rubygems-update 2.4.8 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 628e3b112ee81a73e5c1570bd8d92f656cd1270a
-  data.tar.gz: d3bdbbcfba8a3ec257cd6e55946cf6afb6e6eba9
+  metadata.gz: 6942268616ad45a23f4f41e7f073dcf914f004f6
+  data.tar.gz: f96fe2747ff20777d3d823fc71d2e0311a913ac0
 SHA512:
-  metadata.gz: 5874130383cb363d0f953b09df44484bd9f21595f371f712b1566cb4cc8e5aee34cb01953a661afb077dc4fa89658c0735f3502888a44f31b1cdd135a7e1d818
-  data.tar.gz: b3c162f82fe34a9436a8c46834285dfb64c59f2af57dee90a83f23c3ae4fe49347a4a399dbe645cc1e06736e98df853fa637e0ab9f90ee9a0a1b0cb2bf5b8fa9
+  metadata.gz: eaa189a001aebd337b78364031caa2b0670bba9eda11e994a8b43990618c346f61989dff990b0deb3d451cf2faebb077077b3329e9bda0f1f6878a794e53c617
+  data.tar.gz: 7dd8fff88d8e65a699fa35999b79502c1428e9bcb8afb4c95fa49748382bb10240abad513242e99c588556e3aec6348976e6cf472cf7e6f765dc5e9c5061c3e5

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,40 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct. By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently applying these
+principles to every aspect of managing this project. Project maintainers who do
+not follow or enforce the Code of Conduct may be permanently removed from the
+project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by opening an issue or contacting one or more of the project
+maintainers.
+
+This Code of Conduct is adapted from the [Contributor
+Covenant](http://contributor-covenant.org), version 1.2.0, available at
+[http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

data/CVE-2015-3900.txt

@@ -0,0 +1,40 @@
+= Request hijacking vulnerability in RubyGems 2.4.6 and earlier
+
+RubyGems provides the ability of a domain to direct clients to a separate
+host that is used to fetch gems and make API calls against. This mechanism
+is implemented via DNS, specificly a SRV record _rubygems._tcp under the
+original requested domain.
+
+For example, this is the one that users who use rubygems.org see:
+
+  > dig _rubygems._tcp.rubygems.org SRV
+
+  ;; ANSWER SECTION:
+  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 api.rubygems.org.
+
+RubyGems did not validate the hostname returned in the SRV record before
+sending requests to it.
+
+This left clients open to a DNS hijack attack, whereby an attacker could
+return a SRV of their choosing and get the client to use it. For example:
+
+  > dig _rubygems._tcp.rubygems.org SRV
+
+  ;; ANSWER SECTION:
+  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 gems.nottobetrusted.wtf
+
+The fix, detailed at https://github.com/rubygems/rubygems/commit/6bbee35,
+shows that we validate the record now to be under the original domain. This
+restricts the client to be using the original trust/security domain as they
+would have otherwise.
+
+RubyGems versions between 2.0 and 2.4.6 are vulnerable.
+
+RubyGems version 2.0.16, 2.2.4, and 2.4.7 have been released that fix this
+issue.
+
+Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded
+versions of RubyGems.
+
+This vulnerability was reported by Jonathan Claudius <JClaudius@trustwave.com>.
+

data/History.txt

@@ -1,5 +1,136 @@
 # coding: UTF-8
 
+=== 2.5.0
+
+Major enhancements:
+
+* Added the Gem::Licenses class which provides a set of standard license
+  identifiers as set by spdx.org. This is now used by the
+  Gem::Specification#license attribute to try to standardize (though not
+  enforce) licenses set by gem authors.
+
+  Pull request #1249 by Kyle Mitchell.
+
+Minor enhancements:
+
+* Use Molinillo as the resolver library.  This is the same resolver as used by
+  Bundler.  Pull request #1189 by Samuel E. Giddins.
+* Add `--skip=gem_name` to Pristine command.  Pull request #1018 by windwiny.
+* The parsed gem dependencies file is now available via Gem.gemdeps following
+  Gem.use_gemdeps.  Pull request #1224 by Hsing-Hui Hsu, issue #1213 by
+  Michal Papis.
+* Moved description attribute to recommended for Gem::Specification.
+  Pull request #1046 by Michal Papis
+* Moved `Gem::Indexer#abbreviate` and `#sanitize` to `Gem::Specification`.
+  Pull request #1145 by Arthur Nogueira Neves
+* Cache Gem::Version segments for `#bump` and `#release`.
+  Pull request #1131 by Matijs van Zuijlen
+* Fix edge case in `levenshtein_distance` for comparing longer strings.
+  Pull request #1173 by Richard Schneeman
+* Remove duplication from List#to_a, improving from O(n^2) to O(n) time.
+  Pull request #1200 by Marc Siegel.
+* Gem::Specification.add_specs is deprecated and will be removed from version
+  3.0 with no replacement.  To add specs, install the gem, then reset the
+  cache.
+* Gem::Specification.add_spec is deprecated and will be removed from version
+  3.0 with no replacement.  To add specs, install the gem, then reset the
+  cache.
+* Gem::Specification.remove_spec is deprecated and will be removed from version
+  3.0 with no replacement.  To remove specs, uninstall the gem, then reset the
+  cache by calling Gem::Specification.reset.
+* Call Array#compact before calling Array#uniq for minor speed improvement in
+  the Gem::Specification#files method.
+  Pull request #1253 by Marat Amerov.
+* Use stringio instead of custom String classes.
+  Pull request #1250 by Petr Skocik.
+* Use URI#host instead of URI#hostname to retain backwards compatibility with
+  Ruby 1.9.2 and earlier in util library.
+  Pull request #1288 by Joe Rafaniello.
+* Documentation update for gem sources.
+  Pull request #1324 by Ilya Vassilevsky.
+* Documentation update for required_ruby_version.
+  Pull request #1321 by Matt Patterson.
+* Documentation update for gem update.
+  Pull request #1306 by Tim Blair.
+* Emit a warning on SRV resolve failure.
+  Pull request #1023 by Ivan Kuchin.
+* Allow duplicate dependencies between runtime and development.
+  Pull request #1032 by Murray Steele.
+* The gem env command now shows the user installation directory.
+  Pull request #1343 by Luis Sagastume.
+* The Gem::Platform#=== method now treats a nil cpu arch the same as 'universal'.
+  Pull request #1356 by Daniel Berger.
+* Improved memory performance in Gem::Specification.traverse.  Pull request
+  #1188 by Aaron Patterson.
+* RubyGems packages now support symlinks.  Pull request #1209 by Samuel E.
+  Giddins.
+* RubyGems no longer outputs mkmf.log if it does not exist.  Pull request
+  #1222 by Andrew Hooker.
+* Added Bitrig platform.  Pull request #1233 by John C. Vernaleo.
+* Improved error message for first-time RubyGems developers.  Pull request
+  #1241 by André Arko
+* Improved performance of Gem::Specification#load with cached specs.  Pull
+  request #1297 by Samuel E. Giddins.
+* Gem::RemoteFetcher allows users to set HTTP headers.  Pull request #1363 by
+  Agis Anastasopoulos.
+
+Bug fixes:
+
+* Fixed Rake homepage url in example for Gem::Specification#homepage.
+  Pull request #1171 by Arthur Nogueira Neves
+* Don't crash if partially uninstalled gem can't be found.
+  Pull request #1283 by Cezary Baginski.
+* Test warning cleanup.
+  Pull request #1298 by Samuel E. Giddins.
+* Documentation fix for GemDependencyAPI.
+  Pull request #1308 by Michael Papis.
+* Fetcher now ignores ENOLCK errors in single threaded environments. This
+  handles an issue with gem installation on NFS as best we can. Addresses
+  issue #1176 by Ryan Moore.
+  Pull request #1327 by Daniel Berger.
+* Fix some path quoting issues in the test suite.
+  Pull request #1328 by Gavin Miller.
+* Fix NoMethodError in running ruby processes when gems are uninstalled.
+  Pull request #1332 by Peter Drake.
+* Fixed a potential NoMethodError for gem cleanup.
+  Pull request #1333 by Peter Drake.
+* Fixed gem help bug.
+  Issue #1352 reported by bogem, pull request #1357 by Luis Sagastume.
+* Remove temporary directories after tests finish.  Pull request #1181 by
+  Nobuyoshi Nokada.
+* Update links in RubyGems documentation.  Pull request #1185 by Darío Hereñú.
+* Prerelease gem executables can now be run.  Pull request #1186 by Samuel E.
+  Giddins.
+* Updated RubyGems travis-ci ruby versions.  Pull request #1187 by Samuel E.
+  Giddins.
+* Fixed release date of RubyGems 2.4.6.  Pull request #1190 by Frieder
+  Bluemle.
+* Fixed bugs in gem activation.  Pull request #1202 by Miklós Fazekas.
+* Fixed documentation for `gem list`.  Pull request #1228 by Godfrey Chan.
+* Fixed #1200 history entry.  Pull request #1234 by Marc Siegel.
+* Fixed synchronization issue when resetting the Gem::Specification gem list.
+  Pull request #1239 by Samuel E. Giddins.
+* Fixed running tests in parallel.  Pull request #1257 by SHIBATA Hiroshi.
+* Fixed running tests with `--program-prefix` or `--program-suffix` for ruby.
+  Pull request #1258 by Shane Gibbs.
+* Fixed Gem::Specification#to_yaml.  Pull request #1262 by Hiroaki Izu.
+* Fixed taintedness of Gem::Specification#raw_require_paths.  Pull request
+  #1268 by Sam Ruby.
+* Fixed sorting of platforms when installing gems.  Pull request #1271 by
+  nonsequitur.
+* Use `--no-document` over deprecated documentation options when installing
+  dependencies on travis.  Pull request #1272 by takiy33.
+* Improved support for IPv6 addresses in URIs.  Pull request #1275 by Joe
+  Rafaniello.
+* Spec validation no longer crashes if a file does not exist.  Pull request
+  #1278 by Samuel E. Giddins.
+* Gems can now be installed within `rescue`.  Pull request #1282 by Samuel E.
+  Giddins.
+* Increased Diffie-Hellman key size for tests for modern OpenSSL.  Pull
+  request #1290 by Vít Ondruch.
+* RubyGems handles invalid config files better.  Pull request #1367 by Agis
+  Anastasopoulos.
+
 === 2.4.8 / 2015-06-08
 
 Bug fixes:
@@ -10,10 +141,10 @@ Bug fixes:
 
 Bug fixes:
 
-* Backport: Limit API endpoint to original security domain for CVE-2015-3900.
+* Limit API endpoint to original security domain for CVE-2015-3900.
   Fix by claudijd
 
-=== 2.4.6 / 2014-02-05
+=== 2.4.6 / 2015-02-05
 
 Bug fixes:
 
@@ -329,6 +460,26 @@ Bug fixes:
 * Gem::BasicSpecification#require_paths respects default_ext_dir_for now.  Bug
   #852 by Vít Ondruch.
 
+=== 2.2.5 / 2015-06-08
+
+Bug fixes:
+
+* Tightened API endpoint checks for CVE-2015-3900
+
+=== 2.2.4 / 2015-05-14
+
+Bug fixes:
+
+* Backport: Limit API endpoint to original security domain for CVE-2015-3900.
+  Fix by claudijd
+
+=== 2.2.3 / 2014-12-21
+
+Bug fixes:
+
+* Backport: Add alternate Root CA for upcoming certificate change.
+  Fixes #1050 by Protosac
+
 === 2.2.2 / 2014-02-05
 
 Bug fixes:
@@ -698,6 +849,26 @@ Bug fixes:
 * Fixed credential creation for `gem push` when `--host` is not given.  Pull
   request #622 by Arthur Nogueira Neves
 
+=== 2.0.17 / 2015-06-08
+
+Bug fixes:
+
+* Tightened API endpoint checks for CVE-2015-3900
+
+=== 2.0.16 / 2015-05-14
+
+Bug fixes:
+
+* Backport: Limit API endpoint to original security domain for CVE-2015-3900.
+  Fix by claudijd
+
+=== 2.0.15 / 2014-12-21
+
+Bug fixes:
+
+* Backport: Add alternate Root CA for upcoming certificate change.
+  Fixes #1050 by Protosac
+
 === 2.0.14 / 2013-11-12
 
 Bug fixes:

data/Manifest.txt

@@ -1,8 +1,10 @@
 .autotest
 .document
+CODE_OF_CONDUCT.md
 CONTRIBUTING.rdoc
 CVE-2013-4287.txt
 CVE-2013-4363.txt
+CVE-2015-3900.txt
 History.txt
 LICENSE.txt
 MIT.txt
@@ -128,6 +130,16 @@ lib/rubygems/resolver/installer_set.rb
 lib/rubygems/resolver/local_specification.rb
 lib/rubygems/resolver/lock_set.rb
 lib/rubygems/resolver/lock_specification.rb
+lib/rubygems/resolver/molinillo.rb
+lib/rubygems/resolver/molinillo/lib/molinillo.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/dependency_graph.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/errors.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/gem_metadata.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/modules/specification_provider.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/modules/ui.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/resolution.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/resolver.rb
+lib/rubygems/resolver/molinillo/lib/molinillo/state.rb
 lib/rubygems/resolver/requirement_list.rb
 lib/rubygems/resolver/set.rb
 lib/rubygems/resolver/spec_specification.rb
@@ -169,8 +181,8 @@ lib/rubygems/uninstaller.rb
 lib/rubygems/uri_formatter.rb
 lib/rubygems/user_interaction.rb
 lib/rubygems/util.rb
+lib/rubygems/util/licenses.rb
 lib/rubygems/util/list.rb
-lib/rubygems/util/stringio.rb
 lib/rubygems/validator.rb
 lib/rubygems/version.rb
 lib/rubygems/version_option.rb
@@ -355,4 +367,5 @@ test/rubygems/wrong_key_cert_32.pem
 util/CL2notes
 util/create_certs.rb
 util/create_encrypted_key.rb
+util/generate_spdx_license_list.rb
 util/update_bundled_ca_certificates.rb

data/Rakefile

@@ -13,7 +13,16 @@ rescue ::LoadError
   require 'yaml'
 end
 
-require 'hoe'
+begin
+  require 'hoe'
+rescue ::LoadError
+  abort <<-ERR
+Error while loading the hoe gem.
+Please install it by running the following:
+
+$ [sudo] gem install hoe
+  ERR
+end
 
 Hoe::RUBY_FLAGS << " --disable-gems" if RUBY_VERSION > "1.9"
 
@@ -99,6 +108,32 @@ task :install_test_deps => :clean_env do
   sh "gem install minitest -v '~> 4.0'"
 end
 
+namespace :molinillo do
+  task :namespace do
+    files = Dir.glob('lib/rubygems/resolver/molinillo/**/*.rb')
+    sh "sed -i.bak 's/Molinillo/Gem::Resolver::Molinillo/g' #{files.join(' ')}"
+    sh "sed -i.bak \"s/require 'molinillo/require 'rubygems\\/resolver\\/molinillo\\/lib\\/molinillo/g\" #{files.join(' ')}"
+    sh "rm #{files.join('.bak ')}.bak"
+  end
+
+  task :clean do
+    files = Dir.glob('lib/rubygems/resolver/molinillo*/*', File::FNM_DOTMATCH).reject { |f| %(. .. lib).include? f.split('/').last }
+    puts files
+    sh "rm -r #{files.join(' ')}"
+  end
+
+  task :update, [:tag] => [] do |t, args|
+    tag = args[:tag]
+    Dir.chdir 'lib/rubygems/resolver' do
+      sh "rm -rf molinillo"
+      sh "curl -L https://github.com/CocoaPods/molinillo/archive/#{tag}.tar.gz | tar -xz"
+      sh "mv Molinillo-* molinillo"
+    end
+    Rake::Task['molinillo:namespace'].invoke
+    Rake::Task['molinillo:clean'].invoke
+  end
+end
+
 # --------------------------------------------------------------------
 # Creating a release
 

data/lib/rubygems.rb

@@ -9,7 +9,7 @@ require 'rbconfig'
 require 'thread'
 
 module Gem
-  VERSION = '2.4.8'
+  VERSION = '2.5.0'
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -26,12 +26,12 @@ require 'rubygems/errors'
 # For user documentation, see:
 #
 # * <tt>gem help</tt> and <tt>gem help [command]</tt>
-# * {RubyGems User Guide}[http://docs.rubygems.org/read/book/1]
-# * {Frequently Asked Questions}[http://docs.rubygems.org/read/book/3]
+# * {RubyGems User Guide}[http://guides.rubygems.org/]
+# * {Frequently Asked Questions}[http://guides.rubygems.org/faqs]
 #
 # For gem developer documentation see:
 #
-# * {Creating Gems}[http://docs.rubygems.org/read/chapter/5]
+# * {Creating Gems}[http://guides.rubygems.org/make-your-own-gem]
 # * Gem::Specification
 # * Gem::Version for version dependency notes
 #
@@ -156,6 +156,7 @@ module Gem
   @@win_platform = nil
 
   @configuration = nil
+  @gemdeps = nil
   @loaded_specs = {}
   LOADED_SPECS_MUTEX = Mutex.new
   @path_to_default_spec_map = {}
@@ -184,13 +185,9 @@ module Gem
     # or if it was ambiguous (and thus unresolved) the code in our custom
     # require will try to activate the more specific version.
 
-    spec = Gem::Specification.find_inactive_by_path path
-
-    unless spec
-      spec = Gem::Specification.find_by_path path
-      return true if spec && spec.activated?
-      return false
-    end
+    spec = Gem::Specification.find_by_path path
+    return false unless spec
+    return true if spec.activated?
 
     begin
       spec.activate
@@ -433,7 +430,7 @@ module Gem
 
     files = find_files_from_load_path glob if check_load_path
 
-    files.concat Gem::Specification.map { |spec|
+    files.concat Gem::Specification.stubs.map { |spec|
       spec.matches_for_glob("#{glob}#{Gem.suffix_pattern}")
     }.flatten
 
@@ -580,6 +577,10 @@ module Gem
   # gem's paths are inserted before site lib directory by default.
 
   def self.load_path_insert_index
+    $LOAD_PATH.each_with_index do |path, i|
+      return i if path.instance_variable_defined?(:@gem_prelude_index)
+    end
+
     index = $LOAD_PATH.index RbConfig::CONFIG['sitelibdir']
 
     index
@@ -596,6 +597,9 @@ module Gem
 
     test_syck = ENV['TEST_SYCK']
 
+    # Only Ruby 1.8 and 1.9 have syck
+    test_syck = false unless /^1\./ =~ RUBY_VERSION
+
     unless test_syck
       begin
         gem 'psych', '>= 1.2.1'
@@ -777,6 +781,14 @@ module Gem
     open path, 'rb' do |f|
       f.read
     end
+  rescue Errno::ENOLCK # NFS
+    if Thread.main != Thread.current
+      raise
+    else
+      open path, 'rb' do |f|
+        f.read
+      end
+    end
   end
 
   ##
@@ -1052,7 +1064,7 @@ module Gem
     end
 
     rs = Gem::RequestSet.new
-    rs.load_gemdeps path
+    @gemdeps = rs.load_gemdeps path
 
     rs.resolve_current.map do |s|
       sp = s.full_spec
@@ -1082,6 +1094,12 @@ module Gem
 
     attr_reader :loaded_specs
 
+    ##
+    # GemDependencyAPI object, which is set when .use_gemdeps is called.
+    # This contains all the information from the Gemfile.
+
+    attr_reader :gemdeps
+
     ##
     # Register a Gem::Specification for default gem.
     #
@@ -1196,6 +1214,7 @@ module Gem
   autoload :DependencyList,     'rubygems/dependency_list'
   autoload :DependencyResolver, 'rubygems/resolver'
   autoload :Installer,          'rubygems/installer'
+  autoload :Licenses,           'rubygems/util/licenses'
   autoload :PathSupport,        'rubygems/path_support'
   autoload :Platform,           'rubygems/platform'
   autoload :RequestSet,         'rubygems/request_set'
@@ -1242,4 +1261,3 @@ require 'rubygems/core_ext/kernel_gem'
 require 'rubygems/core_ext/kernel_require'
 
 Gem.use_gemdeps
-