mini_portile2 2.2.0.rc1 → 2.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7085b002833202ee7455beb829f9fb787bca8129
-  data.tar.gz: 097a89cc3ffe2a742947a3310c284d518ab8a9f6
+SHA256:
+  metadata.gz: 1f30e371678c82b2de1219ec842fa298bf1e6acc47b2f210ebfda77939aed190
+  data.tar.gz: 7ac927dc6453bf1532db4e55677cebefa115b17fffc43358ef68b8d80c967210
 SHA512:
-  metadata.gz: 033fb41be5b3c882e6a02eb806695a22db54ce2b8ef2253b9475822f4bb5764157d411cb2a2da143da8c10ca887e65fc85a0dd60c741867d700ce07afa688e20
-  data.tar.gz: 6b0df87be823d602b38508a924f85de1d1923840d184484bddb7ccf05542e8d9895919593c6e8870c5515b320ddd640aec5f20470ad1b19dd348ff28f1605fac
+  metadata.gz: df62e128fdb0a950c7f6eb45ba97bdab7793b6e8b6e4a139dd5fe93913bffee194a5505114dfe421f6d64efb25ad17215eb8f1ecd8fdc1d40969aa2b888bebee
+  data.tar.gz: c05f9262bdbb32fcdcda598c8ae0f16962219f39306ae9d4433b1e13af6e2c2ec181c33864ee99284ebe5f82828940ce3d96a9bb9a4ce00947ab56b7d3699252

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+tidelift: "rubygems/mini_portile2"

data/.github/workflows/ci.yml

@@ -0,0 +1,62 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize]
+    branches: [main]
+  schedule:
+    - cron: "0 8 * * 5" # At 08:00 on Friday # https://crontab.guru/#0_8_*_*_5
+  workflow_dispatch:
+
+jobs:
+  test-unit:
+    env:
+      MAKEFLAGS: -j2
+    strategy:
+      matrix:
+        platform: [ubuntu-latest, windows-latest]
+        ruby: ["2.5", "2.6", "2.7", "3.0"]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: configure git crlf on windows
+        if: matrix.platform == 'windows-latest'
+        run: |
+          git config --system core.autocrlf false
+          git config --system core.eol lf
+      - uses: actions/checkout@v2
+      - uses: MSP-Greg/setup-ruby-pkgs@v1
+        with:
+          apt-get: _update_ build-essential cmake
+          mingw: _upgrade_ cmake
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - run: bundle exec rake test:unit
+
+  test-examples:
+    env:
+      MAKEFLAGS: -j2
+    strategy:
+      matrix:
+        platform: [ubuntu-latest, windows-latest]
+        ruby: ["3.0"]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: configure git crlf on windows
+        if: matrix.platform == 'windows-latest'
+        run: |
+          git config --system core.autocrlf false
+          git config --system core.eol lf
+      - uses: actions/checkout@v2
+      - uses: MSP-Greg/setup-ruby-pkgs@v1
+        with:
+          apt-get: _update_ build-essential cmake
+          mingw: _upgrade_ cmake
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - uses: actions/cache@v2
+        with:
+          path: examples/ports/archives
+          key: ${{ matrix.platform }}-examples-${{ hashFiles('examples/Rakefile') }}
+      - run: bundle exec rake test:examples

data/.gitignore

@@ -1,5 +1,5 @@
-pkg
-tmp
-Gemfile.lock
 .bundle
+Gemfile.lock
+pkg
 ports
+tmp

data/CHANGELOG.md

@@ -1,8 +1,49 @@
-### 2.2.0.rc1 / 2016-03-08
+## mini_portile changelog
+
+### 2.5.1 / 2021-04-28
+
+#### Dependencies
+
+This release ends support for ruby < 2.3.0. If you're on 2.2.x or earlier, we strongly suggest that you find the time to upgrade, because [official support for Ruby 2.2 ended on 2018-03-31](https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/).
+
+#### Enhancements
+
+* `MiniPortile.execute` now takes an optional `:env` hash, which is merged into the environment variables for the subprocess. Likely this is only useful for specialized use cases. [#99]
+* Experimental support for cmake-based projects extended to Windows. (Thanks, @larskanis!)
+
+
+### 2.5.0 / 2020-02-24
+
+#### Enhancements
+
+* When verifying GPG signatures, remove all imported pubkeys from keyring [#90] (Thanks, @hanazuki!)
+    
+
+### 2.4.0 / 2018-12-02
+
+#### Enhancements
+
+* Skip progress report when Content-Length is unavailable. [#85] (Thanks, @eagletmt!)
+
+
+### 2.3.0 / 2017-09-13
+
+#### Enhancements
+
+* Verify checksums of files at extraction time (in addition to at download time). (#56)
+* Clarify error message if a `tar` command can't be found. (#81)
+
+
+### 2.2.0 / 2017-06-04
 
 #### Enhancements
 
-* Add experimental support for cmake-based projects
+* Remove MD5 hashing of configure options, not avialbale in FIPS mode. (#78)
+* Add experimental support for cmake-based projects.
+* Retry on HTTP failures during downloads. [#63] (Thanks, @jtarchie and @jvshahid!)
+* Support Ruby 2.4 frozen string literals.
+* Support applying patches for users with misconfigured git worktree. [#69]
+* Support gpg signature verification of download resources.
 
 
 ### 2.1.0 / 2016-01-06

data/README.md

@@ -5,8 +5,8 @@ renamed to `mini_portile2`. For mini_portile versions 0.6.x and
 previous, please visit
 [the v0.6.x branch](https://github.com/flavorjones/mini_portile/tree/v0.6.x).
 
-[![travis status](https://travis-ci.org/flavorjones/mini_portile.svg?branch=master)](https://travis-ci.org/flavorjones/mini_portile?branch=master)
-[![appveyor status](https://ci.appveyor.com/api/projects/status/509669xx1qlhqqab/branch/master?svg=true)](https://ci.appveyor.com/project/flavorjones/mini-portile/branch/master)
+[![Continuous Integration](https://github.com/flavorjones/mini_portile/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/mini_portile/actions/workflows/ci.yml)
+[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/mini_portile2)](https://tidelift.com/subscription/pkg/rubygems-mini.portile2?utm_source=undefined&utm_medium=referral&utm_campaign=readme)
 
 * Documentation: http://www.rubydoc.info/github/flavorjones/mini_portile
 * Source Code: https://github.com/flavorjones/mini_portile
@@ -147,7 +147,7 @@ task :libiconv do
   recipe = MiniPortile.new("libiconv", "1.13.1")
   recipe.files << {
     url: "http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz"],
-    md5: "7ab33ebd26687c744a37264a330bbe9a"
+    sha256: "55a36168306089009d054ccdd9d013041bfc3ab26be7033d107821f1c4949a49"
   }
   checkpoint = ".#{recipe.name}-#{recipe.version}.installed"
 
@@ -174,6 +174,45 @@ The above example will:
 As an exercise for the reader, you could specify the libiconv version
 in an environment variable or a configuration file.
 
+### Download verification
+MiniPortile supports HTTPS, HTTP, FTP and FILE sources for download.
+The integrity of the downloaded file can be verified per hash value or PGP signature.
+This is particular important for untrusted sources (non-HTTPS).
+
+#### Hash digest verification
+MiniPortile can verify the integrity of the downloaded file per SHA256, SHA1 or MD5 hash digest.
+
+```ruby
+  recipe.files << {
+    url: "http://your.host/file.tar.bz2",
+    sha256: "<32 byte hex value>",
+  }
+```
+
+#### PGP signature verification
+MiniPortile can also verify the integrity of the downloaded file per PGP signature.
+
+```ruby
+  public_key = <<-EOT
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Version: GnuPG v1
+
+    mQENBE7SKu8BCADQo6x4ZQfAcPlJMLmL8zBEBUS6GyKMMMDtrTh3Yaq481HB54oR
+    [...]
+    -----END PGP PUBLIC KEY BLOCK-----
+  EOT
+
+  recipe.files << {
+    url: "http://your.host/file.tar.bz2",
+    gpg: {
+      key: public_key,
+      signature_url: "http://your.host/file.tar.bz2.sig"
+    }
+  }
+```
+
+Please note, that the `gpg` executable is required to verify the signature.
+It is therefore recommended to use the hash verification method instead of PGP, when used in `extconf.rb` while `gem install`.
 
 ### Native and/or Cross Compilation
 
@@ -201,6 +240,22 @@ toolchain. This has been tested against Ubuntu, OSX and even Windows
 (RubyInstaller with DevKit)
 
 
+## Support
+
+The bug tracker is available here:
+
+* https://github.com/flavorjones/mini_portile/issues
+
+Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
+
+  [tidelift]: https://tidelift.com/subscription/pkg/rubygems-mini.portile2?utm_source=rubygems-mini.portile2&utm_medium=referral&utm_campaign=enterprise
+
+
+## Security
+
+See [`SECURITY.md`](SECURITY.md) for vulnerability reporting details.
+
+
 ## License
 
 This library is licensed under MIT license. Please see LICENSE.txt for details.

data/Rakefile

@@ -1,10 +1,10 @@
 require "rake/clean"
-require 'bundler/gem_tasks'
+require "bundler/gem_tasks"
 
 namespace :test do
   desc "Test MiniPortile by running unit tests"
   task :unit do
-    sh "ruby -w -W2 -I. -Ilib -e \"#{Dir["test/test_*.rb"].map{|f| "require '#{f}';"}.join}\" -- -v"
+    sh "ruby -w -W2 -I. -Ilib -e \"#{Dir["test/test_*.rb"].map { |f| "require '#{f}';" }.join}\" -- #{ENV["TESTOPTS"]} -v"
   end
 
   desc "Test MiniPortile by compiling examples"

data/SECURITY.md

@@ -0,0 +1,13 @@
+# Security and Vulnerability Reporting
+
+The mini_portile core contributors take security very seriously and investigate all reported vulnerabilities.
+
+If you would like to report a vulnerablity or have a security concern regarding mini_portile, please [report it via Tidelift](https://tidelift.com/security).
+
+Your report will be acknowledged within 48 hours, and you'll receive a more detailed response within 96 hours indicating next steps in handling your report.
+
+If you have not received a reply to your submission within 96 hours, Contact the current security coordinator, Mike Dalessio <mike.dalessio@gmail.com>.
+
+The information you share with the mini_portile core contributors as part of this process will be kept confidential within the team, unless or until we need to share information upstream with our dependent libraries' core teams, at which point we will notify you.
+
+If a vulnerability is first reported by you, we will credit you with the discovery in the public disclosure.

data/lib/mini_portile2/mini_portile.rb

@@ -4,7 +4,7 @@ require 'net/https'
 require 'net/ftp'
 require 'fileutils'
 require 'tempfile'
-require 'digest/md5'
+require 'digest'
 require 'open-uri'
 require 'cgi'
 require 'rbconfig'
@@ -34,7 +34,17 @@ class MiniPortile
   attr_accessor :host, :files, :patch_files, :target, :logger
 
   def self.windows?
-    RbConfig::CONFIG['target_os'] =~ /mswin|mingw32/
+    RbConfig::CONFIG['target_os'] =~ /mswin|mingw/
+  end
+
+  # GNU MinGW compiled Ruby?
+  def self.mingw?
+    RbConfig::CONFIG['target_os'] =~ /mingw/
+  end
+
+  # MS Visual-C compiled Ruby?
+  def self.mswin?
+    RbConfig::CONFIG['target_os'] =~ /mswin/
   end
 
   def initialize(name, version)
@@ -58,6 +68,7 @@ class MiniPortile
 
   def extract
     files_hashs.each do |file|
+      verify_file(file)
       extract_file(file[:local_path], tmp_path)
     end
   end
@@ -72,7 +83,7 @@ class MiniPortile
           message "Running git apply with #{file}... "
           # By --work-tree=. git-apply uses the current directory as
           # the project root and will not search upwards for .git.
-          execute('patch', ["git", "--work-tree=.", "apply", "--whitespace=warn", file], :initial_message => false)
+          execute('patch', ["git", "--git-dir=.", "--work-tree=.", "apply", "--whitespace=warn", file], :initial_message => false)
         }
       when which('patch')
         lambda { |file|
@@ -99,9 +110,8 @@ class MiniPortile
   def configure
     return if configured?
 
-    md5_file = File.join(tmp_path, 'configure.md5')
-    digest   = Digest::MD5.hexdigest(computed_options.to_s)
-    File.open(md5_file, "w") { |f| f.write digest }
+    cache_file = File.join(tmp_path, 'configure.options_cache')
+    File.open(cache_file, "w") { |f| f.write computed_options.to_s }
 
     if RUBY_PLATFORM=~/mingw|mswin/
       # Windows doesn't recognize the shebang.
@@ -131,12 +141,12 @@ class MiniPortile
   def configured?
     configure = File.join(work_path, 'configure')
     makefile  = File.join(work_path, 'Makefile')
-    md5_file  = File.join(tmp_path, 'configure.md5')
+    cache_file  = File.join(tmp_path, 'configure.options_cache')
 
-    stored_md5  = File.exist?(md5_file) ? File.read(md5_file) : ""
-    current_md5 = Digest::MD5.hexdigest(computed_options.to_s)
+    stored_options  = File.exist?(cache_file) ? File.read(cache_file) : ""
+    current_options = computed_options.to_s
 
-    (current_md5 == stored_md5) && newer?(makefile, configure)
+    (current_options == stored_options) && newer?(makefile, configure)
   end
 
   def installed?
@@ -251,16 +261,50 @@ private
     end
   end
 
+  KEYRING_NAME = "mini_portile_keyring.gpg"
+
   def verify_file(file)
-    digest = case
-      when exp=file[:sha256] then Digest::SHA256
-      when exp=file[:sha1] then Digest::SHA1
-      when exp=file[:md5] then Digest::MD5
-    end
-    if digest
-      is = digest.file(file[:local_path]).hexdigest
-      unless is == exp.downcase
-        raise "Downloaded file '#{file[:local_path]}' has wrong hash: expected: #{exp} is: #{is}"
+    if file.has_key?(:gpg)
+      gpg = file[:gpg]
+
+      signature_url = gpg[:signature_url] || "#{file[:url]}.asc"
+      signature_file = file[:local_path] + ".asc"
+      # download the signature file
+      download_file(signature_url, signature_file)
+
+      gpg_exe = which('gpg2') || which('gpg') || raise("Neither GPG nor GPG2 is installed")
+
+      # import the key into our own keyring
+      gpg_status = IO.popen([gpg_exe, "--status-fd", "1", "--no-default-keyring", "--keyring", KEYRING_NAME, "--import"], "w+") do |io|
+        io.write gpg[:key]
+        io.close_write
+        io.read
+      end
+      key_ids = gpg_status.scan(/\[GNUPG:\] IMPORT_OK \d+ (?<key_id>[0-9a-f]+)/i).map(&:first)
+      raise "invalid gpg key provided" if key_ids.empty?
+
+      # verify the signature against our keyring
+      gpg_status = IO.popen([gpg_exe, "--status-fd", "1", "--no-default-keyring", "--keyring", KEYRING_NAME, "--verify", signature_file, file[:local_path]], &:read)
+
+      # remove the key from our keyring
+      key_ids.each do |key_id|
+        IO.popen([gpg_exe, "--batch", "--yes", "--no-default-keyring", "--keyring", KEYRING_NAME, "--delete-keys", key_id], &:read)
+        raise "unable to delete the imported key" unless $?.exitstatus==0
+      end
+
+      raise "signature mismatch" unless gpg_status.match(/^\[GNUPG:\] VALIDSIG/)
+
+    else
+      digest = case
+        when exp=file[:sha256] then Digest::SHA256
+        when exp=file[:sha1] then Digest::SHA1
+        when exp=file[:md5] then Digest::MD5
+      end
+      if digest
+        is = digest.file(file[:local_path]).hexdigest
+        unless is == exp.downcase
+          raise "Downloaded file '#{file[:local_path]}' has wrong hash: expected: #{exp} is: #{is}"
+        end
       end
     end
   end
@@ -272,11 +316,12 @@ private
       }
   end
 
+  TAR_EXECUTABLES = %w[gtar bsdtar tar basic-bsdtar]
   def tar_exe
     @@tar_exe ||= begin
-      %w[gtar bsdtar tar basic-bsdtar].find { |c|
+      TAR_EXECUTABLES.find { |c|
         which(c)
-      }
+      } or raise("tar not found - please make sure that one of the following commands is in the PATH: #{TAR_EXECUTABLES.join(", ")}")
     end
   end
 
@@ -335,24 +380,36 @@ private
     execute('extract', [tar_exe, "#{tar_compression_switch(filename)}xf", file, "-C", target], {:cd => Dir.pwd, :initial_message => false})
   end
 
-  def execute(action, command, options={})
-    log_out    = log_file(action)
+  # command could be an array of args, or one string containing a command passed to the shell. See
+  # Process.spawn for more information.
+  def execute(action, command, command_opts={})
+    opt_message = command_opts.fetch(:initial_message, true)
+    opt_debug =   command_opts.fetch(:debug, false)
+    opt_cd =      command_opts.fetch(:cd) { work_path }
+    opt_env =     command_opts.fetch(:env) { Hash.new }
 
-    Dir.chdir (options.fetch(:cd){ work_path }) do
-      if options.fetch(:initial_message){ true }
-        message "Running '#{action}' for #{@name} #{@version}... "
-      end
+    log_out = log_file(action)
+
+    Dir.chdir(opt_cd) do
+      output "DEBUG: env is #{opt_env.inspect}" if opt_debug
+      output "DEBUG: command is #{command.inspect}" if opt_debug
+      message "Running '#{action}' for #{@name} #{@version}... " if opt_message
 
       if Process.respond_to?(:spawn) && ! RbConfig.respond_to?(:java)
-        args = [command].flatten + [{[:out, :err]=>[log_out, "a"]}]
+        options = {[:out, :err]=>[log_out, "a"]}
+        output "DEBUG: options are #{options.inspect}" if opt_debug
+        args = [opt_env, command, options].flatten
         pid = spawn(*args)
         Process.wait(pid)
       else
-        redirected = if command.kind_of?(Array)
-                       %Q{#{command.map(&:shellescape).join(" ")} > #{log_out.shellescape} 2>&1}
-                     else
-                       %Q{#{command} > #{log_out.shellescape} 2>&1}
-                     end
+        env_args = opt_env.map { |k,v| "#{k}=#{v}".shellescape }.join(" ")
+        c = if command.kind_of?(Array)
+              command.map(&:shellescape).join(" ")
+            else
+              command
+            end
+        redirected = %Q{env #{env_args} #{c} > #{log_out.shellescape} 2>&1}
+        output "DEBUG: final command is #{redirected.inspect}" if opt_debug
         system redirected
       end
 
@@ -422,9 +479,14 @@ private
         "Accept-Encoding" => 'identity',
         :content_length_proc => lambda{|length| total = length },
         :progress_proc => lambda{|bytes|
-          new_progress = (bytes * 100) / total
-          message "\rDownloading %s (%3d%%) " % [filename, new_progress]
-          progress = new_progress
+          if total
+            new_progress = (bytes * 100) / total
+            message "\rDownloading %s (%3d%%) " % [filename, new_progress]
+            progress = new_progress
+          else
+            # Content-Length is unavailable because Transfer-Encoding is chunked
+            message "\rDownloading %s " % [filename]
+          end
         }
       }
       proxy_uri = URI.parse(url).scheme.downcase == 'https' ?
@@ -438,6 +500,7 @@ private
             [proxy_uri, proxy_user, proxy_pass]
         end
       end
+
       begin
         OpenURI.open_uri(url, 'rb', params) do |io|
           temp_file << io.read
@@ -446,8 +509,15 @@ private
       rescue OpenURI::HTTPRedirect => redirect
         raise "Too many redirections for the original URL, halting." if count <= 0
         count = count - 1
-        return download_file(redirect.url, full_path, count - 1)
+        return download_file(redirect.url, full_path, count-1)
       rescue => e
+        count = count - 1
+        puts "#{count} retrie(s) left for #{filename}"
+        if count > 0
+          sleep 1
+          return download_file_http(url, full_path, count)
+        end
+
         output e.message
         return false
       end