rubygems-update 3.6.7 → 3.6.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fabd6b3a8c9a1227a3e8ff908a04bf28135b91899339425536dbec5559ce3dc1
-  data.tar.gz: ec941700bc4d70da0affb1585808eaacc4031a325fa2d2fc06d4d5575cef051b
+  metadata.gz: a27b88f13655c46ac4a7e221526bba0507a4abb98fa767dae209ce8d5ee43a80
+  data.tar.gz: 4abec332a0660f5f8bda5f727e1e2b0f28fbb14f3d8739213a8ddb3eb7fee9cf
 SHA512:
-  metadata.gz: 219a1de618e568af684eadc59945d7f773e0fcb5e1e9c55510c8c2401911bf41a22f546414b0f01a24f4adabc8ba4cf28fc05078b817c49bf737601b1ca4925d
-  data.tar.gz: 5cb299dedf5e3eda38a970205e5354a326964efe7d70fc53b9444a4982c96dc0852d693cc3e1833e41a633bc13eec86f430e7e1d13da7b67676eceecc14d32dd
+  metadata.gz: 9e2c1e36afe7b9c34738b7e675d9a8eacaa7de0b748abe9abe8dcb02ac12201b66d6e7d65991608f1b3e9258307241c8b04d4f378dfabd3c1dcc234d4b041ba6
+  data.tar.gz: 171f85c2ef9b011cf049d8f415481ff7543723409a60ba30ab77caca83ee545db50d3fa1b3f18d4863d39cfcf44d8175f38b2319c24aaca5357479b56e09d4a6

data/CHANGELOG.md

@@ -1,3 +1,33 @@
+# 3.6.9 / 2025-05-13
+
+## Enhancements:
+
+* Add mtime to Gem::Package::TarWriter#add_file argument. Pull request
+  [#8673](https://github.com/rubygems/rubygems/pull/8673) by unasuke
+* Print webauthn authentication link as a separate line to make it easier
+  to visit. Pull request
+  [#8663](https://github.com/rubygems/rubygems/pull/8663) by mperham
+* Remove shellwords autoload. Pull request
+  [#8644](https://github.com/rubygems/rubygems/pull/8644) by
+  deivid-rodriguez
+* Installs bundler 2.6.9 as a default gem.
+
+## Performance:
+
+* Avoid unnecessary splat allocation. Pull request
+  [#8640](https://github.com/rubygems/rubygems/pull/8640) by jeremyevans
+
+## Documentation:
+
+* Fix typo in Changelog for 3.6.0 / 2024-12-16. Pull request
+  [#8638](https://github.com/rubygems/rubygems/pull/8638) by thatrobotdev
+
+# 3.6.8 / 2025-04-13
+
+## Enhancements:
+
+* Installs bundler 2.6.8 as a default gem.
+
 # 3.6.7 / 2025-04-03
 
 ## Enhancements:
@@ -166,7 +196,7 @@
 
 * Fix missing single quote in git source example. Pull request
   [#8303](https://github.com/rubygems/rubygems/pull/8303) by nobu
-* Update the `gem install` demo in REAME to use a gem that just works on
+* Update the `gem install` demo in README to use a gem that just works on
   Windows. Pull request
   [#8262](https://github.com/rubygems/rubygems/pull/8262) by soda92
 * Unify rubygems and bundler docs directory. Pull request

data/Manifest.txt

@@ -26,6 +26,8 @@ bundler/lib/bundler/cli/common.rb
 bundler/lib/bundler/cli/config.rb
 bundler/lib/bundler/cli/console.rb
 bundler/lib/bundler/cli/doctor.rb
+bundler/lib/bundler/cli/doctor/diagnose.rb
+bundler/lib/bundler/cli/doctor/ssl.rb
 bundler/lib/bundler/cli/exec.rb
 bundler/lib/bundler/cli/fund.rb
 bundler/lib/bundler/cli/gem.rb
@@ -518,7 +520,6 @@ lib/rubygems/security/policy.rb
 lib/rubygems/security/signer.rb
 lib/rubygems/security/trust_dir.rb
 lib/rubygems/security_option.rb
-lib/rubygems/shellwords.rb
 lib/rubygems/source.rb
 lib/rubygems/source/git.rb
 lib/rubygems/source/installed.rb

data/README.md

@@ -1,4 +1,4 @@
-# RubyGems [![Maintainability](https://api.codeclimate.com/v1/badges/30f913e9c2dd932132c1/maintainability)](https://codeclimate.com/github/rubygems/rubygems/maintainability)
+# RubyGems
 
 RubyGems is a package management framework for Ruby.
 

data/bundler/CHANGELOG.md

@@ -1,3 +1,28 @@
+# 2.6.9 (May 13, 2025)
+
+## Enhancements:
+
+  - Fix doctor command parsing of otool output [#8665](https://github.com/rubygems/rubygems/pull/8665)
+  - Add SSL troubleshooting to `bundle doctor` [#8624](https://github.com/rubygems/rubygems/pull/8624)
+  - Let `bundle lock --normalize-platforms` remove invalid platforms [#8631](https://github.com/rubygems/rubygems/pull/8631)
+
+## Bug fixes:
+
+  - Fix `bundle lock` sometimes allowing invalid platforms into the lockfile [#8630](https://github.com/rubygems/rubygems/pull/8630)
+  - Fix false positive warning about insecure materialization in frozen mode [#8629](https://github.com/rubygems/rubygems/pull/8629)
+
+# 2.6.8 (April 13, 2025)
+
+## Enhancements:
+
+  - Refine `bundle update --verbose` logs [#8627](https://github.com/rubygems/rubygems/pull/8627)
+  - Improve bug report instructions [#8607](https://github.com/rubygems/rubygems/pull/8607)
+
+## Bug fixes:
+
+  - Fix `bundle update` crash in an edge case [#8626](https://github.com/rubygems/rubygems/pull/8626)
+  - Fix `bundle lock --normalize-platforms` regression [#8620](https://github.com/rubygems/rubygems/pull/8620)
+
 # 2.6.7 (April 3, 2025)
 
 ## Enhancements:

data/bundler/lib/bundler/build_metadata.rb

@@ -5,7 +5,7 @@ module Bundler
   module BuildMetadata
     # begin ivars
     @built_at = "1980-01-02".freeze
-    @git_commit_sha = "32896b3570e".freeze
+    @git_commit_sha = "8a2a14d63da".freeze
     @release = true
     # end ivars
 

data/bundler/lib/bundler/cli/doctor/diagnose.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require "rbconfig"
+require "shellwords"
+
+module Bundler
+  class CLI::Doctor::Diagnose
+    DARWIN_REGEX = /\s+(.+) \(compatibility /
+    LDD_REGEX = /\t\S+ => (\S+) \(\S+\)/
+
+    attr_reader :options
+
+    def initialize(options)
+      @options = options
+    end
+
+    def otool_available?
+      Bundler.which("otool")
+    end
+
+    def ldd_available?
+      Bundler.which("ldd")
+    end
+
+    def dylibs_darwin(path)
+      output = `/usr/bin/otool -L #{path.shellescape}`.chomp
+      dylibs = output.split("\n")[1..-1].filter_map {|l| l.match(DARWIN_REGEX)&.match(1) }.uniq
+      # ignore @rpath and friends
+      dylibs.reject {|dylib| dylib.start_with? "@" }
+    end
+
+    def dylibs_ldd(path)
+      output = `/usr/bin/ldd #{path.shellescape}`.chomp
+      output.split("\n").filter_map do |l|
+        match = l.match(LDD_REGEX)
+        next if match.nil?
+        match.captures[0]
+      end
+    end
+
+    def dylibs(path)
+      case RbConfig::CONFIG["host_os"]
+      when /darwin/
+        return [] unless otool_available?
+        dylibs_darwin(path)
+      when /(linux|solaris|bsd)/
+        return [] unless ldd_available?
+        dylibs_ldd(path)
+      else # Windows, etc.
+        Bundler.ui.warn("Dynamic library check not supported on this platform.")
+        []
+      end
+    end
+
+    def bundles_for_gem(spec)
+      Dir.glob("#{spec.full_gem_path}/**/*.bundle")
+    end
+
+    def lookup_with_fiddle(path)
+      require "fiddle"
+      Fiddle.dlopen(path)
+      false
+    rescue Fiddle::DLError
+      true
+    end
+
+    def check!
+      require_relative "../check"
+      Bundler::CLI::Check.new({}).run
+    end
+
+    def diagnose_ssl
+      require_relative "ssl"
+      Bundler::CLI::Doctor::SSL.new({}).run
+    end
+
+    def run
+      Bundler.ui.level = "warn" if options[:quiet]
+      Bundler.settings.validate!
+      check!
+      diagnose_ssl if options[:ssl]
+
+      definition = Bundler.definition
+      broken_links = {}
+
+      definition.specs.each do |spec|
+        bundles_for_gem(spec).each do |bundle|
+          bad_paths = dylibs(bundle).select do |f|
+            lookup_with_fiddle(f)
+          end
+          if bad_paths.any?
+            broken_links[spec] ||= []
+            broken_links[spec].concat(bad_paths)
+          end
+        end
+      end
+
+      permissions_valid = check_home_permissions
+
+      if broken_links.any?
+        message = "The following gems are missing OS dependencies:"
+        broken_links.flat_map do |spec, paths|
+          paths.uniq.map do |path|
+            "\n * #{spec.name}: #{path}"
+          end
+        end.sort.each {|m| message += m }
+        raise ProductionError, message
+      elsif permissions_valid
+        Bundler.ui.info "No issues found with the installed bundle"
+      end
+    end
+
+    private
+
+    def check_home_permissions
+      require "find"
+      files_not_readable = []
+      files_not_readable_and_owned_by_different_user = []
+      files_not_owned_by_current_user_but_still_readable = []
+      broken_symlinks = []
+      Find.find(Bundler.bundle_path.to_s).each do |f|
+        if !File.exist?(f)
+          broken_symlinks << f
+        elsif !File.readable?(f)
+          if File.stat(f).uid != Process.uid
+            files_not_readable_and_owned_by_different_user << f
+          else
+            files_not_readable << f
+          end
+        elsif File.stat(f).uid != Process.uid
+          files_not_owned_by_current_user_but_still_readable << f
+        end
+      end
+
+      ok = true
+
+      if broken_symlinks.any?
+        Bundler.ui.warn "Broken links exist in the Bundler home. Please report them to the offending gem's upstream repo. These files are:\n - #{broken_symlinks.join("\n - ")}"
+
+        ok = false
+      end
+
+      if files_not_owned_by_current_user_but_still_readable.any?
+        Bundler.ui.warn "Files exist in the Bundler home that are owned by another " \
+          "user, but are still readable. These files are:\n - #{files_not_owned_by_current_user_but_still_readable.join("\n - ")}"
+
+        ok = false
+      end
+
+      if files_not_readable_and_owned_by_different_user.any?
+        Bundler.ui.warn "Files exist in the Bundler home that are owned by another " \
+          "user, and are not readable. These files are:\n - #{files_not_readable_and_owned_by_different_user.join("\n - ")}"
+
+        ok = false
+      end
+
+      if files_not_readable.any?
+        Bundler.ui.warn "Files exist in the Bundler home that are not " \
+          "readable by the current user. These files are:\n - #{files_not_readable.join("\n - ")}"
+
+        ok = false
+      end
+
+      ok
+    end
+  end
+end

data/bundler/lib/bundler/cli/doctor/ssl.rb

@@ -0,0 +1,249 @@
+# frozen_string_literal: true
+
+require "rubygems/remote_fetcher"
+require "uri"
+
+module Bundler
+  class CLI::Doctor::SSL
+    attr_reader :options
+
+    def initialize(options)
+      @options = options
+    end
+
+    def run
+      return unless openssl_installed?
+
+      output_ssl_environment
+      bundler_success = bundler_connection_successful?
+      rubygem_success = rubygem_connection_successful?
+
+      return unless net_http_connection_successful?
+
+      Explanation.summarize(bundler_success, rubygem_success, host)
+    end
+
+    private
+
+    def host
+      @options[:host] || "rubygems.org"
+    end
+
+    def tls_version
+      @options[:"tls-version"].then do |version|
+        "TLS#{version.sub(".", "_")}".to_sym if version
+      end
+    end
+
+    def verify_mode
+      mode = @options[:"verify-mode"] || :peer
+
+      @verify_mode ||= mode.then {|mod| OpenSSL::SSL.const_get("verify_#{mod}".upcase) }
+    end
+
+    def uri
+      @uri ||= URI("https://#{host}")
+    end
+
+    def openssl_installed?
+      require "openssl"
+
+      true
+    rescue LoadError
+      Bundler.ui.warn(<<~MSG)
+        Oh no! Your Ruby doesn't have OpenSSL, so it can't connect to #{host}.
+        You'll need to recompile or reinstall Ruby with OpenSSL support and try again.
+      MSG
+
+      false
+    end
+
+    def output_ssl_environment
+      Bundler.ui.info(<<~MESSAGE)
+        Here's your OpenSSL environment:
+
+        OpenSSL:       #{OpenSSL::VERSION}
+        Compiled with: #{OpenSSL::OPENSSL_VERSION}
+        Loaded with:   #{OpenSSL::OPENSSL_LIBRARY_VERSION}
+      MESSAGE
+    end
+
+    def bundler_connection_successful?
+      Bundler.ui.info("\nTrying connections to #{uri}:\n")
+
+      bundler_uri = Gem::URI(uri.to_s)
+      Bundler::Fetcher.new(
+        Bundler::Source::Rubygems::Remote.new(bundler_uri)
+      ).send(:connection).request(bundler_uri)
+
+      Bundler.ui.info("Bundler:       success")
+
+      true
+    rescue StandardError => error
+      Bundler.ui.warn("Bundler:       failed     (#{Explanation.explain_bundler_or_rubygems_error(error)})")
+
+      false
+    end
+
+    def rubygem_connection_successful?
+      Gem::RemoteFetcher.fetcher.fetch_path(uri)
+      Bundler.ui.info("RubyGems:      success")
+
+      true
+    rescue StandardError => error
+      Bundler.ui.warn("RubyGems:      failed     (#{Explanation.explain_bundler_or_rubygems_error(error)})")
+
+      false
+    end
+
+    def net_http_connection_successful?
+      ::Gem::Net::HTTP.new(uri.host, uri.port).tap do |http|
+        http.use_ssl = true
+        http.min_version = tls_version
+        http.max_version = tls_version
+        http.verify_mode = verify_mode
+      end.start
+
+      Bundler.ui.info("Ruby net/http: success")
+      warn_on_unsupported_tls12
+
+      true
+    rescue StandardError => error
+      Bundler.ui.warn(<<~MSG)
+        Ruby net/http: failed
+
+        Unfortunately, this Ruby can't connect to #{host}.
+
+        #{Explanation.explain_net_http_error(error, host, tls_version)}
+      MSG
+
+      false
+    end
+
+    def warn_on_unsupported_tls12
+      ctx = OpenSSL::SSL::SSLContext.new
+      supported = true
+
+      if ctx.respond_to?(:min_version=)
+        begin
+          ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
+        rescue OpenSSL::SSL::SSLError, NameError
+          supported = false
+        end
+      else
+        supported = OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2) # rubocop:disable Naming/VariableNumber
+      end
+
+      Bundler.ui.warn(<<~EOM) unless supported
+
+        WARNING: Although your Ruby can connect to #{host} today, your OpenSSL is very old!
+        WARNING: You will need to upgrade OpenSSL to use #{host}.
+
+      EOM
+    end
+
+    module Explanation
+      extend self
+
+      def explain_bundler_or_rubygems_error(error)
+        case error.message
+        when /certificate verify failed/
+          "certificate verification"
+        when /read server hello A/
+          "SSL/TLS protocol version mismatch"
+        when /tlsv1 alert protocol version/
+          "requested TLS version is too old"
+        else
+          error.message
+        end
+      end
+
+      def explain_net_http_error(error, host, tls_version)
+        case error.message
+        # Check for certificate errors
+        when /certificate verify failed/
+          <<~MSG
+            #{show_ssl_certs}
+            Your Ruby can't connect to #{host} because you are missing the certificate files OpenSSL needs to verify you are connecting to the genuine #{host} servers.
+          MSG
+        # Check for TLS version errors
+        when /read server hello A/, /tlsv1 alert protocol version/
+          if tls_version.to_s == "TLS1_3"
+            "Your Ruby can't connect to #{host} because #{tls_version} isn't supported yet.\n"
+          else
+            <<~MSG
+              Your Ruby can't connect to #{host} because your version of OpenSSL is too old.
+              You'll need to upgrade your OpenSSL install and/or recompile Ruby to use a newer OpenSSL.
+            MSG
+          end
+        # OpenSSL doesn't support TLS version specified by argument
+        when /unknown SSL method/
+          "Your Ruby can't connect because #{tls_version} isn't supported by your version of OpenSSL."
+        else
+          <<~MSG
+            Even worse, we're not sure why.
+
+            Here's the full error information:
+            #{error.class}: #{error.message}
+              #{error.backtrace.join("\n  ")}
+
+            You might have more luck using Mislav's SSL doctor.rb script. You can get it here:
+            https://github.com/mislav/ssl-tools/blob/8b3dec4/doctor.rb
+
+            Read more about the script and how to use it in this blog post:
+            https://mislav.net/2013/07/ruby-openssl/
+          MSG
+        end
+      end
+
+      def summarize(bundler_success, rubygems_success, host)
+        guide_url = "http://ruby.to/ssl-check-failed"
+
+        message = if bundler_success && rubygems_success
+          <<~MSG
+            Hooray! This Ruby can connect to #{host}.
+            You are all set to use Bundler and RubyGems.
+
+          MSG
+        elsif !bundler_success && !rubygems_success
+          <<~MSG
+            For some reason, your Ruby installation can connect to #{host}, but neither RubyGems nor Bundler can.
+            The most likely fix is to manually upgrade RubyGems by following the instructions at #{guide_url}.
+            After you've done that, run `gem install bundler` to upgrade Bundler, and then run this script again to make sure everything worked. ❣
+
+          MSG
+        elsif !bundler_success
+          <<~MSG
+            Although your Ruby installation and RubyGems can both connect to #{host}, Bundler is having trouble.
+            The most likely way to fix this is to upgrade Bundler by running `gem install bundler`.
+            Run this script again after doing that to make sure everything is all set.
+            If you're still having trouble, check out the troubleshooting guide at #{guide_url}.
+
+          MSG
+        else
+          <<~MSG
+            It looks like Ruby and Bundler can connect to #{host}, but RubyGems itself cannot.
+            You can likely solve this by manually downloading and installing a RubyGems update.
+            Visit #{guide_url} for instructions on how to manually upgrade RubyGems.
+
+          MSG
+        end
+
+        Bundler.ui.info("\n#{message}")
+      end
+
+      private
+
+      def show_ssl_certs
+        ssl_cert_file = ENV["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE
+        ssl_cert_dir  = ENV["SSL_CERT_DIR"]  || OpenSSL::X509::DEFAULT_CERT_DIR
+
+        <<~MSG
+          Below affect only Ruby net/http connections:
+          SSL_CERT_FILE: #{File.exist?(ssl_cert_file) ? "exists     #{ssl_cert_file}" : "is missing #{ssl_cert_file}"}
+          SSL_CERT_DIR:  #{Dir.exist?(ssl_cert_dir)   ? "exists     #{ssl_cert_dir}"  : "is missing #{ssl_cert_dir}"}
+        MSG
+      end
+    end
+  end
+end