ruby.git/lib/rubygems/package.rb, branch v3_4_9 The Ruby Programming Language [rubygems/rubygems] Remove `Gem::Specification#mark_version` 2024-05-03T15:12:55+00:00 David Rodriguez deivid.rodriguez@riseup.net 2024-02-05T19:19:40+00:00 281df1e495eeb8533b963c63a14c614fcab97859 This gets in the middle if we ever start allowing to build as if using a different RubyGems version than the one being run. This could be useful to make `gem rebuild` a little more usable, and it's already done by Bundler specs which already make this method a noop when they need this. I'm not sure forcefully setting this, even if user explicitly specified something else is helpful. Since this could potentially prevent gems explicitly setting a constant RubyGems version from building, I changed the error of incorrect RubyGems version from a hard error to a warning, since it will start happening in those cases if we stop overwriting the version. https://github.com/rubygems/rubygems/commit/45676af80d 
This gets in the middle if we ever start allowing to build as if using a
different RubyGems version than the one being run.

This could be useful to make `gem rebuild` a little more usable, and
it's already done by Bundler specs which already make this method a noop
when they need this.

I'm not sure forcefully setting this, even if user explicitly specified
something else is helpful.

Since this could potentially prevent gems explicitly setting a constant
RubyGems version from building, I changed the error of incorrect
RubyGems version from a hard error to a warning, since it will start
happening in those cases if we stop overwriting the version.

https://github.com/rubygems/rubygems/commit/45676af80d
[rubygems/rubygems] Update lib/rubygems/package.rb 2024-04-30T15:34:49+00:00 Samuel Giddins segiddins@segiddins.me 2024-04-28T19:26:22+00:00 d7ba0fec492823f5191a34be5fe4b8e0b5641f07 https://github.com/rubygems/rubygems/commit/c4e75b9f74 
https://github.com/rubygems/rubygems/commit/c4e75b9f74
[rubygems/rubygems] Add a limit to the size of the metadata and checksums files in a gem package. 2024-04-30T15:34:48+00:00 Samuel Giddins segiddins@segiddins.me 2024-04-11T07:05:42+00:00 d950609ec709c7c4dc48603b9b2d88f840a520fb This is to prevent a malicious gem from causing a denial of service by including a very large metadata or checksums file, which is then read into memory in its entirety just by opening the gem package. This is guaranteed to limit the amount of memory needed, since gzips (which use deflate streams for compression) have a maximum compression ratio of 1032:1, so the uncompressed size of the metadata or checksums file will be at most 1032 times the size of the (limited) amount of data read. This prevents a gem from causing 500GB of memory to be allocated to read a 500MB metadata file. https://github.com/rubygems/rubygems/commit/a596e3c5ec 
This is to prevent a malicious gem from causing a denial of service by
including a very large metadata or checksums file,
which is then read into memory in its entirety just by opening the gem package.

This is guaranteed to limit the amount of memory needed, since
gzips (which use deflate streams for compression) have a maximum compression
ratio of 1032:1, so the uncompressed size of the metadata or checksums file
will be at most 1032 times the size of the (limited) amount of data read.

This prevents a gem from causing 500GB of memory to be allocated
to read a 500MB metadata file.

https://github.com/rubygems/rubygems/commit/a596e3c5ec
[rubygems/rubygems] Fix circular require warning 2024-04-29T09:04:33+00:00 David Rodríguez deivid.rodriguez@riseup.net 2024-04-26T08:44:13+00:00 53571de8e9605c7a373b0ffc9f94167cf898f568 https://github.com/rubygems/rubygems/commit/241d0aafcd 
https://github.com/rubygems/rubygems/commit/241d0aafcd
Allow FormatError to take either String or Gem for source 2024-03-28T15:54:33+00:00 Jake Zimmerman zimmerman.jake@gmail.com 2024-03-25T22:53:53+00:00 97b2cc34359968459a6eba2ac166f3650adf47be Most of the calls to `FormatError.new` pass `@gem` for the second argument, which has a `path` method. But in one case—on package.rb:691 in `verify_gz`, the `source` argument is a `String`. So if there's ever a GZip decode error when attempting to read the contents of the `data.tar.gz` file, instead of reporting the underlying GZip error (which might be something like "unexpected end of file"), we would report instead a NoMethodError coming from package.rb ``` Exception while verifying sorbet-0.5.11301.gem ERROR: While executing gem ... (NoMethodError) undefined method `path' for "data.tar.gz":String @path = source.path ^^^^^ ``` There are two ways to fix this: 1. Make `FormatError#initialize` aware of the fact that `source` might sometimes be a `String` 2. Make the call to `FormatError.new` in `verify_gz` pass `@gem` instead of `entry.full_name`. I've chosen 1 because I think it's more useful to see "unexpected end of file in data.tar.gz" instead of "unexpected end of file in sorbet-0.5.11301.gem." The end of file **is actually** in data.tar.gz, not in the gem file itself, which was decoded successfully. 
Most of the calls to `FormatError.new` pass `@gem` for the second argument, which has a `path` method.

But in one case—on package.rb:691 in `verify_gz`, the `source` argument is a `String`.

So if there's ever a GZip decode error when attempting to read the contents of the `data.tar.gz` file, instead of reporting the underlying GZip error (which might be something like "unexpected end of file"), we would report instead a NoMethodError coming from package.rb

```
Exception while verifying sorbet-0.5.11301.gem
ERROR:  While executing gem ... (NoMethodError)
    undefined method `path' for "data.tar.gz":String

        @path = source.path
                      ^^^^^
```

There are two ways to fix this:

1. Make `FormatError#initialize` aware of the fact that `source` might sometimes be a `String`
2. Make the call to `FormatError.new` in `verify_gz` pass `@gem` instead of `entry.full_name`.

I've chosen 1 because I think it's more useful to see "unexpected end of file in data.tar.gz" instead of "unexpected end of file in sorbet-0.5.11301.gem." The end of file **is actually** in data.tar.gz, not in the gem file itself, which was decoded successfully.
[rubygems/rubygems] Respect global umask when writing regular files 2024-03-22T13:15:15+00:00 David Rodriguez deivid.rodriguez@riseup.net 2024-03-18T12:26:36+00:00 8ef923dc35515e438ebd9ad135c80e4309956214 https://github.com/rubygems/rubygems/commit/fd5cb7396f 
https://github.com/rubygems/rubygems/commit/fd5cb7396f
Revert "Ensure File.open applies default umask on gem extract" 2024-01-24T05:10:05+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2024-01-24T05:10:05+00:00 270ad763594023b87a09027e52deee561ecd3b62 This reverts commit 01f9766aa05182a7bbdc914a5dcd8a36ebade861. 
This reverts commit 01f9766aa05182a7bbdc914a5dcd8a36ebade861.
Ensure File.open applies default umask on gem extract 2024-01-24T04:50:16+00:00 Martin Emde martin.emde@gmail.com 2023-12-17T21:22:38+00:00 01f9766aa05182a7bbdc914a5dcd8a36ebade861 






Merge RubyGems-3.5.2 and Bundler-2.5.2
2023-12-21T22:24:04+00:00

Hiroshi SHIBATA
hsbt@ruby-lang.org

2023-12-21T22:01:12+00:00

82496f2b389278a569fa7680ee6faa55a97410d7












[rubygems/rubygems] Fewer allocations in gem installation
2023-12-11T23:14:58+00:00

Samuel Giddins
segiddins@segiddins.me

2023-09-19T01:51:15+00:00

505715ddf17e004d184c0b71afb40a31e2e8c98e

For now, on a small rails app I have hanging around:

```
==> memprof.after.txt <==
Total allocated: 872.51 MB (465330 objects)
Total retained:  40.48 kB (326 objects)

==> memprof.before.txt <==
Total allocated: 890.79 MB (1494026 objects)
Total retained:  40.40 kB (328 objects)
```

Not a huge difference in memory usage, but it's a drastic improvement
in total number of allocations.

Additionally, this will pay huge dividends once
https://github.com/ruby/zlib/pull/61 is merged, as it will allow us to
completely avoid allocations in the repeated calls to readpartial,
which currently accounts for most of the memory usage shown above.

https://github.com/rubygems/rubygems/commit/f78d45d927





For now, on a small rails app I have hanging around:

```
==> memprof.after.txt <==
Total allocated: 872.51 MB (465330 objects)
Total retained:  40.48 kB (326 objects)

==> memprof.before.txt <==
Total allocated: 890.79 MB (1494026 objects)
Total retained:  40.40 kB (328 objects)
```

Not a huge difference in memory usage, but it's a drastic improvement
in total number of allocations.

Additionally, this will pay huge dividends once
https://github.com/ruby/zlib/pull/61 is merged, as it will allow us to
completely avoid allocations in the repeated calls to readpartial,
which currently accounts for most of the memory usage shown above.

https://github.com/rubygems/rubygems/commit/f78d45d927