bson 5.0.0-java → 5.0.1-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a402a1cf7ac93f6d12ed5acaad7ae5aa04fe0dacdfb7571392d09d35f6eaf9b
-  data.tar.gz: e3afd667f703c5cd401ef6231a4cf055fd835908546ba4b6503e7418beafc57c
+  metadata.gz: 8abd0210ffaac5ff6d506ec5a872ad8230f9a4253be7bb26d7b5726ff5f4f0e1
+  data.tar.gz: 2abc7512e12d5ebd109038a22e1a71d1174df6e86d82a43bd52dc5f2ae368c4b
 SHA512:
-  metadata.gz: 78a555961d750296ea66c0808edef55c1e2a5dcd24ff8761e0497ab671c8fe9dbc2d44f4e8ada2b2b0ec642ae347d62abe3358dc0f55cc5c81563900cd5cfb6b
-  data.tar.gz: '049eed7dbb37c42142a468566d44ee531f0a4ac0ac585d4e3a67b9e0ddcd3ba26c90e4f50650ec3544b5a51cb73a55c9882409c58ea6cebfb937cebe2f3b10af'
+  metadata.gz: bb55a15f35cb6700df2a3f45f13dae8525714adb796037db59cab549d21ae299c1999321e33c1e74b4f6eb1731e84972fd77e1814392f38e62ab7398ea35b7af
+  data.tar.gz: 52af2ff9e32b7f935b3abbfc482044eb5f62b2b4b1e70a85154ea32b7f36913dabbc183831864589d56b4293458d7b9290eeed15b2e535ac5f1301b8ecd2104c

data/README.md

@@ -1,16 +1,54 @@
 BSON
 [![Gem Version][rubygems-img]][rubygems-url]
 [![Build Status][ghactions-img]][ghactions-url]
-[![Coverage Status][coveralls-img]][coveralls-url]
-[![Inline docs][inch-img]][inch-url]
 ====
 
 An implementation of the BSON specification in Ruby.
 
+Installation
+------------
+
+BSON can be installed via RubyGems:
+
+```
+> gem install bson
+```
+
+Or by adding it to your project's Gemfile:
+
+```ruby
+gem 'bson'
+```
+
+### Release Integrity
+
+Each release of the BSON library for Ruby after version 5.0.0 has been automatically built and signed using the team's GPG key.
+
+To verify the bson gem file:
+
+1. [Download the GPG key](https://pgp.mongodb.com/ruby-driver.asc).
+2. Import the key into your GPG keyring with `gpg --import ruby-driver.asc`.
+3. Download the gem file (if you don't already have it). You can download it from RubyGems with `gem fetch bson`, or you can download it from the [releases page](https://github.com/mongodb/bson-ruby/releases) on GitHub.
+4. Download the corresponding detached signature file from the [same release](https://github.com/mongodb/bson-ruby/releases). Look at the bottom of the release that corresponds to the gem file, under the 'Assets' list, for a `.sig` file with the same version number as the gem you wish to install.
+5. Verify the gem with `gpg --verify bson-X.Y.Z.gem.sig bson-X.Y.Z.gem` (replacing `X.Y.Z` with the actual version number).
+
+You are looking for text like "Good signature from "MongoDB Ruby Driver Release Signing Key <packaging@mongodb.com>" in the output. If you see that, the signature was found to correspond to the given gem file.
+
+(Note that other output, like "This key is not certified with a trusted signature!", is related to *web of trust* and depends on how strongly you, personally, trust the `ruby-driver.asc` key that you downloaded from us. To learn more, see https://www.gnupg.org/gph/en/manual/x334.html)
+
+### Why not use RubyGems' gem-signing functionality?
+
+RubyGems' own gem signing is problematic, most significantly because there is no established chain of trust related to the keys used to sign gems. RubyGems' own documentation admits that "this method of signing gems is not widely used" (see https://guides.rubygems.org/security/). Discussions about this in the RubyGems community have been off-and-on for more than a decade, and while a solution will eventually arrive, we have settled on using GPG instead for the following reasons:
+
+1. Many of the other driver teams at MongoDB are using GPG to sign their product releases. Consistency with the other teams means that we can reuse existing tooling for our own product releases.
+2. GPG is widely available and has existing tools and procedures for dealing with web of trust (though they are admittedly quite arcane and intimidating to the uninitiated, unfortunately).
+
+Ultimately, most users do not bother to verify gems, and will not be impacted by our choice of GPG over RubyGems' native method.
+
 Compatibility
 -------------
 
-BSON is tested against MRI (2.6) and JRuby (9.2+).
+BSON is tested against MRI (2.7+) and JRuby (9.3+).
 
 Documentation
 -------------
@@ -29,6 +67,56 @@ BSON Specification
 
 The [BSON specification](http://bsonspec.org) is at bsonspec.org.
 
+## Bugs & Feature Requests
+
+To report a bug in the `bson` gem or request a feature:
+
+1. Visit [our issue tracker](https://jira.mongodb.org/) and login
+   (or create an account if you do not have one already).
+2. Navigate to the [RUBY project](https://jira.mongodb.org/browse/RUBY).
+3. Click 'Create Issue' and fill out all of the applicable form fields, making
+sure to select `BSON` in the _Component/s_ field.
+
+When creating an issue, please keep in mind that all information in JIRA
+for the RUBY project, as well as the core server (the SERVER project),
+is publicly visible.
+
+**PLEASE DO:**
+
+- Provide as much information as possible about the issue.
+- Provide detailed steps for reproducing the issue.
+- Provide any applicable code snippets, stack traces and log data.
+- Specify version numbers of the `bson` gem and/or Ruby driver and MongoDB 
+server.
+
+**PLEASE DO NOT:**
+
+- Provide any sensitive data or server logs.
+- Report potential security issues publicly (see 'Security Issues' below).
+
+## Security Issues
+
+If you have identified a potential security-related issue in the `bson` gem
+(or any other MongoDB product), please report it by following the
+[instructions here](https://www.mongodb.com/docs/manual/tutorial/create-a-vulnerability-report).
+
+## Product Feature Requests
+
+To request a feature which is not specific to the `bson` gem, or which
+affects more than the `bson` gem and/or Ruby driver alone (for example, a 
+feature which requires MongoDB server support), please submit your idea through 
+the [MongoDB Feedback Forum](https://feedback.mongodb.com/forums/924286-drivers).
+
+## Maintenance and Bug Fix Policy
+
+New library functionality is generally added in a backwards-compatible manner
+and results in new minor releases. Bug fixes are generally made on
+master first and are backported to the current minor library release. Exceptions
+may be made on a case-by-case basis, for example security fixes may be
+backported to older stable branches. Only the most recent minor release
+is officially supported. Customers should use the most recent release in
+their applications.
+
 Versioning
 ----------
 
@@ -56,7 +144,3 @@ limitations under the License.
 [rubygems-url]: http://badge.fury.io/rb/bson
 [ghactions-img]: https://github.com/mongodb/bson-ruby/actions/workflows/bson-ruby.yml/badge.svg?query=branch%3Amaster
 [ghactions-url]: https://github.com/mongodb/bson-ruby/actions/workflows/bson-ruby.yml?query=branch%3Amaster
-[coveralls-img]: https://coveralls.io/repos/mongodb/bson-ruby/badge.svg?branch=master
-[coveralls-url]: https://coveralls.io/r/mongodb/bson-ruby?branch=master
-[inch-img]: http://inch-ci.org/github/mongodb/bson-ruby.svg?branch=master
-[inch-url]: http://inch-ci.org/github/mongodb/bson-ruby

data/Rakefile

@@ -47,28 +47,37 @@ else
   end
 end
 
-require "bson/version"
+RSpec::Core::RakeTask.new(:rspec)
 
-def extension
-  RUBY_PLATFORM =~ /darwin/ ? "bundle" : "so"
+desc 'Build the bson gem'
+task :build => [ :clean_all, *(jruby? ? :compile : nil) ] do
+  output = "--output=#{ENV['GEM_FILE_NAME']}" if ENV['GEM_FILE_NAME']
+  system "gem build #{output} bson.gemspec"
 end
 
-require_relative "perf/bench"
-
-RSpec::Core::RakeTask.new(:rspec)
+# `rake version` is used by the deployment system so get the release version
+# of the product beng deployed. It must do nothing more than just print the
+# product version number.
+desc 'Print the current version of the Ruby-BSON library'
+task :version do
+  require 'bson/version'
+  puts BSON::VERSION
+end
 
-if jruby?
-  task :build => [ :clean_all, :compile ] do
-    system "gem build bson.gemspec"
-  end
-else
-  task :build => :clean_all do
-    system "gem build bson.gemspec"
-  end
+# `rake gem_file_name` is used by the deployment system so get the name of
+# the gem file to be generated. It must do nothing more than just print the
+# name of the gem file to generate.
+desc 'Print the name of the gem file to generate.'
+task :gem_file_name do
+  require 'bson/version'
+  base = "bson-#{BSON::VERSION}"
+  base << '-java' if jruby?
+  puts "#{base}.gem"
 end
 
 task :clean_all => :clean do
-  FileUtils.rm_f(File.join(File.dirname(__FILE__), 'lib', "bson_native.#{extension}"))
+  FileUtils.rm_f(File.join(File.dirname(__FILE__), 'lib', "bson_native.bundle"))
+  FileUtils.rm_f(File.join(File.dirname(__FILE__), 'lib', "bson_native.so"))
   FileUtils.rm_f(File.join(File.dirname(__FILE__), 'lib', "bson_native.o"))
   FileUtils.rm_f(File.join(File.dirname(__FILE__), 'lib', "bson-ruby.jar"))
 end
@@ -77,49 +86,63 @@ task :spec => :compile do
   Rake::Task["rspec"].invoke
 end
 
-# Run bundle exec rake release with mri and jruby. Ex:
-#
-# rvm use 2.1.0@bson
-# bundle exec rake release
-# rvm use jruby@bson
-# bundle exec rake release
-task :release => :build do
-  system "git tag -a v#{BSON::VERSION} -m 'Tagging release: #{BSON::VERSION}'"
-  system "git push --tags"
-  if jruby?
-    system "gem push bson-#{BSON::VERSION}-java.gem"
-    system "rm bson-#{BSON::VERSION}-java.gem"
-  else
-    system "gem push bson-#{BSON::VERSION}.gem"
-    system "rm bson-#{BSON::VERSION}.gem"
+# overrides the default Bundler-provided `release` task, which also
+# builds the gem. Our release process assumes the gem has already
+# been built (and signed via GPG), so we just need `rake release` to
+# push the gem to rubygems.
+task :release do
+  require 'bson/version'
+
+  # confirm: there ought to be two gems, one for MRI, and one for Java. These
+  # will have been previously generated by the 'BSON Release' GitHub action.
+  gems = Dir['*.gem']
+  if gems.length != 2
+    abort "Expected two gem files to be ready to release; got #{gems.length}"
+  end
+
+  if ENV['GITHUB_ACTION'].nil?
+    abort <<~WARNING
+      `rake release` must be invoked from the `BSON Release` GitHub action,
+      and must not be invoked locally. This ensures the gem is properly signed
+      and distributed by the appropriate user.
+
+      Note that it is the `rubygems/release-gem@v1` step in the `BSON Release`
+      action that invokes this task. Do not rename or remove this task, or the
+      release-gem step will fail. Reimplement this task with caution.
+
+      NO GEMS were pushed to RubyGems.
+    WARNING
+  end
+
+  gems.each do |gem|
+    system 'gem', 'push', gem
   end
 end
 
 namespace :benchmark do
 
-  task :ruby => :clean_all do
+  task :prep do
+    require_relative "perf/bench"
+  end
+
+  task ruby: [ :clean_all, 'benchmark:prep' ] do
     puts "Benchmarking pure Ruby..."
-    require "bson"
     benchmark!
   end
 
-  task :native => :compile do
+  task native: [ :compile, 'benchmark:prep' ] do
     puts "Benchmarking with native extensions..."
-    require "bson"
     benchmark!
   end
 
   namespace :decimal128 do
-
-    task :from_string do
+    task from_string: 'benchmark:prep' do
       puts "Benchmarking creating Decimal128 objects from a string"
-      require 'bson'
       benchmark_decimal128_from_string!
     end
 
-    task :to_string do
+    task to_string: 'benchmark:prep' do
       puts "Benchmarking getting a string representation of a Decimal128"
-      require 'bson'
       benchmark_decimal128_to_string!
     end
   end
@@ -133,6 +156,7 @@ task :docs => 'docs:yard'
 namespace :docs do
   desc "Generate yard documention"
   task :yard do
+    require 'bson/version'
     out = File.join('yard-docs', BSON::VERSION)
     FileUtils.rm_rf(out)
     system "yardoc -o #{out} --title bson-#{BSON::VERSION}"

data/lib/bson/decimal128/builder.rb

@@ -156,7 +156,7 @@ module BSON
         # @return [ Regex ] The regex for a valid decimal128 string.
         #
         # @since 4.2.0
-        VALID_DECIMAL128_STRING_REGEX = /^[\-\+]?(\d+(\.\d*)?|\.\d+)(E[\-\+]?\d+)?$/i
+        VALID_DECIMAL128_STRING_REGEX = /\A[\-\+]?(\d+(\.\d*)?|\.\d+)(E[\-\+]?\d+)?\Z/i
 
         # Initialize the FromString Builder object.
         #

data/lib/bson/object_id.rb

@@ -356,12 +356,22 @@ module BSON
         block_given? ? yield(object) : object
       end
 
+      # The largest numeric value that can be converted to an integer by MRI's
+      # NUM2UINT. Further, the spec dictates that the time component of an
+      # ObjectID must be no more than 4 bytes long, so the spec itself is
+      # constrained in this regard.
+      MAX_INTEGER = 2 ** 32
+
       # Returns an integer timestamp (seconds since the Epoch). Primarily used
       # by the generator to produce object ids.
       #
+      # @note This value is guaranteed to be no more than 4 bytes in length. A
+      #   time value far enough in the future to require a larger integer than
+      #   4 bytes will be truncated to 4 bytes.
+      #
       # @return [ Integer ] the number of seconds since the Epoch.
       def timestamp
-        ::Time.now.to_i
+        ::Time.now.to_i % MAX_INTEGER
       end
     end
 

data/lib/bson/version.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 # rubocop:todo all
+
 # Copyright (C) 2009-2020 MongoDB Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,5 +16,5 @@
 # limitations under the License.
 
 module BSON
-  VERSION = "5.0.0"
+  VERSION = "5.0.1"
 end

data/spec/bson/object_id_spec.rb

@@ -622,6 +622,20 @@ describe BSON::ObjectId do
     end
   end
 
+  context 'when the timestamp is larger than a 32-bit integer' do
+    let(:distant_future) { Time.at(2 ** 32) }
+
+    before do
+      allow(Time).to receive(:now).and_return(distant_future)
+    end
+
+    let(:object_id) { BSON::ObjectId.new }
+
+    it 'wraps the timestamp to 0' do
+      expect(object_id.to_time).to be == Time.at(0)
+    end
+  end
+
   context 'when fork changes the pid' do
     before do
       skip 'requires Process.fork' unless Process.respond_to?(:fork)