rubygems-update 2.1.0.rc.2 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7da132d518c17a925f7ab5d00e1017bd8cce49d4
-  data.tar.gz: ee8eb91dc1ea06f0784dc4924a2563d109ce0138
+  metadata.gz: 55bcc2565aada10c6c7710d6e7838ea85f6c1f94
+  data.tar.gz: c20b2a65ba400f0f6d870f0337d48982d61e25cf
 SHA512:
-  metadata.gz: 66a6e4769192f4c73ea72e465228dfee2e3145c0bcb836398a093deb621bf7be0650ca6ca9ac4d1146887997b179aac891a007017dea8749276ae8bafc5b19b8
-  data.tar.gz: ae9cc7d9106c3d141b2ea1100d279f1f94b05cdd4e817dc8e22795415df9b67a8a504b0d410232b9c4ad8bc0928e3cbed8afdc41cbf0e6c76e9479ea27a1ff0c
+  metadata.gz: d3d07022f951f289b684e8591b2f5d3aa5f0db7246f04169424f5641f559ce1dad1d78ed6e83c0e29871c71284609ebefda43a9f98ba5bb43b8711af0446ff88
+  data.tar.gz: d1a3cb1b550833963887bd2701a6daabf9f8c7d0b5bedd5dc14146fe00f6e4829ab087d90b1ddef33cdf8d6ab67e4ea3f76489f75bcd3973c1c56e9fbfe8219f

data/.autotest

@@ -6,7 +6,7 @@ require 'autotest/restart'
 require 'autotest/isolate'
 
 Autotest.add_hook :initialize do |at|
-  at.testlib = 'minitest/autorun'
+  at.testlib = ''
 
   at.add_exception %r%/\.git/%
   at.add_exception %r%/\.svn/%

data/CVE-2013-4287.txt

@@ -0,0 +1,36 @@
+= Algorithmic complexity vulnerability in RubyGems 2.0.7 and older
+
+RubyGems validates versions with a regular expression that is vulnerable to
+denial of service due to a backtracking regular expression.  For specially
+crafted RubyGems versions attackers can cause denial of service through CPU
+consumption.
+
+RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.
+
+Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded
+versions of RubyGems.
+
+It does not appear to be possible to exploit this vulnerability by installing a
+gem for RubyGems 1.8.x or 2.0.x.  Vulnerable uses of RubyGems API include
+packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask),
+sending user input to Gem::Version.new, Gem::Version.correct? or use of the
+Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN
+constants.
+
+Notably, users of bundler that install gems from git are vulnerable if a
+malicious author changes the gemspec to an invalid version.
+
+The vulnerability can be fixed by changing the first grouping to an atomic
+grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb.  For
+RubyGems 2.0.x:
+
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+
+For RubyGems 1.8.x:
+
+  -  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc:
+  +  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+
+This vulnerability was discovered by Damir Sharipov <dammer2k@gmail.com>
+

data/History.txt

@@ -1,6 +1,13 @@
 # coding: UTF-8
 
-=== 2.1.0.rc.2
+=== 2.1.0 / 2013-09-09
+
+Security fixes:
+
+* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4287 for full details
+  including vulnerable APIs.  Fixed versions include 2.0.8, 1.8.26 and
+  1.8.23.1 (for Ruby 1.9.3).  Issue #626 by Damir Sharipov.
 
 Major enhancements:
 
@@ -83,9 +90,15 @@ Minor enhancements:
 Bug fixes:
 
 * rubygems_plugin.rb files are now only loaded from the latest installed gem.
+* Fixed Gem.clear_paths when Security is defined at top-level.  Pull request
+  #625 by elarkin
+* Fixed credential creation for `gem push` when `--host` is not given.  Pull
+  request #622 by Arthur Nogueira Neves
 
 === 2.0.7 / 2013-08-15
 
+Bug fixes:
+
 * Extensions may now be built in parallel (therefore gems may be installed in
   parallel).  Bug #607 by Hemant Kumar.
 * Changed broken link to RubyGems Bookshelf to point to RubyGems guides.  Ruby

data/Manifest.txt

@@ -1,5 +1,6 @@
 .autotest
 .document
+CVE-2013-4287.txt
 History.txt
 LICENSE.txt
 MIT.txt
@@ -230,7 +231,12 @@ test/rubygems/test_gem_dependency.rb
 test/rubygems/test_gem_dependency_installer.rb
 test/rubygems/test_gem_dependency_list.rb
 test/rubygems/test_gem_dependency_resolver.rb
+test/rubygems/test_gem_dependency_resolver_api_specification.rb
 test/rubygems/test_gem_dependency_resolver_dependency_conflict.rb
+test/rubygems/test_gem_dependency_resolver_index_set.rb
+test/rubygems/test_gem_dependency_resolver_index_specification.rb
+test/rubygems/test_gem_dependency_resolver_installed_specification.rb
+test/rubygems/test_gem_dependency_resolver_installer_set.rb
 test/rubygems/test_gem_doctor.rb
 test/rubygems/test_gem_ext_builder.rb
 test/rubygems/test_gem_ext_cmake_builder.rb

data/Rakefile

@@ -56,7 +56,9 @@ hoe = Hoe.spec 'rubygems-update' do
   dependency 'rake',          '~> 0.9.3', :dev
   dependency 'minitest',      '~> 4.0',   :dev
 
-  self.extra_rdoc_files = Dir["*.rdoc"]
+  self.extra_rdoc_files = Dir["*.rdoc"] + %w[
+    CVE-2013-4287.txt
+  ]
 
   spec_extras['rdoc_options'] = proc do |rdoc_options|
     rdoc_options << "--title=RubyGems Update Documentation"

data/lib/rubygems.rb

@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = '2.1.0.rc.2'
+  VERSION = '2.1.0'
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -315,7 +315,7 @@ module Gem
     @paths         = nil
     @user_home     = nil
     Gem::Specification.reset
-    Gem::Security.reset if const_defined? :Security
+    Gem::Security.reset if defined?(Gem::Security)
   end
 
   ##

data/lib/rubygems/dependency_resolver.rb

@@ -79,7 +79,9 @@ class Gem::DependencyResolver
     needed = nil
 
     @needed.reverse_each do |n|
-      needed = Gem::List.new(Gem::DependencyResolver::DependencyRequest.new(n, nil), needed)
+      request = Gem::DependencyResolver::DependencyRequest.new n, nil
+
+      needed = Gem::List.new request, needed
     end
 
     res = resolve_for needed, nil
@@ -162,7 +164,9 @@ class Gem::DependencyResolver
 
         # Sort them so that we try the highest versions
         # first.
-        possible = possible.sort_by { |s| [s.source, s.version] }
+        possible = possible.sort_by do |s|
+          [s.source, s.version, s.platform == Gem::Platform::RUBY ? -1 : 1]
+        end
 
         # We track the conflicts seen so that we can report them
         # to help the user figure out how to fix the situation.

data/lib/rubygems/dependency_resolver/api_specification.rb

@@ -8,6 +8,7 @@ class Gem::DependencyResolver::APISpecification
 
   attr_reader :dependencies
   attr_reader :name
+  attr_reader :platform
   attr_reader :set # :nodoc:
   attr_reader :version
 
@@ -15,6 +16,7 @@ class Gem::DependencyResolver::APISpecification
     @set = set
     @name = api_data[:name]
     @version = Gem::Version.new api_data[:number]
+    @platform = api_data[:platform]
     @dependencies = api_data[:dependencies].map do |name, ver|
       Gem::Dependency.new name, ver.split(/\s*,\s*/)
     end
@@ -25,6 +27,7 @@ class Gem::DependencyResolver::APISpecification
       @set          == other.set and
       @name         == other.name and
       @version      == other.version and
+      @platform     == other.platform and
       @dependencies == other.dependencies
   end
 

data/lib/rubygems/dependency_resolver/index_set.rb

@@ -43,9 +43,14 @@ class Gem::DependencyResolver::IndexSet
   # Called from IndexSpecification to get a true Specification
   # object.
 
-  def load_spec name, ver, source
-    key = "#{name}-#{ver}"
-    @specs[key] ||= source.fetch_spec(Gem::NameTuple.new(name, ver))
+  def load_spec name, ver, platform, source
+    key = "#{name}-#{ver}-#{platform}"
+
+    @specs.fetch key do
+      tuple = Gem::NameTuple.new name, ver, platform
+
+      @specs[key] = source.fetch_spec tuple
+    end
   end
 
   ##

data/lib/rubygems/dependency_resolver/index_specification.rb

@@ -8,6 +8,8 @@ class Gem::DependencyResolver::IndexSpecification
 
   attr_reader :name
 
+  attr_reader :platform
+
   attr_reader :source
 
   attr_reader :version
@@ -39,14 +41,19 @@ class Gem::DependencyResolver::IndexSpecification
       q.breakable
       q.text full_name
 
+      unless Gem::Platform::RUBY == @platform then
+        q.breakable
+        q.text @platform
+      end
+
       q.breakable
-      q.text ' source '
+      q.text 'source '
       q.pp @source
     end
   end
 
   def spec
-    @spec ||= @set.load_spec(@name, @version, @source)
+    @spec ||= @set.load_spec(@name, @version, @platform, @source)
   end
 
 end

data/lib/rubygems/dependency_resolver/installed_specification.rb

@@ -26,6 +26,10 @@ class Gem::DependencyResolver::InstalledSpecification
     @spec.name
   end
 
+  def platform
+    @spec.platform
+  end
+
   def source
     @source ||= Gem::Source::Installed.new
   end

data/lib/rubygems/dependency_resolver/installer_set.rb

@@ -115,9 +115,14 @@ class Gem::DependencyResolver::InstallerSet
   # Called from IndexSpecification to get a true Specification
   # object.
 
-  def load_spec name, ver, source
-    key = "#{name}-#{ver}"
-    @specs[key] ||= source.fetch_spec Gem::NameTuple.new name, ver
+  def load_spec name, ver, platform, source
+    key = "#{name}-#{ver}-#{platform}"
+
+    @specs.fetch key do
+      tuple = Gem::NameTuple.new name, ver, platform
+
+      @specs[key] = source.fetch_spec tuple
+    end
   end
 
   ##

data/lib/rubygems/gemcutter_utilities.rb

@@ -77,7 +77,8 @@ module Gem::GemcutterUtilities
   # Signs in with the RubyGems API at +sign_in_host+ and sets the rubygems API
   # key.
 
-  def sign_in sign_in_host = self.host
+  def sign_in sign_in_host = nil
+    sign_in_host ||= self.host
     return if Gem.configuration.rubygems_api_key
 
     pretty_host = if Gem::DEFAULT_HOST == sign_in_host then

data/lib/rubygems/request_set.rb

@@ -28,7 +28,10 @@ class Gem::RequestSet
 
     @always_install = []
     @development    = false
+    @requests       = []
     @soft_missing   = false
+    @sorted         = nil
+    @specs          = nil
 
     yield self if block_given?
   end

data/lib/rubygems/spec_fetcher.rb

@@ -200,8 +200,11 @@ class Gem::SpecFetcher
                 when :released
                   tuples_for source, :released
                 when :complete
-                  tuples_for(source, :prerelease, true) +
+                  names =
+                    tuples_for(source, :prerelease, true) +
                     tuples_for(source, :released)
+
+                  names.sort
                 when :prerelease
                   tuples_for(source, :prerelease)
                 else

data/lib/rubygems/specification.rb

@@ -34,7 +34,7 @@ class Date; end
 #     s.homepage    = 'https://rubygems.org/gems/example'
 #   end
 #
-# Starting in RubyGems 1.9.0, a Specification can hold arbitrary
+# Starting in RubyGems 2.0, a Specification can hold arbitrary
 # metadata. This metadata is accessed via Specification#metadata
 # and has the following restrictions:
 #
@@ -2097,7 +2097,6 @@ class Gem::Specification < Gem::BasicSpecification
   # Returns an object you can use to sort specifications in #sort_by.
 
   def sort_obj
-    # TODO: this is horrible. Deprecate it.
     [@name, @version, @new_platform == Gem::Platform::RUBY ? -1 : 1]
   end
 

data/lib/rubygems/test_case.rb

@@ -1097,7 +1097,11 @@ Also, a list:
 
   class StaticSet
     def initialize(specs)
-      @specs = specs.sort_by { |s| s.full_name }
+      @specs = specs
+    end
+
+    def add spec
+      @specs << spec
     end
 
     def find_spec(dep)
@@ -1110,6 +1114,15 @@ Also, a list:
       @specs.find_all { |s| dep.matches_spec? s }
     end
 
+    def load_spec name, ver, platform, source
+      dep = Gem::Dependency.new name, ver
+      spec = find_spec dep
+
+      Gem::Specification.new spec.name, spec.version do |s|
+        s.platform = spec.platform
+      end
+    end
+
     def prefetch(reqs)
     end
   end

data/lib/rubygems/version.rb

@@ -147,7 +147,7 @@ class Gem::Version
 
   # FIX: These are only used once, in .correct?. Do they deserve to be
   # constants?
-  VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
   ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
 
   ##

data/test/rubygems/test_gem_dependency_resolver.rb

@@ -66,6 +66,27 @@ class TestGemDependencyResolver < Gem::TestCase
     assert_set [a2], res.resolve
   end
 
+  def test_picks_best_platform
+    is = Gem::DependencyResolver::IndexSpecification
+    a2_p = quick_spec 'a' do |s| s.platform = Gem::Platform.local end
+    version = Gem::Version.new 2
+    source = Gem::Source.new @gem_repo
+
+    s = set
+
+    a2   = is.new s, 'a', version, source, Gem::Platform::RUBY
+    a2_p = is.new s, 'a', version, source, Gem::Platform.local.to_s
+
+    s.add a2_p
+    s.add a2
+
+    ad = make_dep "a"
+
+    res = Gem::DependencyResolver.new([ad], s)
+
+    assert_set [a2_p], res.resolve
+  end
+
   def test_only_returns_spec_once
     a1 = util_spec "a", "1", "c" => "= 1"
     b1 = util_spec "b", "1", "c" => "= 1"

data/test/rubygems/test_gem_dependency_resolver_api_specification.rb

@@ -0,0 +1,33 @@
+require 'rubygems/test_case'
+require 'rubygems/dependency_resolver'
+
+class TestGemDependencyResolverAPISpecification < Gem::TestCase
+
+  def test_initialize
+    set = Gem::DependencyResolver::APISet.new
+    data = {
+      :name     => 'rails',
+      :number   => '3.0.3',
+      :platform => 'ruby',
+      :dependencies => [
+        ['bundler',  '~> 1.0'],
+        ['railties', '= 3.0.3'],
+      ],
+    }
+
+    spec = Gem::DependencyResolver::APISpecification.new set, data
+
+    assert_equal 'rails',                   spec.name
+    assert_equal Gem::Version.new('3.0.3'), spec.version
+    assert_equal Gem::Platform::RUBY,       spec.platform
+
+    expected = [
+      Gem::Dependency.new('bundler',  '~> 1.0'),
+      Gem::Dependency.new('railties', '= 3.0.3'),
+    ]
+
+    assert_equal expected, spec.dependencies
+  end
+
+end
+

data/test/rubygems/test_gem_dependency_resolver_index_set.rb

@@ -0,0 +1,53 @@
+require 'rubygems/test_case'
+require 'rubygems/dependency_resolver'
+
+class TestGemDependencyResolverIndexSet < Gem::TestCase
+
+  def test_load_spec
+    @fetcher = Gem::FakeFetcher.new
+    Gem::RemoteFetcher.fetcher = @fetcher
+
+    a_2   = quick_spec 'a', 2
+    a_2_p = quick_spec 'a', 2 do |s| s.platform = Gem::Platform.local end
+
+    Gem::Specification.add_specs a_2, a_2_p
+
+    util_setup_spec_fetcher a_2, a_2_p
+
+    source = Gem::Source.new @gem_repo
+    version = v 2
+
+    set = Gem::DependencyResolver::IndexSet.new
+
+    spec = set.load_spec 'a', version, Gem::Platform.local, source
+
+    assert_equal a_2_p.full_name, spec.full_name
+  end
+
+  def test_load_spec_cached
+    @fetcher = Gem::FakeFetcher.new
+    Gem::RemoteFetcher.fetcher = @fetcher
+
+    a_2   = quick_spec 'a', 2
+    a_2_p = quick_spec 'a', 2 do |s| s.platform = Gem::Platform.local end
+
+    Gem::Specification.add_specs a_2, a_2_p
+
+    util_setup_spec_fetcher a_2, a_2_p
+
+    source = Gem::Source.new @gem_repo
+    version = v 2
+
+    set = Gem::DependencyResolver::IndexSet.new
+
+    first = set.load_spec 'a', version, Gem::Platform.local, source
+
+    util_setup_spec_fetcher # clear
+
+    second = set.load_spec 'a', version, Gem::Platform.local, source
+
+    assert_same first, second
+  end
+
+end
+

data/test/rubygems/test_gem_dependency_resolver_index_specification.rb

@@ -0,0 +1,46 @@
+require 'rubygems/test_case'
+require 'rubygems/dependency_resolver'
+
+class TestGemDependencyResolverIndexSpecification < Gem::TestCase
+
+  def test_initialize
+    set     = Gem::DependencyResolver::IndexSet.new
+    source  = Gem::Source.new @gem_repo
+    version = Gem::Version.new '3.0.3'
+
+    spec = Gem::DependencyResolver::IndexSpecification.new(
+      set, 'rails', version, source, Gem::Platform::RUBY)
+
+    assert_equal 'rails',             spec.name
+    assert_equal version,             spec.version
+    assert_equal Gem::Platform::RUBY, spec.platform
+
+    assert_equal source, spec.source
+  end
+
+  def test_spec
+    @fetcher = Gem::FakeFetcher.new
+    Gem::RemoteFetcher.fetcher = @fetcher
+
+    a_2   = quick_spec 'a', 2
+    a_2_p = quick_spec 'a', 2 do |s| s.platform = Gem::Platform.local end
+
+    Gem::Specification.add_specs a_2, a_2_p
+
+    util_setup_spec_fetcher a_2, a_2_p
+
+    source = Gem::Source.new @gem_repo
+    version = v 2
+
+    set = Gem::DependencyResolver::IndexSet.new
+    i_spec = Gem::DependencyResolver::IndexSpecification.new \
+      set, 'a', version, source, Gem::Platform.local
+
+    spec = i_spec.spec
+
+    assert_equal a_2_p.full_name, spec.full_name
+  end
+
+
+end
+

data/test/rubygems/test_gem_dependency_resolver_installed_specification.rb

@@ -0,0 +1,19 @@
+require 'rubygems/test_case'
+require 'rubygems/dependency_resolver'
+
+class TestGemDependencyResolverInstalledSpecification < Gem::TestCase
+
+  def test_initialize
+    set     = Gem::DependencyResolver::CurrentSet.new
+
+    source_spec = quick_spec 'a'
+
+    spec = Gem::DependencyResolver::InstalledSpecification.new set, source_spec
+
+    assert_equal 'a',                 spec.name
+    assert_equal Gem::Version.new(2), spec.version
+    assert_equal Gem::Platform::RUBY, spec.platform
+  end
+
+end
+

data/test/rubygems/test_gem_dependency_resolver_installer_set.rb

@@ -0,0 +1,28 @@
+require 'rubygems/test_case'
+require 'rubygems/dependency_resolver'
+
+class TestGemDependencyResolverInstallerSet < Gem::TestCase
+
+  def test_load_spec
+    @fetcher = Gem::FakeFetcher.new
+    Gem::RemoteFetcher.fetcher = @fetcher
+
+    a_2   = quick_spec 'a', 2
+    a_2_p = quick_spec 'a', 2 do |s| s.platform = Gem::Platform.local end
+
+    Gem::Specification.add_specs a_2, a_2_p
+
+    util_setup_spec_fetcher a_2, a_2_p
+
+    source = Gem::Source.new @gem_repo
+    version = v 2
+
+    set = Gem::DependencyResolver::InstallerSet.new :remote
+
+    spec = set.load_spec 'a', version, Gem::Platform.local, source
+
+    assert_equal a_2_p.full_name, spec.full_name
+  end
+
+end
+

data/test/rubygems/test_gem_gemcutter_utilities.rb

@@ -101,7 +101,7 @@ class TestGemGemcutterUtilities < Gem::TestCase
   def test_sign_in_with_host
     api_key     = 'a5fdbb6ba150cbb83aad2bb2fede64cf040453903'
 
-    util_sign_in [api_key, 200, 'OK'], 'http://example.com', :param
+    util_sign_in [api_key, 200, 'OK'], 'http://example.com', ['http://example.com']
 
     assert_match "Enter your http://example.com credentials.",
                  @sign_in_ui.output
@@ -112,6 +112,20 @@ class TestGemGemcutterUtilities < Gem::TestCase
     assert_equal api_key, credentials[:rubygems_api_key]
   end
 
+  def test_sign_in_with_host_nil
+    api_key     = 'a5fdbb6ba150cbb83aad2bb2fede64cf040453903'
+
+    util_sign_in [api_key, 200, 'OK'], nil, [nil]
+
+    assert_match "Enter your RubyGems.org credentials.",
+                 @sign_in_ui.output
+    assert @fetcher.last_request["authorization"]
+    assert_match %r{Signed in.}, @sign_in_ui.output
+
+    credentials = YAML.load_file Gem.configuration.credentials_path
+    assert_equal api_key, credentials[:rubygems_api_key]
+  end
+
   def test_sign_in_with_host_ENV
     api_key     = 'a5fdbb6ba150cbb83aad2bb2fede64cf040453903'
     util_sign_in [api_key, 200, 'OK'], 'http://example.com'
@@ -163,14 +177,14 @@ class TestGemGemcutterUtilities < Gem::TestCase
     assert_match %r{Access Denied.}, @sign_in_ui.output
   end
 
-  def util_sign_in response, host = nil, style = :ENV
+  def util_sign_in response, host = nil, args = []
     skip 'Always uses $stdin on windows' if Gem.win_platform?
 
     email    = 'you@example.com'
     password = 'secret'
 
     if host
-      ENV['RUBYGEMS_HOST'] = host if style == :ENV
+      ENV['RUBYGEMS_HOST'] = host
     else
       host = Gem.host
     end
@@ -182,8 +196,8 @@ class TestGemGemcutterUtilities < Gem::TestCase
     @sign_in_ui = Gem::MockGemUi.new "#{email}\n#{password}\n"
 
     use_ui @sign_in_ui do
-      if style == :param then
-        @cmd.sign_in host
+      if args.length > 0 then
+        @cmd.sign_in(*args)
       else
         @cmd.sign_in
       end
@@ -209,4 +223,3 @@ class TestGemGemcutterUtilities < Gem::TestCase
   end
 
 end
-

data/test/rubygems/test_gem_spec_fetcher.rb

@@ -168,7 +168,7 @@ class TestGemSpecFetcher < Gem::TestCase
     specs, _ = @sf.available_specs(:latest)
 
     assert_equal [@source], specs.keys
-    assert_equal @latest_specs, specs[@source].sort
+    assert_equal @latest_specs, specs[@source]
   end
 
   def test_available_specs_released
@@ -176,7 +176,7 @@ class TestGemSpecFetcher < Gem::TestCase
 
     assert_equal [@source], specs.keys
 
-    assert_equal @released, specs[@source].sort
+    assert_equal @released, specs[@source]
   end
 
   def test_available_specs_complete
@@ -184,9 +184,9 @@ class TestGemSpecFetcher < Gem::TestCase
 
     assert_equal [@source], specs.keys
 
-    comp = @prerelease_specs + @released
+    expected = (@prerelease_specs + @released).sort
 
-    assert_equal comp.sort, specs[@source].sort
+    assert_equal expected, specs[@source]
   end
 
   def test_available_specs_complete_handles_no_prerelease
@@ -197,12 +197,9 @@ class TestGemSpecFetcher < Gem::TestCase
 
     assert_equal [@source], specs.keys
 
-    comp = @released
-
-    assert_equal comp.sort, specs[@source].sort
+    assert_equal @released, specs[@source]
   end
 
-
   def test_available_specs_cache
     specs, _ = @sf.available_specs(:latest)
 
@@ -230,7 +227,7 @@ class TestGemSpecFetcher < Gem::TestCase
   def test_available_specs_prerelease
     specs, _ = @sf.available_specs(:prerelease)
 
-    assert_equal @prerelease_specs, specs[@source].sort
+    assert_equal @prerelease_specs, specs[@source]
   end
 
   def test_available_specs_with_bad_source

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.1.0.rc.2
+  version: 2.1.0
 platform: ruby
 authors:
 - Jim Weirich
@@ -32,7 +32,7 @@ cert_chain:
   KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
   wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
   -----END CERTIFICATE-----
-date: 2013-08-26 00:00:00.000000000 Z
+date: 2013-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -163,6 +163,7 @@ executables:
 - update_rubygems
 extensions: []
 extra_rdoc_files:
+- CVE-2013-4287.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -173,6 +174,7 @@ extra_rdoc_files:
 files:
 - .autotest
 - .document
+- CVE-2013-4287.txt
 - History.txt
 - LICENSE.txt
 - MIT.txt
@@ -403,7 +405,12 @@ files:
 - test/rubygems/test_gem_dependency_installer.rb
 - test/rubygems/test_gem_dependency_list.rb
 - test/rubygems/test_gem_dependency_resolver.rb
+- test/rubygems/test_gem_dependency_resolver_api_specification.rb
 - test/rubygems/test_gem_dependency_resolver_dependency_conflict.rb
+- test/rubygems/test_gem_dependency_resolver_index_set.rb
+- test/rubygems/test_gem_dependency_resolver_index_specification.rb
+- test/rubygems/test_gem_dependency_resolver_installed_specification.rb
+- test/rubygems/test_gem_dependency_resolver_installer_set.rb
 - test/rubygems/test_gem_doctor.rb
 - test/rubygems/test_gem_ext_builder.rb
 - test/rubygems/test_gem_ext_cmake_builder.rb
@@ -485,7 +492,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rubygems-update
-rubygems_version: 2.0.7
+rubygems_version: 2.1.0
 signing_key: 
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby
@@ -531,7 +538,12 @@ test_files:
 - test/rubygems/test_gem_dependency_installer.rb
 - test/rubygems/test_gem_dependency_list.rb
 - test/rubygems/test_gem_dependency_resolver.rb
+- test/rubygems/test_gem_dependency_resolver_api_specification.rb
 - test/rubygems/test_gem_dependency_resolver_dependency_conflict.rb
+- test/rubygems/test_gem_dependency_resolver_index_set.rb
+- test/rubygems/test_gem_dependency_resolver_index_specification.rb
+- test/rubygems/test_gem_dependency_resolver_installed_specification.rb
+- test/rubygems/test_gem_dependency_resolver_installer_set.rb
 - test/rubygems/test_gem_doctor.rb
 - test/rubygems/test_gem_ext_builder.rb
 - test/rubygems/test_gem_ext_cmake_builder.rb