| Age | Commit message (Collapse) | Author |
|---|
|
Prior to this patch, if I ran:
ruby setup.rb --destdir /foo
Then Bundler files would be written into /foo/foo, because destdir was
being prepended, even though `bundler_spec.bin_dir` already included
destdir.
https://github.com/rubygems/rubygems/commit/9e857ffb52
|
|
https://github.com/rubygems/rubygems/commit/f328ef6f77
|
|
https://github.com/rubygems/rubygems/commit/b3e985799e
|
|
This fixes the following test error testing against OpenSSL 3.x:
~~~
2) Failure:
TestGemRequest#test_verify_certificate_extra_message [/builddir/build/BUILD/ruby-3.0.2/test/rubygems/test_gem_request.rb:358]:
<"ERROR: SSL verification error at depth 0: invalid CA certificate (24)\n" +
"ERROR: Certificate is an invalid CA certificate\n"> expected but was
<"ERROR: SSL verification error at depth 0: invalid CA certificate (79)\n" +
"ERROR: Certificate is an invalid CA certificate\n">.
~~~
Where the root cause is this OpenSSL commit:
https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e
It seems that OpenSSL upstream considers the constant value just an
implementation detail and therefore this changes the test case to
follow the suite.
https://github.com/rubygems/rubygems/commit/8acf8e95dc
|
|
|
|
|
|
|
|
key algorithms
https://github.com/rubygems/rubygems/commit/967876f15d
Co-Authored-By: Frederik Dudzik <frederik.dudzik@shopify.com>
|
|
OpenSSL includes what we need.
https://github.com/rubygems/rubygems/commit/955f3b72ca
|
|
https://github.com/rubygems/rubygems/commit/f5e408f83d
|
|
Now `$LOADED_FEATURES` list is being maintained by `setup` and
`teardown` and, only libaries under the temporary directory will
be removed. As `save_loaded_features` removes the rest libraries
other than this test directory, ordinary libraries loaded from
files under rubygems also removed, and often causes constant
redefinition warnings.
https://github.com/rubygems/rubygems/commit/9e1f92aafd
|
|
If we explicitly disallow the creation of symlinks that point to files
outside of the destination directory, we can avoid any other safety
checks while creating directories, because we can be sure they will
always fall under the destination directory as well.
https://github.com/rubygems/rubygems/commit/555692b8de
|
|
https://github.com/rubygems/rubygems/commit/1e363dbbcb
|
|
https://github.com/rubygems/rubygems/commit/9180b390aa
|
|
https://github.com/rubygems/rubygems/commit/90c1919f94
|
|
description
7890c98 matched the start of each line, whereas this matches the start
of the entire string.
https://github.com/rubygems/rubygems/commit/432de7b819
|
|
helper
https://github.com/rubygems/rubygems/commit/798a93a98c
|
|
Do not change the password of the input parameter source during
anonymization, by using the proper helper instead of changing the
original uri directly.
https://github.com/rubygems/rubygems/commit/eaa2dd8a97
|
|
Implement deep cloning for `Gem::Uri` class to fix a bug where redacting
credentials modifies the URI string in place instead of returning a
modified copy.
https://github.com/rubygems/rubygems/commit/eafb5a279b
|
|
Gem::Request class
https://github.com/rubygems/rubygems/commit/e8e7c2078f
|
|
It doesn't make much sense to just forbid certain words in descriptions.
https://github.com/rubygems/rubygems/commit/7890c98415
|
|
This allows easy differentiation between ABI incompatible platforms like MSWIN64 and MSVCRT-based MINGW32.
This also implicates a distinct rubygem platform which is also "x64-mingw-ucrt".
Although the term "mingw32" is the OS-part for 64 bit systems as well, the "32" is misleading and confusing for many users.
Therefore the new platform string drops the "32" from the OS part to just "mingw".
This conforms to the common practice of windows platform testing per RUBY_PLATFORM=~/mswin|mingw/ .
Notes:
Merged: https://github.com/ruby/ruby/pull/4599
|
|
`Gem::Uri` class
The new class is a wrapper on top of an URI. And then, when you want
credentials redacted, you call `#redacted` that returns a copy of itself,
but with credentials redacted.
https://github.com/rubygems/rubygems/commit/9581c2740a
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
We will be passing string to this class so there is no need to be defensive about it.
https://github.com/rubygems/rubygems/commit/30bd52a977
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/c3bb52eb5c
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
its initialize method
https://github.com/rubygems/rubygems/commit/21dcdd2dc5
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/dba130cd80
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
`Gem::PrintableUri#valid_uri?`
https://github.com/rubygems/rubygems/commit/a5177709c9
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
`build` method
The `initialize` method is already doing a lot and by adding the `Gem::PrintableUri` to redact sensitive information, things are getting complicated and hard to read here. For the start, I have refactored the `initialize` method into a class method called `build`.
https://github.com/rubygems/rubygems/commit/4312e8fdf5
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
The `@uri` variable could be a source URI with a credential. Using `Gem::PrintableUri` to make sure we are redacting sensitive information from it when logging on verbose mode.
https://github.com/rubygems/rubygems/commit/f566787211
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
`Gem::Commands::InstallCommand` class
The `x.source.uri` could be a source URI with a credential. Using `Gem::PrintableUri` to make sure we are redacting sensitive information from it.
https://github.com/rubygems/rubygems/commit/8755ee0aaa
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
be used on outputs
We need to redact URI credential in several places and copy pasting the code into each part of it is not ideal. This class is responsible for parsing URI strings and redacting credential from it. Also, it will handle URI object in the same manner. We will be reusing this class whenever we need to print/display a URI to users.
URI with the following format will be redacted:
- Token: `http://my-secure-token@example.com` => `http://REDACTED@example.com`
- Username & Password: `http://my-username:my-secure-password@example.com` => `http://my-username:REDACTED@example.com`
- x-oauth-basic: `http://my-secure-token:x-oauth-basic@example.com` => `http://REDACTED:x-oauth-basic@example.com`
https://github.com/rubygems/rubygems/commit/f1e45d3a89
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/1ea73df161
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/e3d150d822
Co-authored-by: David Rodríguez <deivid.rodriguez@riseup.net>
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
No longer used since
https://github.com/rubygems/rubygems/commit/b7f6270b9e5e15591cd679f60fa8f43e6763f3f5.
https://github.com/rubygems/rubygems/commit/76803894a0
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/81dc685d20
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
They should properly configure `GEM_PATH` instead.
https://github.com/rubygems/rubygems/commit/3bd9ae33ca
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
We think it's unlikely that `rubygems/defaults/operating_system` could be shipped with a SyntaxError so StandardError could be better choice to prevent "false positives" errors.
https://github.com/rubygems/rubygems/commit/1f73e784dd
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
For errors that could happened while loading `rubygems/defaults/operating_system`
https://github.com/rubygems/rubygems/commit/6e1e2141f8
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
operating_system.rb
truffleruby does not raise any error when requiring `rubygems`.
https://github.com/rubygems/rubygems/commit/21e2fcd0b2
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
rubygems/defaults/operating_system file
When loading `rubygems/defaults/operating_system`
- we want to keep it silent if the raised exception is a LoadError
- we want to print a message in other cases and ask users to report the issue to their OS support.
Ruby 3 comes with special error handling for loading `rubygems` and it will show a warning when LoadError exception raised for requiring 'rubygem'.
Because of that, we decided to leave the LoadError scenario as it is.
Reference: https://github.com/ruby/ruby/blob/d1998d8767affe58be0bd09ec536dae9198a7fbd/gem_prelude.rb#L1-L5
https://github.com/rubygems/rubygems/commit/0a97e12fe1
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/82960c262f
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/4028cbc408
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/91dca11112
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
The previous behavior was to automatically require `bundler/setup`
everytime `rubygems` was required, which I think was too much.
https://github.com/rubygems/rubygems/commit/b25379a295
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
When I read, I thought the assertion was incorrect. It's doing the right
thing, though.
https://github.com/rubygems/rubygems/commit/e72c27367a
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
https://github.com/rubygems/rubygems/commit/c7c00c280f
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
It doesn't really add much, in my opinion. We want to be helpful, but
also concise when possible.
https://github.com/rubygems/rubygems/commit/9d56009cf7
Notes:
Merged: https://github.com/ruby/ruby/pull/4789
|
|
Mitigate the security risk:
https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
https://github.com/rubygems/rubygems/commit/141c2f4388
|
|
After reading [this blog
post](https://blog.rubygems.org/2011/08/31/shaving-the-yaml-yak.html),
published almost 10 years ago already, my understanding is that this
problem could come up in two ways:
* Rubygems.org serving corrupted gemspecs". As far as I understand this
was fixed in rubygems.org a lot time ago, since
https://github.com/rubygems/rubygems.org/pull/331.
* Clients having a ten years old gemspec cache with some of these bad
gemspecs. In this case, there's no easy solution but I think ten years
is enough and rebuilding the cache should do the trick.
So, I think it's time we remove this.
https://github.com/rubygems/rubygems/commit/afcb15d556
|
