ruby.git/lib/bundler/rubygems_gem_installer.rb, branch ruby_3_3 The Ruby Programming Language Merge RubyGems-3.5.19 and Bundler-2.5.19 2024-09-25T17:56:17+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2024-09-25T07:54:19+00:00 3894841182c32de231b3998502bf1a9dba7cdb4f 






Update RubyGems 3.5.16 and Bundler 2.5.16 for Ruby 3.3 (#11252)
2024-07-30T16:05:54+00:00

Hiroshi SHIBATA
hsbt@ruby-lang.org

2024-07-30T16:05:54+00:00

f85c7deacc25738bd83ba182370c283ba82b61d4

* Merge RubyGems-3.5.12 and Bundler-2.5.12

* Merge RubyGems-3.5.13 and Bundler-2.5.13

* Merge RubyGems-3.5.14 and Bundler-2.5.14

* Merge RubyGems-3.5.15 and Bundler-2.5.15

* Merge RubyGems-3.5.16 and Bundler-2.5.16




* Merge RubyGems-3.5.12 and Bundler-2.5.12

* Merge RubyGems-3.5.13 and Bundler-2.5.13

* Merge RubyGems-3.5.14 and Bundler-2.5.14

* Merge RubyGems-3.5.15 and Bundler-2.5.15

* Merge RubyGems-3.5.16 and Bundler-2.5.16






[rubygems/rubygems] Use modern hashes consistently
2023-12-07T22:29:33+00:00

David Rodríguez
deivid.rodriguez@riseup.net

2023-12-07T21:10:33+00:00

2755cb1b2fbc4a5f08ca56345b5945bd452da74e

https://github.com/rubygems/rubygems/commit/bb66253f2c





https://github.com/rubygems/rubygems/commit/bb66253f2c







[rubygems/rubygems] Converts Bundler lockfile checksum validation to opt-in only
2023-12-05T21:09:53+00:00

Martin Emde
martin.emde@gmail.com

2023-12-01T22:20:51+00:00

5f0ea3f590f8983669fe478bc9eace6880353b84

Looks for the CHECKSUMS section in the lockfile, activating the feature
only if the section exists. Without a CHECKSUMS section, Bundler will
continue as normal, validating checksums when gems are installed while
checksums from the compact index are present.

https://github.com/rubygems/rubygems/commit/2353cc93a4





Looks for the CHECKSUMS section in the lockfile, activating the feature
only if the section exists. Without a CHECKSUMS section, Bundler will
continue as normal, validating checksums when gems are installed while
checksums from the compact index are present.

https://github.com/rubygems/rubygems/commit/2353cc93a4







[rubygems/rubygems] Better error when having an insecure install folder
2023-11-08T00:04:28+00:00

David Rodríguez
deivid.rodriguez@riseup.net

2023-10-03T12:37:44+00:00

a131ea39b7b9c34304dfbf8112581c49ce9ff827

https://github.com/rubygems/rubygems/commit/e41156e272





https://github.com/rubygems/rubygems/commit/e41156e272







[rubygems/rubygems] Don't show bug report template when GEM_HOME has no writable bit
2023-11-08T00:04:28+00:00

David Rodríguez
deivid.rodriguez@riseup.net

2023-10-26T16:44:20+00:00

7f7a7f13ededda5c91d84c3493dc6ef3cec53d1a

Instead, don't check that at all and proceed. If something fails to be
written inside GEM_HOME, we'll eventually fail with a proper permissions
error.

In addition to that, the writable bit in GEM_HOME is not even reliable,
because only the immediate parent is actually checked when writing. For
example,

```
$ mkdir -p foo/bar
$ chmod -w foo
$ touch foo/bar/baz # writes without issue
```

https://github.com/rubygems/rubygems/commit/4bced7ac73





Instead, don't check that at all and proceed. If something fails to be
written inside GEM_HOME, we'll eventually fail with a proper permissions
error.

In addition to that, the writable bit in GEM_HOME is not even reliable,
because only the immediate parent is actually checked when writing. For
example,

```
$ mkdir -p foo/bar
$ chmod -w foo
$ touch foo/bar/baz # writes without issue
```

https://github.com/rubygems/rubygems/commit/4bced7ac73







[rubygems/rubygems] Improve errors and register checksums reliably
2023-10-23T04:59:01+00:00

Martin Emde
martin.emde@gmail.com

2023-09-01T22:15:49+00:00

c667de72ff9de195e1cab4b1937973e841ff89ae

Improve error reporting for checksums, raises a new error class.

Solve for multi-source checksum errors.

Add CHECKSUMS to tool/bundler/(dev|standard|rubocop)26_gems.rb

https://github.com/rubygems/rubygems/commit/26ceee0e76

Co-authored-by: Samuel Giddins <segiddins@segiddins.me>





Improve error reporting for checksums, raises a new error class.

Solve for multi-source checksum errors.

Add CHECKSUMS to tool/bundler/(dev|standard|rubocop)26_gems.rb

https://github.com/rubygems/rubygems/commit/26ceee0e76

Co-authored-by: Samuel Giddins <segiddins@segiddins.me>







[rubygems/rubygems] Refactor Checksum classes and methods to reduce
2023-10-23T04:59:01+00:00

Martin Emde
martinemde@users.noreply.github.com

2023-08-30T22:15:52+00:00

92f23a48e3bb7555ca99fc49e15b250a70f9d086

code.
(https://github.com/rubygems/rubygems/pull/6917)

https://github.com/rubygems/rubygems/commit/2238bdaadc





code.
(https://github.com/rubygems/rubygems/pull/6917)

https://github.com/rubygems/rubygems/commit/2238bdaadc







[rubygems/rubygems] Refactor to checksums stored via source
2023-10-23T04:59:01+00:00

Samuel Giddins
segiddins@segiddins.me

2023-08-09T20:45:56+00:00

c5fd94073ff2e22b6eea29c242c7e4a12ed7c865

This gets the specs passing, and handles the fact that we expect
checkums to be pinned only to a particular source

This also avoids reading in .gem files during lockfile generation,
instead allowing us to query the source for each resolved gem to grab
the checksum

Finally, this opens up a route to having user-stored checksum databases,
similar to how other package managers do this!

Add checksums to dev lockfiles

Handle full name conflicts from different original_platforms when adding checksums to store from compact index

Specs passing on Bundler 3

https://github.com/rubygems/rubygems/commit/86c7084e1c





This gets the specs passing, and handles the fact that we expect
checkums to be pinned only to a particular source

This also avoids reading in .gem files during lockfile generation,
instead allowing us to query the source for each resolved gem to grab
the checksum

Finally, this opens up a route to having user-stored checksum databases,
similar to how other package managers do this!

Add checksums to dev lockfiles

Handle full name conflicts from different original_platforms when adding checksums to store from compact index

Specs passing on Bundler 3

https://github.com/rubygems/rubygems/commit/86c7084e1c







[rubygems/rubygems] Use the server checksum, then calculate from gem on disk if possible
2023-10-23T04:59:01+00:00

Mercedes Bernard
mercedesrbernard@gmail.com

2023-02-10T19:34:30+00:00

69d7e9a12eb6e3dbfa1b1021b73c2afcbf7d4a46

1. Use the checksum provided by the server if provided: provides security
knowing if the gem you downloaded matches the gem on the server

2. Calculate the checksum from the gem on disk: provides security knowing
if the gem has changed between installs

3. In some cases, neither is possible in which case we don't put anything
in the checksum and we maintain functionality as it is today

Add the checksums to specs in the index if we already have them

Prior to checksums, we didn't lose any information when overwriting specs
in the index with stubs. But now when we overwrite EndpointSpecifications
or RemoteSpecifications with more generic specs, we could lose checksum
info. This manually sets checksum info so we keep it in the index.

https://github.com/rubygems/rubygems/commit/de00a4f153





1. Use the checksum provided by the server if provided: provides security
knowing if the gem you downloaded matches the gem on the server

2. Calculate the checksum from the gem on disk: provides security knowing
if the gem has changed between installs

3. In some cases, neither is possible in which case we don't put anything
in the checksum and we maintain functionality as it is today

Add the checksums to specs in the index if we already have them

Prior to checksums, we didn't lose any information when overwriting specs
in the index with stubs. But now when we overwrite EndpointSpecifications
or RemoteSpecifications with more generic specs, we could lose checksum
info. This manually sets checksum info so we keep it in the index.

https://github.com/rubygems/rubygems/commit/de00a4f153