ruby-changes:42981
From: nobu <ko1@a...>
Date: Wed, 18 May 2016 16:04:59 +0900 (JST)
Subject: [ruby-changes:42981] nobu:r55055 (trunk): downloader.rb: disable verify if rubygems is old
nobu 2016-05-18 16:04:55 +0900 (Wed, 18 May 2016) New Revision: 55055 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55055 Log: downloader.rb: disable verify if rubygems is old * tool/downloader.rb (Downloader::RubyGems.download): verify gems only if RubyGems is 2.4 or later. old RubyGems fails to verify almost all of bundled gems. Modified files: trunk/ChangeLog trunk/tool/downloader.rb Index: tool/downloader.rb =================================================================== --- tool/downloader.rb (revision 55054) +++ tool/downloader.rb (revision 55055) @@ -57,27 +57,27 @@ class Downloader https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L57 def self.download(name, dir = nil, since = true, options = {}) require 'rubygems' require 'rubygems/package' + verify = options.delete(:verify) {Gem::VERSION >= "2.4."} options[:ssl_ca_cert] = Dir.glob(File.expand_path("../lib/rubygems/ssl_certs/**/*.pem", File.dirname(__FILE__))) file = under(dir, name) super("https://rubygems.org/downloads/#{name}", file, nil, since, options) or return false + return true unless verify policy = Gem::Security::LowSecurity (policy = policy.dup).ui = Gem::SilentUI.new if policy.respond_to?(:'ui=') pkg = Gem::Package.new(file) pkg.security_policy = policy begin + $stdout.puts "verifying #{name}" pkg.verify rescue Gem::Security::Exception => e - $stderr.puts e.message + $stderr.puts "#{name}: #{e.message}" File.unlink(file) false else true end end - - def self.verify(pkg) - end end Gems = RubyGems @@ -134,6 +134,7 @@ class Downloader https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L134 # download 'http://www.unicode.org/Public/UCD/latest/ucd/UnicodeData.txt', # 'UnicodeData.txt', 'enc/unicode/data' def self.download(url, name, dir = nil, since = true, options = {}) + options.delete(:verify) file = under(dir, name) if since.nil? and File.exist?(file) if $VERBOSE 
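Review bot: `Gem::VERSION >= "2.4."` in the added `verify = options.delete(:verify) {...}` line of `Downloader::RubyGems.download` compares the version strings character by character, not as versions. A version whose first component has two digits (constructed example: "10.0.0") sorts below "2.4.", so verification would be switched off without any message. Comparing parsed versions avoids that: `verify = options.delete(:verify) {Gem::Version.new(Gem::VERSION) >= Gem::Version.new("2.4")}`. The added `return true unless verify` also returns the same value for a skipped check as for a passed one, so a line such as `$stderr.puts "#{name}: verification skipped (RubyGems #{Gem::VERSION})"` before it would make unverified gems visible in the build log.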
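Review bot: `options.delete(:verify)` in `Downloader.download` removes the key from the caller's hash, and so does the `options.delete(:verify) {...}` line in `Downloader::RubyGems.download`. The last hunk of this file passes one shared `options` hash to `dl.download` inside `ARGV.each`, so with `-V` and several names only the first download sees `:verify => true` and the rest fall back to the version-based default. `dl` is assigned outside the visible hunks, so this assumes it is one of these downloader classes. Working on a copy keeps the flag for every file: add `options = options.dup` as the first line of both methods, which also stops `options[:ssl_ca_cert] = ...` from leaking into the caller's hash.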
@@ -194,6 +195,10 @@ class Downloader https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L195 raise "failed to download #{name}\n#{e.message}: #{url}" end + def self.verify(file) + true + end + def self.under(dir, name) dir ? File.join(dir, File.basename(name)) : name end @@ -203,6 +208,7 @@ Downloader.https = https.freeze https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L208 if $0 == __FILE__ since = true + options = {} until ARGV.empty? case ARGV[0] when '-d' @@ -217,6 +223,8 @@ if $0 == __FILE__ https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L223 since = nil when '-a' since = false + when '-V' + options[:verify] = true when /\A-/ abort "#{$0}: unknown option #{ARGV[0]}" else @@ -233,10 +241,10 @@ if $0 == __FILE__ https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L241 ARGV.shift ARGV.each do |name| name = "#{prefix}/#{File.basename(name)}" if prefix - dl.download(name, destdir, since) + dl.download(name, destdir, since, options) end else abort "usage: #{$0} url name" unless ARGV.size == 2 - Downloader.download(ARGV[0], ARGV[1], destdir, since) + Downloader.download(ARGV[0], ARGV[1], destdir, since, options) end end Index: ChangeLog =================================================================== --- ChangeLog (revision 55054) +++ ChangeLog (revision 55055) @@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Wed May 18 16:04:54 2016 Nobuyoshi Nakada <nobu@r...> + + * tool/downloader.rb (Downloader::RubyGems.download): verify gems + only if RubyGems is 2.4 or later. old RubyGems fails to verify + almost all of bundled gems. + Wed May 18 14:52:38 2016 Nobuyoshi Nakada <nobu@r...> * string.c (rb_str_modify_expand): check integer overflow. -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
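Review bot: The `Downloader.verify(file)` added in the `-194,6 +195,10` hunk returns `true` unconditionally and has no comment, so a reader would take the name to mean that an integrity check took place. No call to it appears in this diff, so it is not clear from here what relies on it. I would put a comment above it, `# No integrity check is performed for plain downloads; always returns true.`, or leave the method out until it performs a real check.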