bundler 1.3.0.pre.7 → 1.3.0.pre.8

data/.rspec

@@ -1,2 +1,2 @@
 --format documentation
---color
+--color

data/.travis.yml

@@ -16,6 +16,11 @@ notifications:
     on_failure: always
     channels:
       - "irc.freenode.org#bundler"
+  campfire:
+    on_success: change
+    on_failure: always
+    rooms:
+      - secure: "geau3P+A9ZJHkA/OHN5v9Mcb8hAti1PllXw5DsHNJfLAWBAw5ReGGMA8Xfpf\nLdT7ktIUlQwzw94cKQ6sRZk8szXTiHncf3bxXTACJf2RpiKmbkoQU51TmCDq\nYSMuY1FIryk/3t9aZCrarufbIDI3DBscDEe4Bj9bERl+TJ8ArBY="
 rvm:
   - 1.9.3
   - 1.9.2

data/CHANGELOG.md

@@ -1,3 +1,34 @@
+## 1.3.0.pre.8 (12 February 2013)
+
+Security:
+
+  - validate SSL certificate chain during HTTPS network requests
+  - don't send HTTP Basic Auth creds when redirected to other hosts (@perplexes)
+  - add `--trust-policy` to `install`, like `gem install -P` (@CosmicCat, #2293)
+
+Features:
+
+  - optimize resolver when too new of a gem is already activated (@rykov, #2248)
+  - update Net::HTTP::Persistent for SSL cert validation and no_proxy ENV
+  - explain SSL cert validation failures
+  - generate gemspecs when installing git repos, removing shellouts
+  - add pager selection (@csgui)
+  - add `licenses` command (@bryanwoods, #1898)
+  - sort output from `outdated` (@richardkmichael, #1896)
+  - add a .travis.yml to `gem -t` (@ndbroadbent, #2143)
+  - inform users when the resolver starts
+  - disable reverse DNS to speed up API requests (@raggi)
+
+Bugfixes:
+
+  - raise errors while requiring dashed gems (#1807)
+  - quote the Bundler path on Windows (@jgeiger, #1862, #1856)
+  - load gemspecs containing unicode (@gaffneyc, #2301)
+  - support any ruby version in --standalone
+  - resolve some ruby -w warnings (@chastell, #2193)
+  - don't scare users with an error message during API fallback
+  - `install --binstubs` is back to overwriting. thanks, SemVer.
+
 ## 1.3.0.pre.7 (22 January 2013)
 
 Bugfixes:
@@ -107,6 +138,22 @@ Bugfixes:
   - `gem` generates gemspecs that block double-requires
   - `gem` generates gemspecs that admit they depend on rake
 
+## 1.2.4 (Feb 12, 2013)
+
+Features:
+
+  - warn about Ruby 2.0 and Rubygems 2.0
+  - inform users when the resolver starts
+  - disable reverse DNS to speed up API requests (@raggi)
+
+Bugfixes:
+
+  - don't send user/pass when redirected to another host (@perplexes)
+  - load gemspecs containing unicode (@gaffneyc, #2301)
+  - support any ruby version in --standalone
+  - resolve some ruby -w warnings (@chastell, #2193)
+  - don't scare users with an error message during API fallback
+
 ## 1.2.3 (Nov 29, 2012)
 
 Bugfixes:

data/CONTRIBUTE.md

@@ -1,4 +1,3 @@
-
 Great to have you here! Here are a few ways you can help out with [Bundler](http://github.com/carlhuda/bundler).
 
 # Learn & listen
@@ -94,4 +93,4 @@ If you let someone on the core team know you wrote about Bundler, we will add yo
 
 If you’re interested in contributing to Bundler, that’s awesome! We’d love your help.
 
-If you have any questions after reading this page, please feel free to contact either [@indirect](http://github.com/indirect) or [@hone](http://github.com/hone). They are both happy to provide help working through your first bugfix or thinking through the problem you’re trying to resolve.
+If you have any questions after reading this page, please feel free to contact either [@indirect](http://github.com/indirect) or [@hone](http://github.com/hone). They are both happy to provide help working through your first bugfix or thinking through the problem you’re trying to resolve.

data/CONTRIBUTING.md

@@ -10,4 +10,4 @@ If you'd like to discuss features, ask questions, or just engage in general Bund
 
 If you'd like to help make Bundler better, you totally rock! Please check out the [CONTRIBUTE](https://github.com/carlhuda/bundler/blob/master/CONTRIBUTE.md) file for an introduction to the project, guidelines for contributing, and suggestions for things anyone can do that would be helpful.
 
-Thanks for helping us make Bundler better.
+Thanks for helping us make Bundler better.

data/{LICENSE → LICENSE.md}

@@ -20,4 +20,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -5,6 +5,16 @@ require 'rubygems'
 require 'shellwords'
 require 'benchmark'
 
+task :build => ["man:clean", "man:build"]
+task :release => ["man:clean", "man:build"]
+
+def safe_task(&block)
+  yield
+  true
+rescue
+  false
+end
+
 # Benchmark task execution
 module Rake
   class Task
@@ -19,20 +29,13 @@ module Rake
   end
 end
 
-task :release => ["man:clean", "man:build"]
-
-def safe_task(&block)
-  yield
-  true
-rescue
-  false
-end
-
 namespace :spec do
   desc "Ensure spec dependencies are installed"
   task :deps do
-    sh "#{Gem.ruby} -S gem list ronn | (grep 'ronn' 1> /dev/null) || #{Gem.ruby} -S gem install ronn --no-ri --no-rdoc"
-    sh "#{Gem.ruby} -S gem list rspec | (grep 'rspec (2.' 1> /dev/null) || #{Gem.ruby} -S gem install rspec --no-ri --no-rdoc"
+    {"rdiscount" => "~> 1.6", "ronn" => "~> 0.7.3", "rspec" => "~> 2.12"}.each do |name, version|
+      sh "#{Gem.ruby} -S gem list #{name} -v '#{version}' | grep '#{name}' -q || " \
+         "#{Gem.ruby} -S gem install #{name} -v '#{version}' --no-ri --no-rdoc"
+    end
   end
 
   namespace :travis do
@@ -88,7 +91,7 @@ begin
     namespace :rubygems do
       # Rubygems specs by version
       rubyopt = ENV["RUBYOPT"]
-      %w(master v1.3.6 v1.3.7 v1.4.2 v1.5.3 v1.6.2 v1.7.2 v1.8.24 v2.0.0.preview2.2).each do |rg|
+      %w(master v1.3.6 v1.3.7 v1.4.2 v1.5.3 v1.6.2 v1.7.2 v1.8.24 v2.0.0.rc.1).each do |rg|
         desc "Run specs with Rubygems #{rg}"
         RSpec::Core::RakeTask.new(rg) do |t|
           t.rspec_opts = %w(-fs --color)
@@ -142,7 +145,7 @@ begin
 
     desc "Run the tests on Travis CI against a rubygem version (using ENV['RGV'])"
     task :travis do
-      rg = ENV['RGV'] || 'master'
+      rg = ENV['RGV'] || 'v1.8.24'
 
       puts "\n\e[1;33m[Travis CI] Running bundler specs against rubygems #{rg}\e[m\n\n"
       specs = safe_task { Rake::Task["spec:rubygems:#{rg}"].invoke }

data/bundler.gemspec

@@ -1,32 +1,28 @@
-# -*- encoding: utf-8 -*-
+# coding: utf-8
 lib = File.expand_path('../lib/', __FILE__)
 $:.unshift lib unless $:.include?(lib)
-
 require 'bundler/version'
 
-Gem::Specification.new do |s|
-  s.name        = "bundler"
-  s.version     = Bundler::VERSION
-  s.platform    = Gem::Platform::RUBY
-  s.license     = "MIT"
-  s.authors     = ["André Arko", "Terence Lee", "Carl Lerche", "Yehuda Katz"]
-  s.email       = ["andre@arko.net"]
-  s.homepage    = "http://gembundler.com"
-  s.summary     = %q{The best way to manage your application's dependencies}
-  s.description = %q{Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably}
+Gem::Specification.new do |spec|
+  spec.name        = 'bundler'
+  spec.version     = Bundler::VERSION
+  spec.licenses    = ['MIT']
+  spec.authors     = ["André Arko", "Terence Lee", "Carl Lerche", "Yehuda Katz"]
+  spec.email       = ["andre@arko.net"]
+  spec.homepage    = "http://gembundler.com"
+  spec.summary     = %q{The best way to manage your application's dependencies}
+  spec.description = %q{Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably}
+
+  spec.required_ruby_version     = '>= 1.8.7'
+  spec.required_rubygems_version = '>= 1.3.6'
 
-  s.required_ruby_version     = ">= 1.8.7"
-  s.required_rubygems_version = ">= 1.3.6"
-  s.rubyforge_project         = "bundler"
+  spec.add_development_dependency 'ronn', '~> 0.7.3'
+  spec.add_development_dependency 'rspec', '~> 2.11'
 
-  s.add_development_dependency "ronn"
-  s.add_development_dependency "rspec", "~> 2.11"
+  spec.files       = `git ls-files`.split($/)
+  spec.files      += Dir.glob('man/**/*') # man/ is ignored by git
+  spec.test_files  = spec.files.grep(%r{^spec/})
 
-  # Man files are required because they are ignored by git
-  man_files            = Dir.glob("lib/bundler/man/**/*")
-  git_files            = `git ls-files`.split("\n") rescue ''
-  s.files              = git_files + man_files
-  s.test_files         = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables        = %w(bundle)
-  s.require_paths      = ["lib"]
+  spec.executables   = %w(bundle)
+  spec.require_paths = ["lib"]
 end

data/lib/bundler.rb

@@ -1,6 +1,6 @@
-require 'rbconfig'
 require 'fileutils'
 require 'pathname'
+require 'rbconfig'
 require 'bundler/gem_path_manipulation'
 require 'bundler/rubygems_ext'
 require 'bundler/rubygems_integration'
@@ -61,6 +61,7 @@ module Bundler
   class ProductionError      < BundlerError; status_code(16) ; end
   class HTTPError            < BundlerError; status_code(17) ; end
   class RubyVersionMismatch  < BundlerError; status_code(18) ; end
+  class SecurityError        < BundlerError; status_code(19) ; end
 
   WINDOWS = RbConfig::CONFIG["host_os"] =~ %r!(msdos|mswin|djgpp|mingw)!
   FREEBSD = RbConfig::CONFIG["host_os"] =~ /bsd/
@@ -100,9 +101,9 @@ module Bundler
     def bin_path
       @bin_path ||= begin
         path = settings[:bin] || "bin"
-        path = Pathname.new(path).expand_path(root)
+        path = Pathname.new(path).expand_path(root).expand_path
         FileUtils.mkdir_p(path)
-        Pathname.new(path).expand_path
+        path
       end
     end
 
@@ -320,9 +321,9 @@ module Bundler
 
     def eval_gemspec(path, contents)
       eval(contents, TOPLEVEL_BINDING, path.expand_path.to_s)
-    rescue LoadError, SyntaxError => e
+    rescue ScriptError, StandardError => e
       original_line = e.backtrace.find { |line| line.include?(path.to_s) }
-      msg  = "There was a #{e.class} while evaluating #{path.basename}: \n#{e.message}"
+      msg  = "There was a #{e.class} while loading #{path.basename}: \n#{e.message}"
       msg << " from\n  #{original_line}" if original_line
       msg << "\n"
 
@@ -335,7 +336,6 @@ module Bundler
 
     def configure_gem_home_and_path
       blank_home = ENV['GEM_HOME'].nil? || ENV['GEM_HOME'].empty?
-
       if settings[:disable_shared_gems]
         ENV['GEM_PATH'] = ''
         configure_gem_home

data/lib/bundler/cli.rb

@@ -1,7 +1,7 @@
+require 'bundler/similarity_detector'
 require 'bundler/vendored_thor'
 require 'rubygems/user_interaction'
-require 'rubygems/config_file'
-require 'bundler/similarity_detector'
+require 'rubygems/security'
 
 module Bundler
   class CLI < Thor
@@ -18,7 +18,6 @@ module Bundler
     end
 
     check_unknown_options!(:except => [:config, :exec])
-
     stop_on_unknown_option! :exec
 
     default_task :install
@@ -46,8 +45,8 @@ module Bundler
         root = File.expand_path("../man", __FILE__)
 
         if have_groff? && root !~ %r{^file:/.+!/META-INF/jruby.home/.+}
-          groff   = "groff -Wall -mtty-char -mandoc -Tascii"
-          pager   = ENV['MANPAGER'] || ENV['PAGER'] || 'less -R'
+          groff = "groff -Wall -mtty-char -mandoc -Tascii"
+          pager = pager_system
 
           Kernel.exec "#{groff} #{root}/#{command} | #{pager}"
         else
@@ -171,6 +170,9 @@ module Bundler
       "Use the rubygems modern index instead of the API endpoint"
     method_option "clean", :type => :boolean, :banner =>
       "Run bundle clean automatically after install"
+    method_option "trust-policy", :alias => "P", :type => :string, :banner =>
+      "Gem trust policy (like gem install -P). Must be one of " + Gem::Security::Policies.keys.join('|')
+
     def install
       opts = options.dup
       if opts[:without]
@@ -190,6 +192,17 @@ module Bundler
         exit 1
       end
 
+      if (opts["trust-policy"])
+        unless (Gem::Security::Policies.keys.include?(opts["trust-policy"]))
+          Bundler.ui.error "Rubygems doesn't know about trust policy '#{opts["trust-policy"]}'. " \
+            "The known policies are: #{Gem::Security::Policies.keys.join(', ')}."
+          exit 1
+        end
+        Bundler.settings["trust-policy"] = opts["trust-policy"]
+      else
+        Bundler.settings["trust-policy"] = nil if Bundler.settings["trust-policy"]
+      end
+
       if opts[:deployment] || opts[:frozen]
         unless Bundler.default_lockfile.exist?
           flag = opts[:deployment] ? '--deployment' : '--frozen'
@@ -222,7 +235,7 @@ module Bundler
       Bundler.settings[:no_prune] = true if opts["no-prune"]
       Bundler.settings[:disable_shared_gems] = Bundler.settings[:path] ? '1' : nil
       Bundler.settings.without = opts[:without]
-      Bundler.ui.be_quiet! if opts[:quiet]
+      Bundler.ui.quiet = opts[:quiet]
       Bundler.settings[:clean] = opts[:clean] if opts[:clean]
 
       Bundler::Fetcher.disable_endpoint = opts["full-index"]
@@ -276,7 +289,7 @@ module Bundler
         "Use the rubygems modern index instead of the API endpoint"
     def update(*gems)
       sources = Array(options[:source])
-      Bundler.ui.be_quiet! if options[:quiet]
+      Bundler.ui.quiet = options[:quiet]
 
       if gems.empty? && sources.empty?
         # We're doing a full update
@@ -344,8 +357,8 @@ module Bundler
       Bundler.definition.validate_ruby!
       Bundler.settings[:bin] = options["path"] if options["path"]
       Bundler.settings[:bin] = nil if options["path"] && options["path"].empty?
-      installer              = Installer.new(Bundler.root, Bundler.definition)
-      spec                   = installer.specs.find{|s| s.name == gem_name }
+      installer = Installer.new(Bundler.root, Bundler.definition)
+      spec      = installer.specs.find{|s| s.name == gem_name }
       raise GemNotFound, not_found_message(gem_name, Bundler.load.specs) unless spec
 
       if spec.name == "bundler"
@@ -383,7 +396,7 @@ module Bundler
 
       out_count = 0
       # Loop through the current specs
-      current_specs.each do |current_spec|
+      current_specs.sort_by { |s| s.name }.each do |current_spec|
         next if !gems.empty? && !gems.include?(current_spec.name)
 
         active_spec = definition.index[current_spec.name].sort_by { |b| b.version }
@@ -593,6 +606,20 @@ module Bundler
     end
     map %w(-v --version) => :version
 
+    desc "licenses", "Prints the license of all gems in the bundle"
+    def licenses
+      Bundler.load.specs.sort_by { |s| s.license.to_s }.reverse.each do |s|
+        gem_name = s.name
+        license  = s.license || s.licenses
+
+        if license.empty?
+          Bundler.ui.warn "#{gem_name}: Unknown"
+        else
+          Bundler.ui.info "#{gem_name}: #{license}"
+        end
+      end
+    end
+
     desc 'viz', "Generates a visual dependency graph"
     long_desc <<-D
       Viz generates a PNG file of the current Gemfile as a dependency graph.
@@ -625,7 +652,7 @@ module Bundler
 
     desc "gem GEM", "Creates a skeleton for creating a rubygem"
     method_option :bin, :type => :boolean, :default => false, :aliases => '-b', :banner => "Generate a binary for your library."
-    method_option :test, :type => :string, :default => 'rspec', :aliases => '-t', :banner => "Generate a test directory for your library: 'rspec' is the default, but 'minitest' is also supported."
+    method_option :test, :type => :string, :lazy_default => 'rspec', :aliases => '-t', :banner => "Generate a test directory for your library: 'rspec' is the default, but 'minitest' is also supported."
     method_option :edit, :type => :string, :aliases => "-e",
                   :lazy_default => [ENV['BUNDLER_EDITOR'], ENV['VISUAL'], ENV['EDITOR']].find{|e| !e.nil? && !e.empty? },
                   :required => false, :banner => "/path/to/your/editor",
@@ -670,6 +697,9 @@ module Bundler
         template(File.join("newgem/test/minitest_helper.rb.tt"), File.join(target, "test/minitest_helper.rb"),         opts)
         template(File.join("newgem/test/test_newgem.rb.tt"),     File.join(target, "test/test_#{namespaced_path}.rb"), opts)
       end
+      if options[:test]
+        template(File.join("newgem/.travis.yml.tt"),         File.join(target, ".travis.yml"),            opts)
+      end
       Bundler.ui.info "Initializating git repo in #{target}"
       Dir.chdir(target) { `git init`; `git add .` }
 
@@ -801,5 +831,12 @@ module Bundler
       message
     end
 
+    def pager_system
+      pager = ENV['PAGER'] || ENV['MANPAGER']
+      pager ||= 'less -R' if !(`which less` rescue '').empty?
+      pager ||= 'more' if !(`which more` rescue '').empty?
+      pager ||= 'cat'
+    end
+
   end
 end

data/lib/bundler/deployment.rb

@@ -21,7 +21,8 @@ module Bundler
           test group will not be installed. The install command is executed \
           with the --deployment and --quiet flags. If the bundle cmd cannot \
           be found then you can override the bundle_cmd variable to specifiy \
-          which one it should use.
+          which one it should use. The base path to the app is fetched from \
+          the :latest_release variable. Set it for custom deploy layouts.
 
           You can override any of these defaults by setting the variables shown below.
 

data/lib/bundler/deprecate.rb

@@ -12,4 +12,4 @@ module Bundler
     def Deprecate.skip_during; yield; end
   end
 
-end
+end

data/lib/bundler/dsl.rb

@@ -107,7 +107,10 @@ module Bundler
     def source(source, options = {})
       case source
       when :gemcutter, :rubygems, :rubyforge then
-        @rubygems_source.add_remote "http://rubygems.org"
+        Bundler.ui.warn "The source :#{source} is deprecated because HTTP " \
+          "requests are insecure.\nPlease change your source to 'https://" \
+          "rubygems.org' if possible, or 'http://rubygems.org' if not."
+        @rubygems_source.add_remote "https://rubygems.org"
         return
       when String
         @rubygems_source.add_remote source

data/lib/bundler/env.rb

@@ -53,4 +53,4 @@ module Bundler
     end
 
   end
-end
+end

data/lib/bundler/fetcher.rb

@@ -1,15 +1,24 @@
-require 'uri'
 require 'bundler/vendored_persistent'
-require 'openssl' if defined?(JRUBY_VERSION)
 
 module Bundler
+  # This is the error raised if OpenSSL fails the cert verification
+  class CertificateFailureError < HTTPError
+    def initialize(message = nil)
+      @message = message
+      @message ||= "\nCould not verify the SSL certificate for " \
+        "#{@remote_uri}. Either you don't have the CA certificates needed to " \
+        "verify it, or you are experiencing a man-in-the-middle attack. To " \
+        "connect without using SSL, edit your Gemfile sources to and change " \
+        "'https' to 'http'."
+    end
+  end
+
   # Handles all the fetching with the rubygems server
   class Fetcher
     REDIRECT_LIMIT = 5
     # how long to wait for each gemcutter API call
     API_TIMEOUT    = 10
-
-    attr_reader :has_api
+    class FallbackError < Bundler::HTTPError; end
 
     class << self
       attr_accessor :disable_endpoint
@@ -20,7 +29,7 @@ module Bundler
         spec, uri = @@spec_fetch_map[spec.full_name]
         if spec
           path = download_gem_from_uri(spec, uri)
-          s = Bundler.rubygems.spec_from_gem(path)
+          s = Bundler.rubygems.spec_from_gem(path, Bundler.settings["trust-policy"])
           spec.__swap__(s)
         end
       end
@@ -45,9 +54,12 @@ module Bundler
 
     def initialize(remote_uri)
       @remote_uri = remote_uri
-      @has_api    = true # will be set to false if the rubygems index is ever fetched
-      @@connection ||= Net::HTTP::Persistent.new nil, :ENV
-      @@connection.read_timeout = API_TIMEOUT
+      @public_uri = remote_uri.dup
+      @public_uri.user, @public_uri.password = nil, nil # don't print these
+      @connection ||= Net::HTTP::Persistent.new 'bundler', :ENV
+      @connection.read_timeout = API_TIMEOUT
+
+      Socket.do_not_reverse_lookup = true
     end
 
     # fetch a gem specification
@@ -65,35 +77,19 @@ module Bundler
     def specs(gem_names, source)
       index = Index.new
 
-      specs = nil
+      if gem_names && use_api
+        Bundler.ui.info "Fetching gem metadata from #{@public_uri}", Bundler.ui.debug?
+        specs = fetch_remote_specs(gem_names)
+        # new line now that the dots are over
+        Bundler.ui.info "" if specs && !Bundler.ui.debug?
+      end
 
-      if !gem_names || @remote_uri.scheme == "file" || Bundler::Fetcher.disable_endpoint
-        Bundler.ui.info "Fetching source index from #{strip_user_pass_from_uri(@remote_uri)}"
-        specs = fetch_all_remote_specs
-      else
-        Bundler.ui.info "Fetching gem metadata from #{strip_user_pass_from_uri(@remote_uri)}", Bundler.ui.debug?
-        begin
-          specs = fetch_remote_specs(gem_names)
-        # fall back to the legacy index in the following cases
-        # 1. Gemcutter Endpoint doesn't return a 200
-        # 2. Marshal blob doesn't load properly
-        # 3. One of the YAML gemspecs has the Syck::DefaultKey problem
-        rescue HTTPError, TypeError, GemspecError => e
-          # new line now that the dots are over
-          Bundler.ui.info "" unless Bundler.ui.debug?
-
-          if @remote_uri.to_s.include?("rubygems.org")
-            Bundler.ui.info "Error #{e.class} during request to dependency API"
-          end
-          Bundler.ui.debug e.message
-          Bundler.ui.debug e.backtrace
+      if specs.nil?
+        # API errors mean we should treat this as a non-API source
+        @use_api = false
 
-          Bundler.ui.info "Fetching full source index from #{strip_user_pass_from_uri(@remote_uri)}"
-          specs = fetch_all_remote_specs
-        else
-          # new line now that the dots are over
-          Bundler.ui.info "" unless Bundler.ui.debug?
-        end
+        Bundler.ui.info "Fetching source index from #{@public_uri}"
+        specs = fetch_all_remote_specs
       end
 
       specs[@remote_uri].each do |name, version, platform, dependencies|
@@ -110,6 +106,8 @@ module Bundler
       end
 
       index
+    rescue OpenSSL::SSL::SSLError
+      raise CertificateFailureError.new
     end
 
     # fetch index
@@ -129,6 +127,36 @@ module Bundler
       returned_gems = spec_list.map {|spec| spec.first }.uniq
 
       fetch_remote_specs(deps_list, full_dependency_list + returned_gems, spec_list + last_spec_list)
+    # fall back to the legacy index in the following cases
+    # 1. Gemcutter Endpoint doesn't return a 200
+    # 2,3. Marshal blob doesn't load properly
+    # 4. One of the YAML gemspecs has the Syck::DefaultKey problem
+    rescue HTTPError, ArgumentError, TypeError, GemspecError => e
+      @use_api = false
+
+      # new line now that the dots are over
+      Bundler.ui.info "" unless Bundler.ui.debug?
+
+      Bundler.ui.debug "Error during API request. #{e.class}: #{e.message}"
+      Bundler.ui.debug e.backtrace.join("  ")
+
+      return nil
+    end
+
+    def use_api
+      return @use_api if defined?(@use_api)
+
+      if @remote_uri.scheme == "file" || Bundler::Fetcher.disable_endpoint
+        @use_api = false
+      elsif fetch(dependency_api_uri)
+        @use_api = true
+      end
+    rescue HTTPError
+      @use_api = false
+    end
+
+    def inspect
+      "#<#{self.class}:0x#{object_id} uri=#{@public_uri.to_s}>"
     end
 
   private
@@ -138,7 +166,7 @@ module Bundler
 
       begin
         Bundler.ui.debug "Fetching from: #{uri}"
-        response = @@connection.request(uri)
+        response = @connection.request(uri)
       rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, Errno::ETIMEDOUT,
              EOFError, SocketError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError,
              Errno::EAGAIN, Net::HTTP::Persistent::Error, Net::ProtocolError
@@ -149,24 +177,31 @@ module Bundler
       when Net::HTTPRedirection
         Bundler.ui.debug("HTTP Redirection")
         new_uri = URI.parse(response["location"])
-        new_uri.user = uri.user
-        new_uri.password = uri.password
+        if new_uri.host == uri.host
+          new_uri.user = uri.user
+          new_uri.password = uri.password
+        end
         fetch(new_uri, counter + 1)
       when Net::HTTPSuccess
         Bundler.ui.debug("HTTP Success")
         response.body
+      when Net::HTTPRequestEntityTooLarge
+        raise FallbackError, response.body
       else
-        Bundler.ui.debug("HTTP Error")
-        raise HTTPError, "Don't know how to process #{response.class}"
+        raise HTTPError, "#{response.class}: #{response.body}"
       end
     end
 
+    def dependency_api_uri(gem_names = [])
+      url = "#{@remote_uri}api/v1/dependencies"
+      url << "?gems=#{URI.encode(gem_names.join(","))}" if gem_names.any?
+      URI.parse(url)
+    end
+
     # fetch from Gemcutter Dependency Endpoint API
     def fetch_dependency_remote_specs(gem_names)
-      Bundler.ui.debug "Query Gemcutter Dependency Endpoint API: #{gem_names.join(' ')}"
-      encoded_gem_names = URI.encode(gem_names.join(","))
-      uri = URI.parse("#{@remote_uri}api/v1/dependencies?gems=#{encoded_gem_names}")
-      marshalled_deps = fetch(uri)
+      Bundler.ui.debug "Query Gemcutter Dependency Endpoint API: #{gem_names.join(',')}"
+      marshalled_deps = fetch dependency_api_uri(gem_names)
       gem_list = Marshal.load(marshalled_deps)
       deps_list = []
 
@@ -200,22 +235,15 @@ module Bundler
 
     # fetch from modern index: specs.4.8.gz
     def fetch_all_remote_specs
-      @has_api = false
       Bundler.rubygems.sources = ["#{@remote_uri}"]
-
-      begin
-        Bundler.rubygems.fetch_all_remote_specs
-      rescue Gem::RemoteFetcher::FetchError
-        raise HTTPError, "Could not reach #{strip_user_pass_from_uri(@remote_uri)}"
+      Bundler.rubygems.fetch_all_remote_specs
+    rescue Gem::RemoteFetcher::FetchError => e
+      if e.message.match("certificate verify failed")
+        raise CertificateFailureError.new
+      else
+        raise HTTPError, "Could not fetch specs from #{@public_uri}"
       end
     end
 
-    def strip_user_pass_from_uri(uri)
-      uri_dup = uri.dup
-      uri_dup.user = "****" if uri_dup.user
-      uri_dup.password = "****" if uri_dup.password
-
-      uri_dup
-    end
   end
 end