rubygems-update 3.5.7 → 3.5.8

data/bundler/lib/bundler/plugin/source_list.rb

@@ -9,6 +9,10 @@ module Bundler
         add_source_to_list Plugin::Installer::Git.new(options), git_sources
       end
 
+      def add_path_source(options = {})
+        add_source_to_list Plugin::Installer::Path.new(options), path_sources
+      end
+
       def add_rubygems_source(options = {})
         add_source_to_list Plugin::Installer::Rubygems.new(options), @rubygems_sources
       end
@@ -17,10 +21,6 @@ module Bundler
         path_sources + git_sources + rubygems_sources + [metadata_source]
       end
 
-      def default_source
-        git_sources.first || global_rubygems_source
-      end
-
       private
 
       def rubygems_aggregate_class

data/bundler/lib/bundler/resolver/candidate.rb

@@ -15,7 +15,7 @@ module Bundler
     # considered separately.
     #
     # Some candidates may also keep some information explicitly about the
-    # package the refer to. These candidates are referred to as "canonical" and
+    # package they refer to. These candidates are referred to as "canonical" and
     # are used when materializing resolution results back into RubyGems
     # specifications that can be installed, written to lock files, and so on.
     #

data/bundler/lib/bundler/resolver.rb

@@ -50,26 +50,26 @@ module Bundler
         specs[name] = matches.sort_by {|s| [s.version, s.platform.to_s] }
       end
 
+      @all_versions = Hash.new do |candidates, package|
+        candidates[package] = all_versions_for(package)
+      end
+
       @sorted_versions = Hash.new do |candidates, package|
-        candidates[package] = if package.root?
-          [root_version]
-        else
-          all_versions_for(package).sort
-        end
+        candidates[package] = filtered_versions_for(package).sort
       end
 
+      @sorted_versions[root] = [root_version]
+
       root_dependencies = prepare_dependencies(@requirements, @packages)
 
       @cached_dependencies = Hash.new do |dependencies, package|
-        dependencies[package] = if package.root?
-          { root_version => root_dependencies }
-        else
-          Hash.new do |versions, version|
-            versions[version] = to_dependency_hash(version.dependencies.reject {|d| d.name == package.name }, @packages)
-          end
+        dependencies[package] = Hash.new do |versions, version|
+          versions[version] = to_dependency_hash(version.dependencies.reject {|d| d.name == package.name }, @packages)
         end
       end
 
+      @cached_dependencies[root] = { root_version => root_dependencies }
+
       logger = Bundler::UI::Shell.new
       logger.level = debug? ? "debug" : "warn"
 
@@ -156,9 +156,15 @@ module Bundler
     end
 
     def versions_for(package, range=VersionRange.any)
-      versions = range.select_versions(@sorted_versions[package])
+      versions = select_sorted_versions(package, range)
 
-      sort_versions(package, versions)
+      # Conditional avoids (among other things) calling
+      # sort_versions_by_preferred with the root package
+      if versions.size > 1
+        sort_versions_by_preferred(package, versions)
+      else
+        versions
+      end
     end
 
     def no_versions_incompatibility_for(package, unsatisfied_term)
@@ -247,7 +253,7 @@ module Bundler
       locked_requirement = base_requirements[name]
       results = filter_matching_specs(results, locked_requirement) if locked_requirement
 
-      versions = results.group_by(&:version).reduce([]) do |groups, (version, specs)|
+      results.group_by(&:version).reduce([]) do |groups, (version, specs)|
         platform_specs = package.platforms.map {|platform| select_best_platform_match(specs, platform) }
 
         # If package is a top-level dependency,
@@ -274,8 +280,6 @@ module Bundler
 
         groups
       end
-
-      sort_versions(package, versions)
     end
 
     def source_for(name)
@@ -334,6 +338,21 @@ module Bundler
 
     private
 
+    def filtered_versions_for(package)
+      @gem_version_promoter.filter_versions(package, @all_versions[package])
+    end
+
+    def raise_all_versions_filtered_out!(package)
+      level = @gem_version_promoter.level
+      name = package.name
+      locked_version = package.locked_version
+      requirement = package.dependency
+
+      raise GemNotFound,
+        "#{name} is locked to #{locked_version}, while Gemfile is requesting #{requirement}. " \
+        "--strict --#{level} was specified, but there are no #{level} level upgrades from #{locked_version} satisfying #{requirement}, so version solving has failed"
+    end
+
     def filter_matching_specs(specs, requirements)
       Array(requirements).flat_map do |requirement|
         specs.select {| spec| requirement_satisfied_by?(requirement, spec) }
@@ -357,12 +376,8 @@ module Bundler
       requirement.satisfied_by?(spec.version) || spec.source.is_a?(Source::Gemspec)
     end
 
-    def sort_versions(package, versions)
-      if versions.size > 1
-        @gem_version_promoter.sort_versions(package, versions).reverse
-      else
-        versions
-      end
+    def sort_versions_by_preferred(package, versions)
+      @gem_version_promoter.sort_versions(package, versions)
     end
 
     def repository_for(package)
@@ -379,12 +394,19 @@ module Bundler
 
         next [dep_package, dep_constraint] if name == "bundler"
 
-        versions = versions_for(dep_package, dep_constraint.range)
+        dep_range = dep_constraint.range
+        versions = select_sorted_versions(dep_package, dep_range)
         if versions.empty? && dep_package.ignores_prereleases?
+          @all_versions.delete(dep_package)
           @sorted_versions.delete(dep_package)
           dep_package.consider_prereleases!
-          versions = versions_for(dep_package, dep_constraint.range)
+          versions = select_sorted_versions(dep_package, dep_range)
         end
+
+        if versions.empty? && select_all_versions(dep_package, dep_range).any?
+          raise_all_versions_filtered_out!(dep_package)
+        end
+
         next [dep_package, dep_constraint] unless versions.empty?
 
         next unless dep_package.current_platform?
@@ -393,6 +415,14 @@ module Bundler
       end.compact.to_h
     end
 
+    def select_sorted_versions(package, range)
+      range.select_versions(@sorted_versions[package])
+    end
+
+    def select_all_versions(package, range)
+      range.select_versions(@all_versions[package])
+    end
+
     def other_specs_matching_message(specs, requirement)
       message = String.new("The source contains the following gems matching '#{requirement}':\n")
       message << specs.map {|s| "  * #{s.full_name}" }.join("\n")

data/bundler/lib/bundler/self_manager.rb

@@ -113,7 +113,7 @@ module Bundler
     end
 
     def local_specs
-      @local_specs ||= Bundler::Source::Rubygems.new("allow_local" => true).specs.select {|spec| spec.name == "bundler" }
+      @local_specs ||= Bundler::Source::Rubygems.new("allow_local" => true, "allow_cached" => true).specs.select {|spec| spec.name == "bundler" }
     end
 
     def remote_specs

data/bundler/lib/bundler/source/rubygems.rb

@@ -17,7 +17,7 @@ module Bundler
         @remotes = []
         @dependency_names = []
         @allow_remote = false
-        @allow_cached = false
+        @allow_cached = options["allow_cached"] || false
         @allow_local = options["allow_local"] || false
         @checksum_store = Checksum::Store.new
 
@@ -133,7 +133,7 @@ module Bundler
           # sources, and large_idx.merge! small_idx is way faster than
           # small_idx.merge! large_idx.
           index = @allow_remote ? remote_specs.dup : Index.new
-          index.merge!(cached_specs) if @allow_cached || @allow_remote
+          index.merge!(cached_specs) if @allow_cached
           index.merge!(installed_specs) if @allow_local
           index
         end

data/bundler/lib/bundler/source_list.rb

@@ -9,7 +9,7 @@ module Bundler
       :metadata_source
 
     def global_rubygems_source
-      @global_rubygems_source ||= rubygems_aggregate_class.new("allow_local" => true)
+      @global_rubygems_source ||= rubygems_aggregate_class.new("allow_local" => true, "allow_cached" => true)
     end
 
     def initialize
@@ -174,7 +174,7 @@ module Bundler
       replacement_source = replacement_sources.find {|s| s == global_rubygems_source }
       return global_rubygems_source unless replacement_source
 
-      replacement_source.local!
+      replacement_source.cached!
       replacement_source
     end
 

data/bundler/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.5.7".freeze
+  VERSION = "2.5.8".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/lib/rubygems/command_manager.rb

@@ -60,6 +60,7 @@ class Gem::CommandManager
     :push,
     :query,
     :rdoc,
+    :rebuild,
     :search,
     :server,
     :signin,

data/lib/rubygems/commands/build_command.rb

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 
 require_relative "../command"
+require_relative "../gemspec_helpers"
 require_relative "../package"
 require_relative "../version_option"
 
 class Gem::Commands::BuildCommand < Gem::Command
   include Gem::VersionOption
+  include Gem::GemspecHelpers
 
   def initialize
     super "build", "Build a gem from a gemspec"
@@ -75,17 +77,6 @@ Gems can be saved to a specified filename with the output option:
 
   private
 
-  def find_gemspec(glob = "*.gemspec")
-    gemspecs = Dir.glob(glob).sort
-
-    if gemspecs.size > 1
-      alert_error "Multiple gemspecs found: #{gemspecs}, please specify one"
-      terminate_interaction(1)
-    end
-
-    gemspecs.first
-  end
-
   def build_gem
     gemspec = resolve_gem_name
 

data/lib/rubygems/commands/rebuild_command.rb

@@ -0,0 +1,264 @@
+# frozen_string_literal: true
+
+require "date"
+require "digest"
+require "fileutils"
+require "tmpdir"
+require_relative "../gemspec_helpers"
+require_relative "../package"
+
+class Gem::Commands::RebuildCommand < Gem::Command
+  include Gem::GemspecHelpers
+
+  DATE_FORMAT = "%Y-%m-%d %H:%M:%S.%N Z"
+
+  def initialize
+    super "rebuild", "Attempt to reproduce a build of a gem."
+
+    add_option "--diff", "If the files don't match, compare them using diffoscope." do |_value, options|
+      options[:diff] = true
+    end
+
+    add_option "--force", "Skip validation of the spec." do |_value, options|
+      options[:force] = true
+    end
+
+    add_option "--strict", "Consider warnings as errors when validating the spec." do |_value, options|
+      options[:strict] = true
+    end
+
+    add_option "--source GEM_SOURCE", "Specify the source to download the gem from." do |value, options|
+      options[:source] = value
+    end
+
+    add_option "--original GEM_FILE", "Specify a local file to compare against (instead of downloading it)." do |value, options|
+      options[:original_gem_file] = value
+    end
+
+    add_option "--gemspec GEMSPEC_FILE", "Specify the name of the gemspec file." do |value, options|
+      options[:gemspec_file] = value
+    end
+
+    add_option "-C PATH", "Run as if gem build was started in <PATH> instead of the current working directory." do |value, options|
+      options[:build_path] = value
+    end
+  end
+
+  def arguments # :nodoc:
+    "GEM_NAME      gem name on gem server\n" \
+    "GEM_VERSION   gem version you are attempting to rebuild"
+  end
+
+  def description # :nodoc:
+    <<-EOF
+The rebuild command allows you to (attempt to) reproduce a build of a gem
+from a ruby gemspec.
+
+This command assumes the gemspec can be built with the `gem build` command.
+If you use any of `gem build`, `rake build`, or`rake release` in the
+build/release process for a gem, it is a potential candidate.
+
+You will need to match the RubyGems version used, since this is included in
+the Gem metadata.
+
+If the gem includes lockfiles (e.g. Gemfile.lock) and similar, it will
+require more effort to reproduce a build. For example, it might require
+more precisely matched versions of Ruby and/or Bundler to be used.
+    EOF
+  end
+
+  def usage # :nodoc:
+    "#{program_name} GEM_NAME GEM_VERSION"
+  end
+
+  def execute
+    gem_name, gem_version = get_gem_name_and_version
+
+    old_dir, new_dir = prep_dirs
+
+    gem_filename = "#{gem_name}-#{gem_version}.gem"
+    old_file = File.join(old_dir, gem_filename)
+    new_file = File.join(new_dir, gem_filename)
+
+    if options[:original_gem_file]
+      FileUtils.copy_file(options[:original_gem_file], old_file)
+    else
+      download_gem(gem_name, gem_version, old_file)
+    end
+
+    rg_version = rubygems_version(old_file)
+    unless rg_version == Gem::VERSION
+      alert_error <<-EOF
+You need to use the same RubyGems version #{gem_name} v#{gem_version} was built with.
+
+#{gem_name} v#{gem_version} was built using RubyGems v#{rg_version}.
+Gem files include the version of RubyGems used to build them.
+This means in order to reproduce #{gem_filename}, you must also use RubyGems v#{rg_version}.
+
+You're using RubyGems v#{Gem::VERSION}.
+
+Please install RubyGems v#{rg_version} and try again.
+      EOF
+      terminate_interaction 1
+    end
+
+    source_date_epoch = get_timestamp(old_file).to_s
+
+    if build_path = options[:build_path]
+      Dir.chdir(build_path) { build_gem(gem_name, source_date_epoch, new_file) }
+    else
+      build_gem(gem_name, source_date_epoch, new_file)
+    end
+
+    compare(source_date_epoch, old_file, new_file)
+  end
+
+  private
+
+  def sha256(file)
+    Digest::SHA256.hexdigest(Gem.read_binary(file))
+  end
+
+  def get_timestamp(file)
+    mtime = nil
+    File.open(file, Gem.binary_mode) do |f|
+      Gem::Package::TarReader.new(f) do |tar|
+        mtime = tar.seek("metadata.gz") {|tf| tf.header.mtime }
+      end
+    end
+
+    mtime
+  end
+
+  def compare(source_date_epoch, old_file, new_file)
+    date = Time.at(source_date_epoch.to_i).strftime("%F %T %Z")
+
+    old_hash = sha256(old_file)
+    new_hash = sha256(new_file)
+
+    say
+    say "Built at: #{date} (#{source_date_epoch})"
+    say "Original build saved to:   #{old_file}"
+    say "Reproduced build saved to: #{new_file}"
+    say "Working directory: #{options[:build_path] || Dir.pwd}"
+    say
+    say "Hash comparison:"
+    say "  #{old_hash}\t#{old_file}"
+    say "  #{new_hash}\t#{new_file}"
+    say
+
+    if old_hash == new_hash
+      say "SUCCESS - original and rebuild hashes matched"
+    else
+      say "FAILURE - original and rebuild hashes did not match"
+      say
+
+      if options[:diff]
+        if system("diffoscope", old_file, new_file).nil?
+          alert_error "error: could not find `diffoscope` executable"
+        end
+      else
+        say "Pass --diff for more details (requires diffoscope to be installed)."
+      end
+
+      terminate_interaction 1
+    end
+  end
+
+  def prep_dirs
+    rebuild_dir = Dir.mktmpdir("gem_rebuild")
+    old_dir = File.join(rebuild_dir, "old")
+    new_dir = File.join(rebuild_dir, "new")
+
+    FileUtils.mkdir_p(old_dir)
+    FileUtils.mkdir_p(new_dir)
+
+    [old_dir, new_dir]
+  end
+
+  def get_gem_name_and_version
+    args = options[:args] || []
+    if args.length == 2
+      gem_name, gem_version = args
+    elsif args.length > 2
+      raise Gem::CommandLineError, "Too many arguments"
+    else
+      raise Gem::CommandLineError, "Expected GEM_NAME and GEM_VERSION arguments (gem rebuild GEM_NAME GEM_VERSION)"
+    end
+
+    [gem_name, gem_version]
+  end
+
+  def build_gem(gem_name, source_date_epoch, output_file)
+    gemspec = options[:gemspec_file] || find_gemspec("#{gem_name}.gemspec")
+
+    if gemspec
+      build_package(gemspec, source_date_epoch, output_file)
+    else
+      alert_error error_message(gem_name)
+      terminate_interaction(1)
+    end
+  end
+
+  def build_package(gemspec, source_date_epoch, output_file)
+    with_source_date_epoch(source_date_epoch) do
+      spec = Gem::Specification.load(gemspec)
+      if spec
+        Gem::Package.build(
+          spec,
+          options[:force],
+          options[:strict],
+          output_file
+        )
+      else
+        alert_error "Error loading gemspec. Aborting."
+        terminate_interaction 1
+      end
+    end
+  end
+
+  def with_source_date_epoch(source_date_epoch)
+    old_sde = ENV["SOURCE_DATE_EPOCH"]
+    ENV["SOURCE_DATE_EPOCH"] = source_date_epoch.to_s
+
+    yield
+  ensure
+    ENV["SOURCE_DATE_EPOCH"] = old_sde
+  end
+
+  def error_message(gem_name)
+    if gem_name
+      "Couldn't find a gemspec file matching '#{gem_name}' in #{Dir.pwd}"
+    else
+      "Couldn't find a gemspec file in #{Dir.pwd}"
+    end
+  end
+
+  def download_gem(gem_name, gem_version, old_file)
+    # This code was based loosely off the `gem fetch` command.
+    version = "= #{gem_version}"
+    dep = Gem::Dependency.new gem_name, version
+
+    specs_and_sources, errors =
+      Gem::SpecFetcher.fetcher.spec_for_dependency dep
+
+    # There should never be more than one item in specs_and_sources,
+    # since we search for an exact version.
+    spec, source = specs_and_sources[0]
+
+    if spec.nil?
+      show_lookup_failure gem_name, version, errors, options[:domain]
+      terminate_interaction 1
+    end
+
+    download_path = source.download spec
+
+    FileUtils.move(download_path, old_file)
+
+    say "Downloaded #{gem_name} version #{gem_version} as #{old_file}."
+  end
+
+  def rubygems_version(gem_file)
+    Gem::Package.new(gem_file).spec.rubygems_version
+  end
+end

data/lib/rubygems/config_file.rb

@@ -202,21 +202,33 @@ class Gem::ConfigFile
       @hash = @hash.merge environment_config
     end
 
+    @hash.transform_keys! do |k|
+      # gemhome and gempath are not working with symbol keys
+      if %w[backtrace bulk_threshold verbose update_sources cert_expiration_length_days
+            install_extension_in_lib ipv4_fallback_enabled sources disable_default_gem_server
+            ssl_verify_mode ssl_ca_cert ssl_client_cert].include?(k)
+        k.to_sym
+      else
+        k
+      end
+    end
+
     # HACK: these override command-line args, which is bad
     @backtrace                   = @hash[:backtrace]                   if @hash.key? :backtrace
     @bulk_threshold              = @hash[:bulk_threshold]              if @hash.key? :bulk_threshold
-    @home                        = @hash[:gemhome]                     if @hash.key? :gemhome
-    @path                        = @hash[:gempath]                     if @hash.key? :gempath
-    @update_sources              = @hash[:update_sources]              if @hash.key? :update_sources
     @verbose                     = @hash[:verbose]                     if @hash.key? :verbose
-    @disable_default_gem_server  = @hash[:disable_default_gem_server]  if @hash.key? :disable_default_gem_server
-    @sources                     = @hash[:sources]                     if @hash.key? :sources
+    @update_sources              = @hash[:update_sources]              if @hash.key? :update_sources
+    # TODO: We should handle concurrent_downloads same as other options
     @cert_expiration_length_days = @hash[:cert_expiration_length_days] if @hash.key? :cert_expiration_length_days
     @ipv4_fallback_enabled       = @hash[:ipv4_fallback_enabled]       if @hash.key? :ipv4_fallback_enabled
 
-    @ssl_verify_mode  = @hash[:ssl_verify_mode]  if @hash.key? :ssl_verify_mode
-    @ssl_ca_cert      = @hash[:ssl_ca_cert]      if @hash.key? :ssl_ca_cert
-    @ssl_client_cert  = @hash[:ssl_client_cert]  if @hash.key? :ssl_client_cert
+    @home                        = @hash[:gemhome]                     if @hash.key? :gemhome
+    @path                        = @hash[:gempath]                     if @hash.key? :gempath
+    @sources                     = @hash[:sources]                     if @hash.key? :sources
+    @disable_default_gem_server  = @hash[:disable_default_gem_server]  if @hash.key? :disable_default_gem_server
+    @ssl_verify_mode             = @hash[:ssl_verify_mode]             if @hash.key? :ssl_verify_mode
+    @ssl_ca_cert                 = @hash[:ssl_ca_cert]                 if @hash.key? :ssl_ca_cert
+    @ssl_client_cert             = @hash[:ssl_client_cert]             if @hash.key? :ssl_client_cert
 
     @api_keys         = nil
     @rubygems_api_key = nil

data/lib/rubygems/gemspec_helpers.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative "../rubygems"
+
+##
+# Mixin methods for commands that work with gemspecs.
+
+module Gem::GemspecHelpers
+  def find_gemspec(glob = "*.gemspec")
+    gemspecs = Dir.glob(glob).sort
+
+    if gemspecs.size > 1
+      alert_error "Multiple gemspecs found: #{gemspecs}, please specify one"
+      terminate_interaction(1)
+    end
+
+    gemspecs.first
+  end
+end

data/lib/rubygems/package.rb

@@ -59,7 +59,7 @@ class Gem::Package
 
     def initialize(message, source = nil)
       if source
-        @path = source.path
+        @path = source.is_a?(String) ? source : source.path
 
         message += " in #{path}" if path
       end
@@ -454,7 +454,7 @@ EOM
 
         if entry.file?
           File.open(destination, "wb") {|out| copy_stream(entry, out) }
-          FileUtils.chmod file_mode(entry.header.mode), destination
+          FileUtils.chmod file_mode(entry.header.mode) & ~File.umask, destination
         end
 
         verbose destination

data/lib/rubygems/resolver/spec_specification.rb

@@ -66,4 +66,11 @@ class Gem::Resolver::SpecSpecification < Gem::Resolver::Specification
   def version
     spec.version
   end
+
+  ##
+  # The hash value for this specification.
+
+  def hash
+    spec.hash
+  end
 end

data/lib/rubygems.rb

@@ -9,7 +9,7 @@
 require "rbconfig"
 
 module Gem
-  VERSION = "3.5.7"
+  VERSION = "3.5.8"
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/rubygems-update.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = "rubygems-update"
-  s.version = "3.5.7"
+  s.version = "3.5.8"
   s.authors = ["Jim Weirich", "Chad Fowler", "Eric Hodel", "Luis Lavena", "Aaron Patterson", "Samuel Giddins", "André Arko", "Evan Phoenix", "Hiroshi SHIBATA"]
   s.email = ["", "", "drbrain@segment7.net", "luislavena@gmail.com", "aaron@tenderlovemaking.com", "segiddins@segiddins.me", "andre@arko.net", "evan@phx.io", "hsbt@ruby-lang.org"]