sinatra 1.4.6 → 2.0.0

data/Rakefile

@@ -3,22 +3,13 @@ require 'rake/testtask'
 require 'fileutils'
 require 'date'
 
-# CI Reporter is only needed for the CI
-begin
-  require 'ci/reporter/rake/test_unit'
-rescue LoadError
-end
-
 task :default => :test
 task :spec => :test
 
 CLEAN.include "**/*.rbc"
 
 def source_version
-  @source_version ||= begin
-    load './lib/sinatra/version.rb'
-    Sinatra::VERSION
-  end
+  @source_version ||= File.read(File.expand_path("../VERSION", __FILE__)).strip
 end
 
 def prev_feature
@@ -61,7 +52,8 @@ namespace :test do
   desc 'Measures test coverage'
   task :coverage do
     rm_f "coverage"
-    sh "rcov -Ilib test/*_test.rb"
+    ENV['COVERAGE'] = '1'
+    Rake::Task['test'].invoke
   end
 end
 
@@ -95,9 +87,9 @@ end
 
 # Thanks in announcement ===============================================
 
-team = ["Ryan Tomayko", "Blake Mizerany", "Simon Rozet", "Konstantin Haase"]
+team = ["Ryan Tomayko", "Blake Mizerany", "Simon Rozet", "Konstantin Haase", "Zachary Scott"]
 desc "list of contributors"
-task :thanks, [:release,:backports] do |t, a|
+task :thanks, ['release:all', :backports] do |t, a|
   a.with_defaults :release => "#{prev_version}..HEAD",
     :backports => "#{prev_feature}.0..#{prev_feature}.x"
   included = `git log --format=format:"%aN\t%s" #{a.release}`.lines.map { |l| l.force_encoding('binary') }
@@ -146,54 +138,85 @@ end
 # PACKAGING ============================================================
 
 if defined?(Gem)
-  # Load the gemspec using the same limitations as github
-  def spec
-    require 'rubygems' unless defined? Gem::Specification
-    @spec ||= eval(File.read('sinatra.gemspec'))
+  GEMS_AND_ROOT_DIRECTORIES = {
+    "sinatra" => ".",
+    "sinatra-contrib" => "./sinatra-contrib",
+    "rack-protection" => "./rack-protection"
+  }
+
+  def package(gem, ext='')
+    "pkg/#{gem}-#{source_version}" + ext
   end
 
-  def package(ext='')
-    "pkg/sinatra-#{spec.version}" + ext
-  end
+  directory 'pkg/'
+  CLOBBER.include('pkg')
 
-  desc 'Build packages'
-  task :package => %w[.gem .tar.gz].map {|e| package(e)}
+  GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+    file package(gem, '.gem') => ["pkg/", "#{directory + '/' + gem}.gemspec"] do |f|
+      sh "cd #{directory} && gem build #{gem}.gemspec"
+      mv directory + "/" + File.basename(f.name), f.name
+    end
 
-  desc 'Build and install as local gem'
-  task :install => package('.gem') do
-    sh "gem install #{package('.gem')}"
+    file package(gem, '.tar.gz') => ["pkg/"] do |f|
+      sh <<-SH
+        git archive \
+          --prefix=#{gem}-#{source_version}/ \
+          --format=tar \
+          HEAD -- #{directory} | gzip > #{f.name}
+      SH
+    end
   end
 
-  directory 'pkg/'
-  CLOBBER.include('pkg')
+  namespace :package do
+    GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+      desc "Build #{gem} packages"
+      task gem => %w[.gem .tar.gz].map { |e| package(gem, e) }
+    end
 
-  file package('.gem') => %w[pkg/ sinatra.gemspec] + spec.files do |f|
-    sh "gem build sinatra.gemspec"
-    mv File.basename(f.name), f.name
+    desc "Build all packages"
+    task :all => GEMS_AND_ROOT_DIRECTORIES.keys
   end
 
-  file package('.tar.gz') => %w[pkg/] + spec.files do |f|
-    sh <<-SH
-      git archive \
-        --prefix=sinatra-#{source_version}/ \
-        --format=tar \
-        HEAD | gzip > #{f.name}
-    SH
+  namespace :install do
+    GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+      desc "Build and install #{gem} as local gem"
+      task gem => package(gem, '.gem') do
+        sh "gem install #{package(gem, '.gem')}"
+      end
+    end
+
+    desc "Build and install all of the gems as local gems"
+    task :all => GEMS_AND_ROOT_DIRECTORIES.keys
   end
 
-  task 'release' => ['test', package('.gem')] do
-    if File.binread("CHANGES") =~ /= \d\.\d\.\d . not yet released$/i
-      fail 'please update changes first' unless %x{git symbolic-ref HEAD} == "refs/heads/prerelease\n"
+  namespace :release do
+    GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+      desc "Release #{gem} as a package"
+      task gem => "package:#{gem}" do
+        sh <<-SH
+          gem install #{package(gem, '.gem')} --local &&
+          gem push #{package(gem, '.gem')}
+        SH
+      end
+    end
+
+    desc "Commits the version to github repository"
+    task :commit_version do
+      sh <<-SH
+        sed -i "s/.*VERSION.*/  VERSION = '#{source_version}'/" lib/sinatra/version.rb
+        sed -i "s/.*VERSION.*/    VERSION = '#{source_version}'/" sinatra-contrib/lib/sinatra/contrib/version.rb
+        sed -i "s/.*VERSION.*/    VERSION = '#{source_version}'/" rack-protection/lib/rack/protection/version.rb
+      SH
+
+      sh <<-SH
+        git commit --allow-empty -a -m '#{source_version} release'  &&
+        git tag -s v#{source_version} -m '#{source_version} release'  &&
+        git push && (git push origin || true) &&
+        git push --tags && (git push origin --tags || true)
+      SH
     end
 
-    sh <<-SH
-      gem install #{package('.gem')} --local &&
-      gem push #{package('.gem')}  &&
-      git commit --allow-empty -a -m '#{source_version} release'  &&
-      git tag -s v#{source_version} -m '#{source_version} release'  &&
-      git tag -s #{source_version} -m '#{source_version} release'  &&
-      git push && (git push sinatra || true) &&
-      git push --tags && (git push sinatra --tags || true)
-    SH
+    desc "Release all gems as packages"
+    task :all => [:test, :commit_version] + GEMS_AND_ROOT_DIRECTORIES.keys
   end
 end

data/SECURITY.md

@@ -0,0 +1,35 @@
+# Reporting a security bug
+
+All security bugs in Sinatra should be reported to the core team through our private mailing list [sinatra-security@googlegroups.com](https://groups.google.com/group/sinatra-security). Your report will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.
+
+After the initial reply to your report the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement. These updates will be sent at least every five days, in reality this is more likely to be every 24-48 hours.
+
+If you have not received a reply to your email within 48 hours, or have not heard from the security team for the past five days there are a few steps you can take:
+
+* Contact the current security coordinator [Zachary Scott](mailto:zzak@ruby-lang.org) directly
+
+## Disclosure Policy
+
+Sinatra has a 5 step disclosure policy, that is upheld to the best of our ability.
+
+1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.
+2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.
+3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.
+4. A suggested embargo date for this vulnerability is chosen and distros@openwall is notified. This notification will include patches for all versions still under support and a contact address for packagers who need advice back-porting patches to older versions.
+5. On the embargo date, the [mailing list][mailing-list] and [security list][security-list] are sent a copy of the announcement. The changes are pushed to the public repository and new gems released to rubygems.
+
+Typically the embargo date will be set 72 hours from the time vendor-sec is first notified, however this may vary depending on the severity of the bug or difficulty in applying a fix.
+
+This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.
+
+## Security Updates
+
+Security updates will be posted on the [mailing list][mailing-list] and [security list][security-list].
+
+## Comments on this Policy
+
+If you have any suggestions to improve this policy, please send an email the core team at [sinatrarb@googlegroups.com](https://groups.google.com/group/sinatrarb).
+
+
+[mailing-list]: http://groups.google.com/group/sinatrarb/topics
+[security-list]: http://groups.google.com/group/sinatra-security/topics