile_checksums` (`BUNDLE_LOCKFILE_CHECKSUMS`):
- Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources.
+ Whether Bundler should include a checksums section in new lockfiles, to protect from compromised gem sources. Defaults to true.
* `no_install` (`BUNDLE_NO_INSTALL`):
Whether `bundle package` should skip installing gems.
* `no_prune` (`BUNDLE_NO_PRUNE`):
diff --git a/lib/bundler/settings.rb b/lib/bundler/settings.rb
index ecc3ee8080..bfd6869082 100644
--- a/lib/bundler/settings.rb
+++ b/lib/bundler/settings.rb
@@ -81,6 +81,7 @@ module Bundler
"BUNDLE_RETRY" => 3,
"BUNDLE_TIMEOUT" => 10,
"BUNDLE_VERSION" => "lockfile",
+ "BUNDLE_LOCKFILE_CHECKSUMS" => true,
}.freeze
def initialize(root = nil)
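Review bot: The new `"BUNDLE_LOCKFILE_CHECKSUMS" => true` entry is appended after `"BUNDLE_VERSION"`, while the visible neighbours (`BUNDLE_RETRY`, `BUNDLE_TIMEOUT`, `BUNDLE_VERSION`) are kept in alphabetical order; placing it among the keys that sort around it keeps the defaults table scannable. Because this single line is what turns lockfile checksums from opt-in into opt-out, a short comment on it would record the intent for the next person editing the defaults: `# opt-out: CHECKSUMS in new lockfiles guards against tampered gem sources`. The start of the constant and the keys before `BUNDLE_RETRY` lie outside the hunk.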
diff --git a/spec/bundler/commands/lock_spec.rb b/spec/bundler/commands/lock_spec.rb
index 5a31d1733a..a7460ed695 100644
--- a/spec/bundler/commands/lock_spec.rb
+++ b/spec/bundler/commands/lock_spec.rb
@@ -2097,7 +2097,7 @@ RSpec.describe "bundle lock" do
L
end
- it "generates checksums by default if configured to do so" do
+ it "generates checksums by default" do
build_repo4 do
build_gem "nokogiri", "1.14.2"
build_gem "nokogiri", "1.14.2" do |s|
@@ -2105,8 +2105,6 @@ RSpec.describe "bundle lock" do
end
end
- bundle "config lockfile_checksums true"
-
simulate_platform "x86_64-linux" do
install_gemfile <<-G
source "https://gem.repo4"
@@ -2139,6 +2137,43 @@ RSpec.describe "bundle lock" do
L
end
+ it "disables checksums if configured to do so" do
+ build_repo4 do
+ build_gem "nokogiri", "1.14.2"
+ build_gem "nokogiri", "1.14.2" do |s|
+ s.platform = "x86_64-linux"
+ end
+ end
+
+ bundle "config lockfile_checksums false"
+
+ simulate_platform "x86_64-linux" do
+ install_gemfile <<-G
+ source "https://gem.repo4"
+
+ gem "nokogiri"
+ G
+ end
+
+ expect(lockfile).to eq <<~L
+ GEM
+ remote: https://gem.repo4/
+ specs:
+ nokogiri (1.14.2)
+ nokogiri (1.14.2-x86_64-linux)
+
+ PLATFORMS
+ ruby
+ x86_64-linux
+
+ DEPENDENCIES
+ nokogiri
+
+ BUNDLED WITH
+ #{Bundler::VERSION}
+ L
+ end
+
context "when re-resolving to include prereleases" do
before do
build_repo4 do
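Review bot: The new `"disables checksums if configured to do so"` example repeats the whole fixture of the preceding `"generates checksums by default"` example (the `build_repo4` block with both nokogiri gems, `simulate_platform "x86_64-linux"`, and the same Gemfile), differing only in `bundle "config lockfile_checksums false"` and the expected lockfile; moving the repository setup into a shared `before` or a small helper would keep the two examples from drifting apart. The expectation compares the entire lockfile to prove one section is absent; if full equality is not the point, `expect(lockfile).not_to include("CHECKSUMS")` states the intent more directly. Only the `bundle config` path is exercised; whether the documented `BUNDLE_LOCKFILE_CHECKSUMS` environment variable takes the same route is not covered by these examples. The `RSpec.describe "bundle lock"` block continues outside the hunk.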
diff --git a/spec/bundler/support/checksums.rb b/spec/bundler/support/checksums.rb
index 8e0dea4a71..cf8ea417d6 100644
--- a/spec/bundler/support/checksums.rb
+++ b/spec/bundler/support/checksums.rb
@@ -58,7 +58,7 @@ module Spec
begin
enabled = (target_lockfile || lockfile).match?(/^CHECKSUMS$/)
rescue Errno::ENOENT
- enabled = Bundler.feature_flag.bundler_4_mode?
+ enabled = true
end
checksums_section(enabled, &block)
end
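Review bot: `enabled = true` in the `rescue Errno::ENOENT` branch hard-codes the new default instead of reading it, so the helper's expectation stops tracking the setting when a spec has disabled checksums and no lockfile exists yet; reading the same source the code under test uses, `enabled = Bundler.settings[:lockfile_checksums]`, keeps the helper in step with `bundle config lockfile_checksums false` in specs and with any future change to the default. Whether any spec currently reaches this branch with checksums disabled is not visible here. The enclosing method starts outside the hunk (its `def` precedes the `begin`).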