rubygems-update 3.0.4 → 3.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3dcbed60214cfd0ed97ed7fce1d0c9e9a1298a823a26fcd2b75326d711ff299d
-  data.tar.gz: 6dd6fabe834fd5fc81dfa7bb55f874a6d182123a8d0e396fe7dd57cacee5e379
+  metadata.gz: 5841a757f2af5f047fd0da572963997ffd46bfc18fc22d6d1356ce29ab7fcfd9
+  data.tar.gz: 6b933f8b2706cf2ad447769a932971c6d32d56fc76ad3a840879e240f10fb6a7
 SHA512:
-  metadata.gz: ef072a34d1765edd4f67b83a19efbc691e2f4c4dac6c8fda9004dbb2a771f550aa7b8a61dd301a477310f9e3987c642c8c49e8d417abd1e4bffbe7dd1a485499
-  data.tar.gz: e30274bbce496312bcb34f45cce2d7f7c2f6916095f67de538ccb9429b197f402d75c9c3090472dea3d2481760632466c20c513890f3d924e671ff4df77b0982
+  metadata.gz: d3aa3c4d54466215f5e335789651920860379d22ec38a254a5dffc520b71b659708fda86c8a635c93f83b722fa2baaf9909224bbe18c066a57ae5e4f753d2455
+  data.tar.gz: 2999d7ec4984243c1112017c05533c5881a58c4224078397e40c8da08af3bf6ede8ac45686602c937645969c30b865a9be3f6b7608c6b7a34c3c2aa935458268

data/History.txt

@@ -1,5 +1,58 @@
 # coding: UTF-8
 
+=== 3.0.5 / 2019-08-16
+
+Minor enhancements:
+
+* Use env var to configure api key on push. Pull request #2559 by Luis
+  Sagastume.
+* Unswallow uninstall error. Pull request #2707 by David Rodríguez.
+* Expose windows path normalization utility. Pull request #2767 by David
+  Rodríguez.
+* Clean which command. Pull request #2801 by Luis Sagastume.
+* Upgrading S3 source signature to AWS SigV4. Pull request #2807 by
+  Alexander Pakulov.
+* Remove missleading comment, no reason to move Gem.host to Gem::Util.
+  Pull request #2811 by Luis Sagastume.
+* Drop support for 'gem env packageversion'. Pull request #2813 by Luis
+  Sagastume.
+* Take into account just git tracked files in update_manifest rake task.
+  Pull request #2816 by Luis Sagastume.
+* Remove TODO comment, there's no Gem::Dirs constant. Pull request #2819
+  by Luis Sagastume.
+* Remove unused 'raise' from test_case. Pull request #2820 by Luis
+  Sagastume.
+* Move TODO comment to an information comment. Pull request #2821 by Luis
+  Sagastume.
+* Use File#open instead of Kernel#open in stub_specification.rb. Pull
+  request #2834 by Luis Sagastume.
+* Make error code a gemcutter_utilities a constant. Pull request #2844 by
+  Luis Sagastume.
+* Remove FIXME comment related to PathSupport. Pull request #2854 by Luis
+  Sagastume.
+* Use gsub with Hash. Pull request #2860 by Kazuhiro NISHIYAMA.
+* Use the standard RUBY_ENGINE_VERSION instead of JRUBY_VERSION. Pull
+  request #2864 by Benoit Daloze.
+* Do not mutate uri.query during s3 signature creation. Pull request #2874
+  by Alexander Pakulov.
+* Fixup #2844. Pull request #2878 by SHIBATA Hiroshi.
+
+Bug fixes:
+
+* Fix intermittent test error on Appveyor & Travis. Pull request #2568 by
+  MSP-Greg.
+* Extend timeout on assert_self_install_permissions. Pull request #2605 by
+  SHIBATA Hiroshi.
+* Better folder assertions. Pull request #2644 by David Rodríguez.
+* Fix default gem executable installation when folder is not `bin/`. Pull
+  request #2649 by David Rodríguez.
+* Fix gem uninstall behavior. Pull request #2663 by Luis Sagastume.
+* Fix for large values in UID/GID fields in tar archives. Pull request
+  #2780 by Alexey Shein.
+* Fixed task order for release. Pull request #2792 by SHIBATA Hiroshi.
+* Ignore GEMRC variable for test suite. Pull request #2837 by SHIBATA
+  Hiroshi.
+
 === 3.0.4 / 2019-06-14
 
 Minor enhancements:

data/Manifest.txt

@@ -307,7 +307,6 @@ lib/rubygems/commands/unpack_command.rb
 lib/rubygems/commands/update_command.rb
 lib/rubygems/commands/which_command.rb
 lib/rubygems/commands/yank_command.rb
-lib/rubygems/compatibility.rb
 lib/rubygems/config_file.rb
 lib/rubygems/core_ext/kernel_gem.rb
 lib/rubygems/core_ext/kernel_require.rb
@@ -413,6 +412,7 @@ lib/rubygems/resolver/specification.rb
 lib/rubygems/resolver/stats.rb
 lib/rubygems/resolver/vendor_set.rb
 lib/rubygems/resolver/vendor_specification.rb
+lib/rubygems/s3_uri_signer.rb
 lib/rubygems/safe_yaml.rb
 lib/rubygems/security.rb
 lib/rubygems/security/policies.rb
@@ -639,7 +639,9 @@ test/rubygems/wrong_key_cert.pem
 test/rubygems/wrong_key_cert_32.pem
 util/CL2notes
 util/ci
+util/cops/deprecations.rb
 util/create_certs.rb
+util/create_certs.sh
 util/create_encrypted_key.rb
 util/generate_spdx_license_list.rb
 util/patch_with_prs.rb

data/Rakefile

@@ -79,7 +79,7 @@ end
 # --------------------------------------------------------------------
 # Creating a release
 
-task :prerelease => %w[clobber test bundler:build_metadata check_deprecations package]
+task :prerelease => %w[clobber test bundler:build_metadata check_deprecations]
 task :postrelease => %w[bundler:build_metadata:clean upload guides:publish blog:publish]
 
 desc "Check for deprecated methods with expired deprecation horizon"
@@ -93,9 +93,10 @@ end
 
 desc "Release rubygems-#{v}"
 task :release => :prerelease do
+  Rake::Task["package"].invoke
   sh "gem push pkg/rubygems-update-#{v}.gem"
+  Rake::Task["postrelease"].invoke
 end
-Rake::Task["release"].enhance(["postrelease"])
 
 Gem::PackageTask.new(spec) {}
 
@@ -362,9 +363,10 @@ end
 desc "Update the manifest to reflect what's on disk"
 task :update_manifest do
   files = []
-  require 'find'
-  exclude = %r[/\/tmp\/|\/pkg\/|CVS|\.DS_Store|\/doc\/|\/coverage\/|\.svn|\.git|TAGS|extconf.h|\.bundle$|\.o$|\.log$/|\./bundler/(?!lib|man|exe|[^/]+\.md|bundler.gemspec)]ox
-  Find.find(".") do |path|
+  exclude = %r[\.git|\./bundler/(?!lib|man|exe|[^/]+\.md|bundler.gemspec)]ox
+  tracked_files = `git ls-files --recurse-submodules`.split("\n").map {|f| "./#{f}" }
+
+  tracked_files.each do |path|
     next unless File.file?(path)
     next if path =~ exclude
     files << path[2..-1]

data/bundler/lib/bundler/build_metadata.rb

@@ -4,7 +4,7 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2019-06-14".freeze
+    @built_at = "2019-08-16".freeze
     @git_commit_sha = "d7089abb6".freeze
     @release = false
     # end ivars

data/lib/rubygems.rb

@@ -9,7 +9,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = "3.0.4".freeze
+  VERSION = "3.0.5".freeze
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -568,8 +568,6 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
   #++
   #--
   #
-  # FIXME move to pathsupport
-  #
   #++
 
   def self.find_home
@@ -642,14 +640,12 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
   # <tt>https://rubygems.org</tt>.
 
   def self.host
-    # TODO: move to utils
     @host ||= Gem::DEFAULT_HOST
   end
 
   ## Set the default RubyGems API host.
 
   def self.host=(host)
-    # TODO: move to utils
     @host = host
   end
 
@@ -1377,14 +1373,12 @@ begin
 rescue LoadError
 end
 
-if defined?(RUBY_ENGINE)
-  begin
-    ##
-    # Defaults the Ruby implementation wants to provide for RubyGems
+begin
+  ##
+  # Defaults the Ruby implementation wants to provide for RubyGems
 
-    require "rubygems/defaults/#{RUBY_ENGINE}"
-  rescue LoadError
-  end
+  require "rubygems/defaults/#{RUBY_ENGINE}"
+rescue LoadError
 end
 
 ##

data/lib/rubygems/commands/environment_command.rb

@@ -9,7 +9,6 @@ class Gem::Commands::EnvironmentCommand < Gem::Command
 
   def arguments # :nodoc:
     args = <<-EOF
-          packageversion  display the package version
           gemdir          display the path where gems are installed
           gempath         display path used to search for gems
           version         display the gem format version
@@ -76,8 +75,6 @@ lib/rubygems/defaults/operating_system.rb
     arg = options[:args][0]
     out <<
       case arg
-      when /^packageversion/ then
-        Gem::RubyGemsPackageVersion
       when /^version/ then
         Gem::VERSION
       when /^gemdir/, /^gemhome/, /^home/, /^GEM_HOME/ then

data/lib/rubygems/commands/push_command.rb

@@ -15,6 +15,8 @@ https://rubygems.org) and adds it to the index.
 
 The gem can be removed from the index and deleted from the server using the yank
 command.  For further discussion see the help for the yank command.
+
+The push command will use ~/.gem/credentials to authenticate to a server, but you can use the RubyGems environment variable GEM_HOST_API_KEY to set the api key to authenticate.
     EOF
   end
 

data/lib/rubygems/commands/uninstall_command.rb

@@ -148,10 +148,13 @@ that is a dependency of an existing gem.  You can use the
 
   def uninstall_specific
     deplist = Gem::DependencyList.new
+    original_gem_version = {}
 
     get_all_gem_names_and_versions.each do |name, version|
-      requirement = Array(version || options[:version])
-      gem_specs = Gem::Specification.find_all_by_name(name, *requirement)
+      original_gem_version[name] = version || options[:version]
+
+      gem_specs = Gem::Specification.find_all_by_name(name, original_gem_version[name])
+
       say("Gem '#{name}' is not installed") if gem_specs.empty?
       gem_specs.each do |spec|
         deplist.add spec
@@ -160,16 +163,23 @@ that is a dependency of an existing gem.  You can use the
 
     deps = deplist.strongly_connected_components.flatten.reverse
 
+    gems_to_uninstall = {}
+
     deps.each do |dep|
-      options[:version] = dep.version
-      uninstall_gem(dep.name)
+      unless gems_to_uninstall[dep.name]
+        gems_to_uninstall[dep.name] = true
+
+        unless original_gem_version[dep.name] == Gem::Requirement.default
+          options[:version] = dep.version
+        end
+
+        uninstall_gem(dep.name)
+      end
     end
   end
 
   def uninstall_gem(gem_name)
     uninstall(gem_name)
-  rescue Gem::InstallError
-    nil
   rescue Gem::GemNotInHomeException => e
     spec = e.spec
     alert("In order to remove #{spec.name}, please execute:\n" +

data/lib/rubygems/commands/which_command.rb

@@ -52,13 +52,11 @@ requiring to see why it does not behave as you expect.
         end
       end
 
-      # TODO: this is totally redundant and stupid
       paths = find_paths arg, dirs
 
       if paths.empty?
         alert_error "Can't find Ruby library file or shared library #{arg}"
-
-        found &&= false
+        found = false
       else
         say paths
       end

data/lib/rubygems/defaults.rb

@@ -122,15 +122,8 @@ module Gem
     end
   end
 
-  ##
-  # A wrapper around RUBY_ENGINE const that may not be defined
-
   def self.ruby_engine
-    if defined? RUBY_ENGINE
-      RUBY_ENGINE
-    else
-      'ruby'
-    end
+    RUBY_ENGINE
   end
 
   ##

data/lib/rubygems/dependency_installer.rb

@@ -213,9 +213,8 @@ class Gem::DependencyInstaller
 
     if consider_remote?
       begin
-        # TODO this is pulled from #spec_for_dependency to allow
+        # This is pulled from #spec_for_dependency to allow
         # us to filter tuples before fetching specs.
-        #
         tuples, errors = Gem::SpecFetcher.fetcher.search_for_dependency dep
 
         if best_only && !tuples.empty?

data/lib/rubygems/exceptions.rb

@@ -1,8 +1,4 @@
 # frozen_string_literal: true
-# TODO: the documentation in here is terrible.
-#
-# Each exception needs a brief description and the scenarios where it is
-# likely to be raised
 
 require 'rubygems/deprecate'
 

data/lib/rubygems/gemcutter_utilities.rb

@@ -7,6 +7,8 @@ require 'rubygems/text'
 
 module Gem::GemcutterUtilities
 
+  ERROR_CODE = 1
+
   include Gem::Text
 
   # TODO: move to Gem::Command
@@ -41,7 +43,9 @@ module Gem::GemcutterUtilities
   # The API key from the command options or from the user's configuration.
 
   def api_key
-    if options[:key]
+    if ENV["GEM_HOST_API_KEY"]
+      ENV["GEM_HOST_API_KEY"]
+    elsif options[:key]
       verify_api_key options[:key]
     elsif Gem.configuration.api_keys.key?(host)
       Gem.configuration.api_keys[host]
@@ -79,7 +83,7 @@ module Gem::GemcutterUtilities
     self.host = host if host
     unless self.host
       alert_error "You must specify a gem server"
-      terminate_interaction 1 # TODO: question this
+      terminate_interaction(ERROR_CODE)
     end
 
     if allowed_push_host
@@ -88,7 +92,7 @@ module Gem::GemcutterUtilities
 
       unless (host_uri.scheme == allowed_host_uri.scheme) && (host_uri.host == allowed_host_uri.host)
         alert_error "#{self.host.inspect} is not allowed by the gemspec, which only allows #{allowed_push_host.inspect}"
-        terminate_interaction 1
+        terminate_interaction(ERROR_CODE)
       end
     end
 
@@ -148,7 +152,7 @@ module Gem::GemcutterUtilities
       Gem.configuration.api_keys[key]
     else
       alert_error "No such API key. Please add it to your configuration (done automatically on initial `gem push`)."
-      terminate_interaction 1 # TODO: question this
+      terminate_interaction(ERROR_CODE)
     end
   end
 
@@ -172,7 +176,7 @@ module Gem::GemcutterUtilities
       message = "#{error_prefix}: #{message}" if error_prefix
 
       say clean_text(message)
-      terminate_interaction 1 # TODO: question this
+      terminate_interaction(ERROR_CODE)
     end
   end
 

data/lib/rubygems/installer.rb

@@ -857,7 +857,7 @@ TEXT
   # without the full gem installed.
 
   def extract_bin
-    @package.extract_files gem_dir, "bin/*"
+    @package.extract_files gem_dir, "#{spec.bindir}/*"
   end
 
   ##

data/lib/rubygems/installer_test_case.rb

@@ -119,9 +119,9 @@ class Gem::InstallerTestCase < Gem::TestCase
   # The executable is also written to the bin dir in @tmpdir and the installed
   # gem directory for +spec+.
 
-  def util_make_exec(spec = @spec, shebang = "#!/usr/bin/ruby")
+  def util_make_exec(spec = @spec, shebang = "#!/usr/bin/ruby", bindir = "bin")
     spec.executables = %w[executable]
-    spec.files << 'bin/executable'
+    spec.bindir = bindir
 
     exec_path = spec.bin_file "executable"
     write_file exec_path do |io|

data/lib/rubygems/package/tar_header.rb

@@ -107,8 +107,8 @@ class Gem::Package::TarHeader
 
     new :name     => fields.shift,
         :mode     => strict_oct(fields.shift),
-        :uid      => strict_oct(fields.shift),
-        :gid      => strict_oct(fields.shift),
+        :uid      => oct_or_256based(fields.shift),
+        :gid      => oct_or_256based(fields.shift),
         :size     => strict_oct(fields.shift),
         :mtime    => strict_oct(fields.shift),
         :checksum => strict_oct(fields.shift),
@@ -130,6 +130,15 @@ class Gem::Package::TarHeader
     raise ArgumentError, "#{str.inspect} is not an octal string"
   end
 
+  def self.oct_or_256based(str)
+    # \x80 flags a positive 256-based number
+    # \ff flags a negative 256-based number
+    # In case we have a match, parse it as a signed binary value
+    # in big-endian order, except that the high-order bit is ignored.
+    return str.unpack('N2').last if str =~ /\A[\x80\xff]/n
+    strict_oct(str)
+  end
+
   ##
   # Creates a new TarHeader using +vals+
 

data/lib/rubygems/remote_fetcher.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 require 'rubygems'
 require 'rubygems/request'
+require 'rubygems/request/connection_pools'
+require 'rubygems/s3_uri_signer'
 require 'rubygems/uri_formatter'
 require 'rubygems/user_interaction'
-require 'rubygems/request/connection_pools'
 require 'resolv'
 
 ##
@@ -173,7 +174,7 @@ class Gem::RemoteFetcher
         path = source_uri.path
         path = File.dirname(path) if File.extname(path) == '.gem'
 
-        remote_gem_path = correct_for_windows_path(File.join(path, 'gems', gem_file_name))
+        remote_gem_path = Gem::Util.correct_for_windows_path(File.join(path, 'gems', gem_file_name))
 
         FileUtils.cp(remote_gem_path, local_gem_path)
       rescue Errno::EACCES
@@ -210,7 +211,7 @@ class Gem::RemoteFetcher
   # File Fetcher. Dispatched by +fetch_path+. Use it instead.
 
   def fetch_file(uri, *_)
-    Gem.read_binary correct_for_windows_path uri.path
+    Gem.read_binary Gem::Util.correct_for_windows_path uri.path
   end
 
   ##
@@ -275,7 +276,7 @@ class Gem::RemoteFetcher
   rescue Timeout::Error
     raise UnknownHostError.new('timed out', uri.to_s)
   rescue IOError, SocketError, SystemCallError,
-    *(OpenSSL::SSL::SSLError if defined?(OpenSSL)) => e
+         *(OpenSSL::SSL::SSLError if defined?(OpenSSL)) => e
     if e.message =~ /getaddrinfo/
       raise UnknownHostError.new('no such name', uri.to_s)
     else
@@ -284,10 +285,19 @@ class Gem::RemoteFetcher
   end
 
   def fetch_s3(uri, mtime = nil, head = false)
-    public_uri = sign_s3_url(uri)
+    begin
+      public_uri = s3_uri_signer(uri).sign
+    rescue Gem::S3URISigner::ConfigurationError, Gem::S3URISigner::InstanceProfileError => e
+      raise FetchError.new(e.message, "s3://#{uri.host}")
+    end
     fetch_https public_uri, mtime, head
   end
 
+  # we have our own signing code here to avoid a dependency on the aws-sdk gem
+  def s3_uri_signer(uri)
+    Gem::S3URISigner.new(uri)
+  end
+
   ##
   # Downloads +uri+ to +path+ if necessary. If no path is given, it just
   # passes the data.
@@ -317,14 +327,6 @@ class Gem::RemoteFetcher
     response['content-length'].to_i
   end
 
-  def correct_for_windows_path(path)
-    if path[0].chr == '/' && path[1].chr =~ /[a-z]/i && path[2].chr == ':'
-      path[1..-1]
-    else
-      path
-    end
-  end
-
   ##
   # Performs a Net::HTTP request of type +request_class+ on +uri+ returning
   # a Net::HTTP response object.  request maintains a table of persistent
@@ -349,31 +351,6 @@ class Gem::RemoteFetcher
     @pools.each_value {|pool| pool.close_all}
   end
 
-  protected
-
-  # we have our own signing code here to avoid a dependency on the aws-sdk gem
-  # fortunately, a simple GET request isn't too complex to sign properly
-  def sign_s3_url(uri, expiration = nil)
-    require 'base64'
-    require 'openssl'
-
-    id, secret = s3_source_auth uri
-
-    expiration ||= s3_expiration
-    canonical_path = "/#{uri.host}#{uri.path}"
-    payload = "GET\n\n\n#{expiration}\n#{canonical_path}"
-    digest = OpenSSL::HMAC.digest('sha1', secret, payload)
-    # URI.escape is deprecated, and there isn't yet a replacement that does quite what we want
-    signature = Base64.encode64(digest).gsub("\n", '').gsub(/[\+\/=]/) { |c| BASE64_URI_TRANSLATE[c] }
-    URI.parse("https://#{uri.host}.s3.amazonaws.com#{uri.path}?AWSAccessKeyId=#{id}&Expires=#{expiration}&Signature=#{signature}")
-  end
-
-  def s3_expiration
-    (Time.now + 3600).to_i # one hour from now
-  end
-
-  BASE64_URI_TRANSLATE = { '+' => '%2B', '/' => '%2F', '=' => '%3D' }.freeze
-
   private
 
   def proxy_for(proxy, uri)
@@ -386,20 +363,4 @@ class Gem::RemoteFetcher
     end
   end
 
-  def s3_source_auth(uri)
-    return [uri.user, uri.password] if uri.user && uri.password
-
-    s3_source = Gem.configuration[:s3_source] || Gem.configuration['s3_source']
-    host = uri.host
-    raise FetchError.new("no s3_source key exists in .gemrc", "s3://#{host}") unless s3_source
-
-    auth = s3_source[host] || s3_source[host.to_sym]
-    raise FetchError.new("no key for host #{host} in s3_source in .gemrc", "s3://#{host}") unless auth
-
-    id = auth[:id] || auth['id']
-    secret = auth[:secret] || auth['secret']
-    raise FetchError.new("s3_source for #{host} missing id or secret", "s3://#{host}") unless id and secret
-
-    [id, secret]
-  end
 end