ruby-changes:65449
From: Hiroshi <ko1@a...>
Date: Thu, 11 Mar 2021 17:25:15 +0900 (JST)
Subject: [ruby-changes:65449] 38f8b8d070 (ruby_3_0): Merge RubyGems-3.2.10 and Bundler-2.2.10
https://git.ruby-lang.org/ruby.git/commit/?id=38f8b8d070
From 38f8b8d070aaac02f1d048b5d9947b2e58401e2b Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@r...>
Date: Tue, 2 Mar 2021 20:36:40 +0900
Subject: Merge RubyGems-3.2.10 and Bundler-2.2.10
---
lib/bundler/definition.rb | 74 ++++--
lib/bundler/dsl.rb | 63 +++--
lib/bundler/feature_flag.rb | 1 -
lib/bundler/inline.rb | 1 +
lib/bundler/lockfile_parser.rb | 20 +-
lib/bundler/man/bundle-config.1 | 14 +-
lib/bundler/man/bundle-config.1.ronn | 23 +-
lib/bundler/plugin.rb | 1 +
lib/bundler/plugin/installer.rb | 17 +-
lib/bundler/resolver.rb | 66 +++---
lib/bundler/settings.rb | 1 -
lib/bundler/source/rubygems.rb | 11 +-
lib/bundler/source_list.rb | 53 +++--
lib/bundler/version.rb | 2 +-
lib/rubygems.rb | 2 +-
lib/rubygems/command.rb | 1 +
lib/rubygems/specification.rb | 3 +
spec/bundler/bundler/dsl_spec.rb | 15 +-
spec/bundler/bundler/plugin_spec.rb | 1 +
spec/bundler/bundler/source_list_spec.rb | 21 +-
spec/bundler/commands/exec_spec.rb | 3 +-
spec/bundler/commands/lock_spec.rb | 45 ++++
spec/bundler/commands/post_bundle_message_spec.rb | 11 +-
spec/bundler/install/gemfile/gemspec_spec.rb | 15 +-
spec/bundler/install/gemfile/platform_spec.rb | 25 +-
spec/bundler/install/gemfile/sources_spec.rb | 271 ++++++++++++++--------
spec/bundler/install/gems/flex_spec.rb | 32 +--
spec/bundler/lock/lockfile_spec.rb | 35 +--
spec/bundler/other/major_deprecation_spec.rb | 104 ++++++---
spec/bundler/resolver/platform_spec.rb | 17 ++
spec/bundler/runtime/platform_spec.rb | 83 +++++++
spec/bundler/support/indexes.rb | 2 +-
test/rubygems/test_gem.rb | 10 +-
33 files changed, 618 insertions(+), 425 deletions(-)
diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb
index 3c25149..9178f01 100644
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@@ -106,6 +106,19 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L106 @locked_platforms = [] end + @locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) } + @disable_multisource = !Bundler.frozen_bundle? || @locked_gem_sources.none? {|s| s.remotes.size > 1 } + + unless @disable_multisource + msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. " \ + "You should regenerate your lockfile in a non frozen environment." + + Bundler::SharedHelpers.major_deprecation 2, msg + + @sources.allow_multisource! + @locked_gem_sources.each(&:allow_multisource!) + end + @unlock[:gems] ||= [] @unlock[:sources] ||= [] @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object @@ -145,6 +158,14 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L158 end end + def disable_multisource? + @disable_multisource + end + + def allow_multisource! + @disable_multisource = false + end + def resolve_with_cache! raise "Specs already loaded" if @specs sources.cached! @@ -264,7 +285,7 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L285 # Run a resolve against the locally available gems Bundler.ui.debug("Found changes from the lockfile, re-resolving dependencies because #{change_reason}") expanded_dependencies = expand_dependencies(dependencies + metadata_dependencies, @remote) - Resolver.resolve(expanded_dependencies, index, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms) + Resolver.resolve(expanded_dependencies, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms) end end end 
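Review bot: The assignment `@disable_multisource = !Bundler.frozen_bundle? || @locked_gem_sources.none? {|s| s.remotes.size > 1 }` in the first hunk builds a negated flag out of a negation, and nothing in the new lines says why a frozen bundle is the one case that keeps the multi-remote lookup the message itself calls insecure. As far as this hunk shows, the only signal in that case is `Bundler::SharedHelpers.major_deprecation 2, msg`, so a deployment or CI run would keep resolving against every remote in the section and the operator sees at most a log line. I would add a comment above the assignment, for example `# A frozen bundle cannot regenerate its lockfile, so a multi-remote section is still honoured (with a warning) instead of failing` (adjusted to the real reason), and name the condition positively, e.g. `insecure_lockfile = Bundler.frozen_bundle? && @locked_gem_sources.any? {|s| s.remotes.size > 1 }`. The enclosing method starts and ends outside the hunk.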
@@ -530,6 +551,9 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L551 attr_reader :sources private :sources + attr_reader :locked_gem_sources + private :locked_gem_sources + def nothing_changed? !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@locked_specs_incomplete_for_platform end @@ -654,21 +678,20 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L678 end def converge_rubygems_sources - return false if Bundler.feature_flag.disable_multisource? + return false if disable_multisource? - changes = false + return false if locked_gem_sources.empty? - # Get the RubyGems sources from the Gemfile.lock - locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) } # Get the RubyGems remotes from the Gemfile actual_remotes = sources.rubygems_remotes + return false if actual_remotes.empty? + + changes = false # If there is a RubyGems source in both - if !locked_gem_sources.empty? && !actual_remotes.empty? - locked_gem_sources.each do |locked_gem| - # Merge the remotes from the Gemfile into the Gemfile.lock - changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes]) - end + locked_gem_sources.each do |locked_gem| + # Merge the remotes from the Gemfile into the Gemfile.lock + changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes]) end changes 
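Review bot: The context comment `# If there is a RubyGems source in both` in `converge_rubygems_sources` is stale after this change: the `if !locked_gem_sources.empty? && !actual_remotes.empty?` it introduced has been replaced by the two `return false if ....empty?` guards. I would reword it to `# Both the lockfile and the Gemfile have RubyGems sources: merge the Gemfile remotes into each locked source`. The first guard also deserves a line of its own, since with `return false if disable_multisource?` the method only does work while multisource is still allowed, which per the constructor hunk appears to be the frozen bundle with a multi-remote lockfile; something like `# Only legacy multi-remote lockfiles still need their remotes converged` would make that explicit.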
@@ -893,30 +916,18 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L916 # Record the specs available in each gem's source, so that those # specs will be available later when the resolver knows where to # look for that gemspec (or its dependencies) - default = sources.default_source - source_requirements = { :default => default } - default = nil unless Bundler.feature_flag.disable_multisource? - dependencies.each do |dep| - next unless source = dep.source || default - source_requirements[dep.name] = source - end + source_requirements = { :default => sources.default_source }.merge(dependency_source_requirements) metadata_dependencies.each do |dep| source_requirements[dep.name] = sources.metadata_source end + source_requirements[:global] = index unless disable_multisource? source_requirements[:default_bundler] = source_requirements["bundler"] || source_requirements[:default] source_requirements["bundler"] = sources.metadata_source # needs to come last to override source_requirements end def pinned_spec_names(skip = nil) - pinned_names = [] - default = Bundler.feature_flag.disable_multisource? && sources.default_source - @dependencies.each do |dep| - next unless dep_source = dep.source || default - next if dep_source == skip - pinned_names << dep.name - end - pinned_names + dependency_source_requirements.reject {|_, source| source == skip }.keys end def requested_groups 
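Review bot: `source_requirements[:global] = index unless disable_multisource?` stores an index under a symbol key in a hash whose other values are source objects, and the hunk does not say how the resolver uses it. From the name it is presumably the all-sources fallback for gems that have no source of their own, which is the lookup that allows a same-named gem from a different remote to be selected, so the line should state that it exists only for the legacy multisource mode. Suggested comment: `# Legacy multisource only: lets the resolver search every source for gems without a pinned source`. Both `source_requirements` and `pinned_spec_names` start outside the hunk, so the surrounding method may already document this.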
@@ -973,5 +984,18 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L984 Bundler.settings[:allow_deployment_source_credential_changes] && source.equivalent_remotes?(sources.rubygems_remotes) end + + def dependency_source_requirements + @dependency_source_requirements ||= begin + source_requirements = {} + default = disable_multisource? && sources.default_source + dependencies.each do |dep| + dep_source = dep.source || default + next unless dep_source + source_requirements[dep.name] = dep_source + end + source_requirements + end + end end end diff --git a/lib/bundler/dsl.rb b/lib/bundler/dsl.rb index 1cc7908..ef5aaf6 100644 --- a/lib/bundler/dsl.rb +++ b/lib/bundler/dsl.rb @@ -24,6 +24,9 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/dsl.rb#L24 def initialize @source = nil @sources = SourceList.new + + @global_rubygems_sources = [] + @git_sources = {} @dependencies = [] @groups = [] @@ -45,6 +48,7 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/dsl.rb#L48 @gemfiles << expanded_gemfile_path contents ||= Bundler.read_file(@gemfile.to_s) instance_eval(contents.dup.tap{|x| x.untaint if RUBY_VERSION < "2.7" }, gemfile.to_s, 1) + check_primary_source_safety rescue Exception => e # rubocop:disable Lint/RescueException message = "There was an error " \ "#{e.is_a?(GemfileEvalError) ? "evaluating" : "parsing"} " \ @@ -164,8 +168,7 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/dsl.rb#L168 elsif block_given? with_source(@sources.add_rubygems_source("remotes" => source), &blk) else - check_primary_source_safety(@sources) - @sources.global_rubygems_source = source + @global_rubygems_sources << source end end @@ -183,24 +186,14 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/dsl.rb#L186 end def path(path, options = {}, &blk) - unless block_given? - msg = "You can no longer spe (... truncated) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
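Review bot: `dependency_source_requirements` memoises a hash whose contents depend on `disable_multisource?`, while `allow_multisource!`, added earlier in this file, can flip that flag after construction. If `source_requirements` or `pinned_spec_names` runs before `allow_multisource!`, the cached hash keeps pinning unsourced gems to the default source while `source_requirements[:global]` starts being set, so the two parts of the resolver input would disagree. Callers of `allow_multisource!` are not visible on this page, so this may never happen in practice; clearing the memo in the setter with `@dependency_source_requirements = nil` would rule it out, and a comment on the memo naming the flag it depends on would help either way.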
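Review bot: In lib/bundler/dsl.rb the new `check_primary_source_safety` call sits directly after `instance_eval`, inside the region covered by `rescue Exception => e`. Anything the check raises would therefore be rewrapped by the handler that builds the "There was an error evaluating/parsing" message, so a source-safety failure could be reported as if it were a Gemfile syntax problem. The call also runs once per `eval_gemfile` invocation, and since `@gemfiles` is a list, a nested Gemfile may trigger the check before the outer file has finished appending to `@global_rubygems_sources`. The body of the check is not shown here because the dsl.rb diff is truncated, so both points need confirming; a comment at the call site such as `# Runs after every evaluated Gemfile; errors here are reported through the rescue below` would record the intent.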