rubygems-update 3.5.3 → 3.7.1

data/lib/rubygems/commands/environment_command.rb

@@ -15,6 +15,7 @@ class Gem::Commands::EnvironmentCommand < Gem::Command
           version         display the gem format version
           remotesources   display the remote gem servers
           platform        display the supported gem platforms
+          credentials     display the path where credentials are stored
           <omitted>       display everything
     EOF
     args.gsub(/^\s+/, "")
@@ -88,6 +89,8 @@ lib/rubygems/defaults/operating_system.rb
         Gem.sources.to_a.join("\n")
       when /^platform/ then
         Gem.platforms.join(File::PATH_SEPARATOR)
+      when /^credentials/, /^creds/ then
+        Gem.configuration.credentials_path
       when nil then
         show_environment
       else
@@ -114,6 +117,8 @@ lib/rubygems/defaults/operating_system.rb
 
     out << "  - USER INSTALLATION DIRECTORY: #{Gem.user_dir}\n"
 
+    out << "  - CREDENTIALS FILE: #{Gem.configuration.credentials_path}\n"
+
     out << "  - RUBYGEMS PREFIX: #{Gem.prefix}\n" unless Gem.prefix.nil?
 
     out << "  - RUBY EXECUTABLE: #{Gem.ruby}\n"

data/lib/rubygems/commands/exec_command.rb

@@ -57,8 +57,6 @@ to the same gem path as user-installed gems.
   end
 
   def execute
-    gem_paths = { "GEM_HOME" => Gem.paths.home, "GEM_PATH" => Gem.paths.path.join(File::PATH_SEPARATOR), "GEM_SPEC_CACHE" => Gem.paths.spec_cache_dir }.compact
-
     check_executable
 
     print_command
@@ -74,9 +72,6 @@ to the same gem path as user-installed gems.
     end
 
     load!
-  ensure
-    ENV.update(gem_paths) if gem_paths
-    Gem.clear_paths
   end
 
   private
@@ -143,7 +138,7 @@ to the same gem path as user-installed gems.
   end
 
   def set_gem_exec_install_paths
-    home = File.join(Gem.dir, "gem_exec")
+    home = Gem.dir
 
     ENV["GEM_PATH"] = ([home] + Gem.path).join(File::PATH_SEPARATOR)
     ENV["GEM_HOME"] = home
@@ -200,7 +195,7 @@ to the same gem path as user-installed gems.
     argv = ARGV.clone
     ARGV.replace options[:args]
 
-    exe = executable = options[:executable]
+    executable = options[:executable]
 
     contains_executable = Gem.loaded_specs.values.select do |spec|
       spec.executables.include?(executable)
@@ -211,13 +206,22 @@ to the same gem path as user-installed gems.
     end
 
     if contains_executable.empty?
-      if (spec = Gem.loaded_specs[executable]) && (exe = spec.executable)
-        contains_executable << spec
-      else
+      spec = Gem.loaded_specs[executable]
+
+      if spec.nil? || spec.executables.empty?
         alert_error "Failed to load executable `#{executable}`," \
               " are you sure the gem `#{options[:gem_name]}` contains it?"
         terminate_interaction 1
       end
+
+      if spec.executables.size > 1
+        alert_error "Ambiguous which executable from gem `#{executable}` should be run: " \
+              "the options are #{spec.executables.sort}, specify one via COMMAND, and use `-g` and `-v` to specify gem and version"
+        terminate_interaction 1
+      end
+
+      contains_executable << spec
+      executable = spec.executable
     end
 
     if contains_executable.size > 1
@@ -227,8 +231,11 @@ to the same gem path as user-installed gems.
       terminate_interaction 1
     end
 
-    load Gem.activate_bin_path(contains_executable.first.name, exe, ">= 0.a")
+    old_exe = $0
+    $0 = executable
+    load Gem.activate_bin_path(contains_executable.first.name, executable, ">= 0.a")
   ensure
+    $0 = old_exe if old_exe
     ARGV.replace argv
   end
 

data/lib/rubygems/commands/fetch_command.rb

@@ -63,6 +63,17 @@ then repackaging it.
 
   def execute
     check_version
+
+    exit_code = fetch_gems
+
+    terminate_interaction exit_code
+  end
+
+  private
+
+  def fetch_gems
+    exit_code = 0
+
     version = options[:version]
 
     platform  = Gem.platforms.last
@@ -86,10 +97,13 @@ then repackaging it.
 
       if spec.nil?
         show_lookup_failure gem_name, gem_version, errors, suppress_suggestions, options[:domain]
+        exit_code |= 2
         next
       end
       source.download spec
       say "Downloaded #{spec.full_name}"
     end
+
+    exit_code
   end
 end

data/lib/rubygems/commands/help_command.rb

@@ -59,7 +59,7 @@ multiple environments.  The RubyGems implementation is designed to be
 compatible with Bundler's Gemfile format.  You can see additional
 documentation on the format at:
 
-  http://bundler.io
+  https://bundler.io
 
 RubyGems automatically looks for these gem dependencies files:
 
@@ -172,7 +172,7 @@ and #platforms methods:
 See the bundler Gemfile manual page for a list of platforms supported in a gem
 dependencies file.:
 
-  http://bundler.io/v1.6/man/gemfile.5.html
+  https://bundler.io/v2.5/man/gemfile.5.html
 
 Ruby Version and Engine Dependency
 ==================================

data/lib/rubygems/commands/install_command.rb

@@ -224,10 +224,6 @@ You can use `i` command instead of `install`.
       rescue Gem::InstallError => e
         alert_error "Error installing #{gem_name}:\n\t#{e.message}"
         exit_code |= 1
-      rescue Gem::GemNotFoundException => e
-        show_lookup_failure e.name, e.version, e.errors, suppress_suggestions
-
-        exit_code |= 2
       rescue Gem::UnsatisfiableDependencyError => e
         show_lookup_failure e.name, e.version, e.errors, suppress_suggestions,
                             "'#{gem_name}' (#{gem_version})"

data/lib/rubygems/commands/pristine_command.rb

@@ -57,7 +57,7 @@ class Gem::Commands::PristineCommand < Gem::Command
     end
 
     add_option("-i", "--install-dir DIR",
-               "Gem repository to get binstubs and plugins installed") do |value, options|
+               "Gem repository to get gems restored") do |value, options|
       options[:install_dir] = File.expand_path(value)
     end
 
@@ -103,22 +103,26 @@ extensions will be restored.
   end
 
   def execute
+    install_dir = options[:install_dir]
+
+    specification_record = install_dir ? Gem::SpecificationRecord.from_path(install_dir) : Gem::Specification.specification_record
+
     specs = if options[:all]
-      Gem::Specification.map
+      specification_record.map
 
     # `--extensions` must be explicitly given to pristine only gems
     # with extensions.
     elsif options[:extensions_set] &&
           options[:extensions] && options[:args].empty?
-      Gem::Specification.select do |spec|
+      specification_record.select do |spec|
         spec.extensions && !spec.extensions.empty?
       end
     elsif options[:only_missing_extensions]
-      Gem::Specification.select(&:missing_extensions?)
+      specification_record.select(&:missing_extensions?)
     else
-      get_all_gem_names.sort.map do |gem_name|
-        Gem::Specification.find_all_by_name(gem_name, options[:version]).reverse
-      end.flatten
+      get_all_gem_names.sort.flat_map do |gem_name|
+        specification_record.find_all_by_name(gem_name, options[:version]).reverse
+      end
     end
 
     specs = specs.select {|spec| spec.platform == RUBY_ENGINE || Gem::Platform.local === spec.platform || spec.platform == Gem::Platform::RUBY }
@@ -130,10 +134,17 @@ extensions will be restored.
 
     say "Restoring gems to pristine condition..."
 
-    specs.each do |spec|
-      if spec.default_gem?
-        say "Skipped #{spec.full_name}, it is a default gem"
-        next
+    specs.group_by(&:full_name_with_location).values.each do |grouped_specs|
+      spec = grouped_specs.find {|s| !s.default_gem? } || grouped_specs.first
+
+      only_executables = options[:only_executables]
+      only_plugins = options[:only_plugins]
+
+      unless only_executables || only_plugins
+        # Default gemspecs include changes provided by ruby-core installer that
+        # can't currently be pristined (inclusion of compiled extension targets in
+        # the file list). So stick to resetting executables if it's a default gem.
+        only_executables = true if spec.default_gem?
       end
 
       if options.key? :skip
@@ -143,17 +154,17 @@ extensions will be restored.
         end
       end
 
-      unless spec.extensions.empty? || options[:extensions] || options[:only_executables] || options[:only_plugins]
-        say "Skipped #{spec.full_name}, it needs to compile an extension"
+      unless spec.extensions.empty? || options[:extensions] || only_executables || only_plugins
+        say "Skipped #{spec.full_name_with_location}, it needs to compile an extension"
         next
       end
 
       gem = spec.cache_file
 
-      unless File.exist?(gem) || options[:only_executables] || options[:only_plugins]
+      unless File.exist?(gem) || only_executables || only_plugins
         require_relative "../remote_fetcher"
 
-        say "Cached gem for #{spec.full_name} not found, attempting to fetch..."
+        say "Cached gem for #{spec.full_name_with_location} not found, attempting to fetch..."
 
         dep = Gem::Dependency.new spec.name, spec.version
         found, _ = Gem::SpecFetcher.fetcher.spec_for_dependency dep
@@ -176,7 +187,6 @@ extensions will be restored.
         end
 
       bin_dir = options[:bin_dir] if options[:bin_dir]
-      install_dir = options[:install_dir] if options[:install_dir]
 
       installer_options = {
         wrappers: true,
@@ -187,10 +197,10 @@ extensions will be restored.
         bin_dir: bin_dir,
       }
 
-      if options[:only_executables]
+      if only_executables
         installer = Gem::Installer.for_spec(spec, installer_options)
         installer.generate_bin
-      elsif options[:only_plugins]
+      elsif only_plugins
         installer = Gem::Installer.for_spec(spec, installer_options)
         installer.generate_plugins
       else
@@ -198,7 +208,7 @@ extensions will be restored.
         installer.install
       end
 
-      say "Restored #{spec.full_name}"
+      say "Restored #{spec.full_name_with_location}"
     end
   end
 end

data/lib/rubygems/commands/push_command.rb

@@ -30,7 +30,7 @@ The push command will use ~/.gem/credentials to authenticate to a server, but yo
   end
 
   def initialize
-    super "push", "Push a gem up to the gem server", host: host
+    super "push", "Push a gem up to the gem server", host: host, attestations: []
 
     @user_defined_host = false
 
@@ -45,6 +45,11 @@ The push command will use ~/.gem/credentials to authenticate to a server, but yo
       @user_defined_host = true
     end
 
+    add_option("--attestation FILE",
+                "Push with sigstore attestations") do |value, options|
+      options[:attestations] << value
+    end
+
     @host = nil
   end
 
@@ -87,11 +92,20 @@ The push command will use ~/.gem/credentials to authenticate to a server, but yo
   private
 
   def send_push_request(name, args)
-    rubygems_api_request(*args, scope: get_push_scope) do |request|
-      request.body = Gem.read_binary name
-      request.add_field "Content-Length", request.body.size
-      request.add_field "Content-Type",   "application/octet-stream"
-      request.add_field "Authorization",  api_key
+    scope = get_push_scope
+    rubygems_api_request(*args, scope: scope) do |request|
+      body = Gem.read_binary name
+      if options[:attestations].any?
+        request.set_form([
+          ["gem", body, { filename: name, content_type: "application/octet-stream" }],
+          get_attestations_part,
+        ], "multipart/form-data")
+      else
+        request.body = body
+        request.add_field "Content-Type",   "application/octet-stream"
+        request.add_field "Content-Length", request.body.size
+      end
+      request.add_field "Authorization", api_key
     end
   end
 
@@ -107,4 +121,15 @@ The push command will use ~/.gem/credentials to authenticate to a server, but yo
   def get_push_scope
     :push_rubygem
   end
+
+  def get_attestations_part
+    bundles = "[" + options[:attestations].map do |attestation|
+      Gem.read_binary(attestation)
+    end.join(",") + "]"
+    [
+      "attestations",
+      bundles,
+      { content_type: "application/json" },
+    ]
+  end
 end

data/lib/rubygems/commands/rdoc_command.rb

@@ -64,9 +64,9 @@ Use --overwrite to force rebuilding of documentation.
     specs = if options[:all]
       Gem::Specification.to_a
     else
-      get_all_gem_names.map do |name|
+      get_all_gem_names.flat_map do |name|
         Gem::Specification.find_by_name name, options[:version]
-      end.flatten.uniq
+      end.uniq
     end
 
     if specs.empty?
@@ -84,14 +84,7 @@ Use --overwrite to force rebuilding of documentation.
         FileUtils.rm_rf File.join(spec.doc_dir, "rdoc")
       end
 
-      begin
-        doc.generate
-      rescue Errno::ENOENT => e
-        match = / - /.match(e.message)
-        alert_error "Unable to document #{spec.full_name}, " \
-                    " #{match.post_match} is missing, skipping"
-        terminate_interaction 1 if specs.length == 1
-      end
+      doc.generate
     end
   end
 end

data/lib/rubygems/commands/rebuild_command.rb

@@ -0,0 +1,262 @@
+# frozen_string_literal: true
+
+require "date"
+require "digest"
+require "fileutils"
+require "tmpdir"
+require_relative "../gemspec_helpers"
+require_relative "../package"
+
+class Gem::Commands::RebuildCommand < Gem::Command
+  include Gem::GemspecHelpers
+
+  def initialize
+    super "rebuild", "Attempt to reproduce a build of a gem."
+
+    add_option "--diff", "If the files don't match, compare them using diffoscope." do |_value, options|
+      options[:diff] = true
+    end
+
+    add_option "--force", "Skip validation of the spec." do |_value, options|
+      options[:force] = true
+    end
+
+    add_option "--strict", "Consider warnings as errors when validating the spec." do |_value, options|
+      options[:strict] = true
+    end
+
+    add_option "--source GEM_SOURCE", "Specify the source to download the gem from." do |value, options|
+      options[:source] = value
+    end
+
+    add_option "--original GEM_FILE", "Specify a local file to compare against (instead of downloading it)." do |value, options|
+      options[:original_gem_file] = value
+    end
+
+    add_option "--gemspec GEMSPEC_FILE", "Specify the name of the gemspec file." do |value, options|
+      options[:gemspec_file] = value
+    end
+
+    add_option "-C PATH", "Run as if gem build was started in <PATH> instead of the current working directory." do |value, options|
+      options[:build_path] = value
+    end
+  end
+
+  def arguments # :nodoc:
+    "GEM_NAME      gem name on gem server\n" \
+    "GEM_VERSION   gem version you are attempting to rebuild"
+  end
+
+  def description # :nodoc:
+    <<-EOF
+The rebuild command allows you to (attempt to) reproduce a build of a gem
+from a ruby gemspec.
+
+This command assumes the gemspec can be built with the `gem build` command.
+If you use any of `gem build`, `rake build`, or`rake release` in the
+build/release process for a gem, it is a potential candidate.
+
+You will need to match the RubyGems version used, since this is included in
+the Gem metadata.
+
+If the gem includes lockfiles (e.g. Gemfile.lock) and similar, it will
+require more effort to reproduce a build. For example, it might require
+more precisely matched versions of Ruby and/or Bundler to be used.
+    EOF
+  end
+
+  def usage # :nodoc:
+    "#{program_name} GEM_NAME GEM_VERSION"
+  end
+
+  def execute
+    gem_name, gem_version = get_gem_name_and_version
+
+    old_dir, new_dir = prep_dirs
+
+    gem_filename = "#{gem_name}-#{gem_version}.gem"
+    old_file = File.join(old_dir, gem_filename)
+    new_file = File.join(new_dir, gem_filename)
+
+    if options[:original_gem_file]
+      FileUtils.copy_file(options[:original_gem_file], old_file)
+    else
+      download_gem(gem_name, gem_version, old_file)
+    end
+
+    rg_version = rubygems_version(old_file)
+    unless rg_version == Gem::VERSION
+      alert_error <<-EOF
+You need to use the same RubyGems version #{gem_name} v#{gem_version} was built with.
+
+#{gem_name} v#{gem_version} was built using RubyGems v#{rg_version}.
+Gem files include the version of RubyGems used to build them.
+This means in order to reproduce #{gem_filename}, you must also use RubyGems v#{rg_version}.
+
+You're using RubyGems v#{Gem::VERSION}.
+
+Please install RubyGems v#{rg_version} and try again.
+      EOF
+      terminate_interaction 1
+    end
+
+    source_date_epoch = get_timestamp(old_file).to_s
+
+    if build_path = options[:build_path]
+      Dir.chdir(build_path) { build_gem(gem_name, source_date_epoch, new_file) }
+    else
+      build_gem(gem_name, source_date_epoch, new_file)
+    end
+
+    compare(source_date_epoch, old_file, new_file)
+  end
+
+  private
+
+  def sha256(file)
+    Digest::SHA256.hexdigest(Gem.read_binary(file))
+  end
+
+  def get_timestamp(file)
+    mtime = nil
+    File.open(file, Gem.binary_mode) do |f|
+      Gem::Package::TarReader.new(f) do |tar|
+        mtime = tar.seek("metadata.gz") {|tf| tf.header.mtime }
+      end
+    end
+
+    mtime
+  end
+
+  def compare(source_date_epoch, old_file, new_file)
+    date = Time.at(source_date_epoch.to_i).strftime("%F %T %Z")
+
+    old_hash = sha256(old_file)
+    new_hash = sha256(new_file)
+
+    say
+    say "Built at: #{date} (#{source_date_epoch})"
+    say "Original build saved to:   #{old_file}"
+    say "Reproduced build saved to: #{new_file}"
+    say "Working directory: #{options[:build_path] || Dir.pwd}"
+    say
+    say "Hash comparison:"
+    say "  #{old_hash}\t#{old_file}"
+    say "  #{new_hash}\t#{new_file}"
+    say
+
+    if old_hash == new_hash
+      say "SUCCESS - original and rebuild hashes matched"
+    else
+      say "FAILURE - original and rebuild hashes did not match"
+      say
+
+      if options[:diff]
+        if system("diffoscope", old_file, new_file).nil?
+          alert_error "error: could not find `diffoscope` executable"
+        end
+      else
+        say "Pass --diff for more details (requires diffoscope to be installed)."
+      end
+
+      terminate_interaction 1
+    end
+  end
+
+  def prep_dirs
+    rebuild_dir = Dir.mktmpdir("gem_rebuild")
+    old_dir = File.join(rebuild_dir, "old")
+    new_dir = File.join(rebuild_dir, "new")
+
+    FileUtils.mkdir_p(old_dir)
+    FileUtils.mkdir_p(new_dir)
+
+    [old_dir, new_dir]
+  end
+
+  def get_gem_name_and_version
+    args = options[:args] || []
+    if args.length == 2
+      gem_name, gem_version = args
+    elsif args.length > 2
+      raise Gem::CommandLineError, "Too many arguments"
+    else
+      raise Gem::CommandLineError, "Expected GEM_NAME and GEM_VERSION arguments (gem rebuild GEM_NAME GEM_VERSION)"
+    end
+
+    [gem_name, gem_version]
+  end
+
+  def build_gem(gem_name, source_date_epoch, output_file)
+    gemspec = options[:gemspec_file] || find_gemspec("#{gem_name}.gemspec")
+
+    if gemspec
+      build_package(gemspec, source_date_epoch, output_file)
+    else
+      alert_error error_message(gem_name)
+      terminate_interaction(1)
+    end
+  end
+
+  def build_package(gemspec, source_date_epoch, output_file)
+    with_source_date_epoch(source_date_epoch) do
+      spec = Gem::Specification.load(gemspec)
+      if spec
+        Gem::Package.build(
+          spec,
+          options[:force],
+          options[:strict],
+          output_file
+        )
+      else
+        alert_error "Error loading gemspec. Aborting."
+        terminate_interaction 1
+      end
+    end
+  end
+
+  def with_source_date_epoch(source_date_epoch)
+    old_sde = ENV["SOURCE_DATE_EPOCH"]
+    ENV["SOURCE_DATE_EPOCH"] = source_date_epoch.to_s
+
+    yield
+  ensure
+    ENV["SOURCE_DATE_EPOCH"] = old_sde
+  end
+
+  def error_message(gem_name)
+    if gem_name
+      "Couldn't find a gemspec file matching '#{gem_name}' in #{Dir.pwd}"
+    else
+      "Couldn't find a gemspec file in #{Dir.pwd}"
+    end
+  end
+
+  def download_gem(gem_name, gem_version, old_file)
+    # This code was based loosely off the `gem fetch` command.
+    version = "= #{gem_version}"
+    dep = Gem::Dependency.new gem_name, version
+
+    specs_and_sources, errors =
+      Gem::SpecFetcher.fetcher.spec_for_dependency dep
+
+    # There should never be more than one item in specs_and_sources,
+    # since we search for an exact version.
+    spec, source = specs_and_sources[0]
+
+    if spec.nil?
+      show_lookup_failure gem_name, version, errors, options[:domain]
+      terminate_interaction 1
+    end
+
+    download_path = source.download spec
+
+    FileUtils.move(download_path, old_file)
+
+    say "Downloaded #{gem_name} version #{gem_version} as #{old_file}."
+  end
+
+  def rubygems_version(gem_file)
+    Gem::Package.new(gem_file).spec.rubygems_version
+  end
+end