ruby-changes:65448
From: Hiroshi <ko1@a...>
Date: Thu, 11 Mar 2021 17:25:15 +0900 (JST)
Subject: [ruby-changes:65448] 0476ce0370 (ruby_3_0): Merge RubyGems-3.2.14 and Bundler-2.2.14
https://git.ruby-lang.org/ruby.git/commit/?id=0476ce0370
From 0476ce0370c1ee56de690d43c15d5e8d7893dedd Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@r...>
Date: Wed, 10 Mar 2021 12:08:20 +0900
Subject: Merge RubyGems-3.2.14 and Bundler-2.2.14
---
lib/bundler/compact_index_client/updater.rb | 2 +-
lib/bundler/definition.rb | 22 +-
lib/bundler/dsl.rb | 9 +-
lib/bundler/installer/parallel_installer.rb | 14 +-
lib/bundler/lockfile_parser.rb | 18 +-
lib/bundler/plugin/api/source.rb | 7 +
lib/bundler/source.rb | 6 +
lib/bundler/source/metadata.rb | 4 -
lib/bundler/source/rubygems.rb | 24 +-
lib/bundler/source_list.rb | 18 +-
lib/bundler/spec_set.rb | 2 +
lib/bundler/version.rb | 2 +-
lib/rubygems.rb | 2 +-
lib/rubygems/platform.rb | 10 +-
lib/rubygems/remote_fetcher.rb | 11 +-
.../bundler/compact_index_client/updater_spec.rb | 21 +
spec/bundler/bundler/source_list_spec.rb | 21 +-
spec/bundler/commands/lock_spec.rb | 2 +-
spec/bundler/install/deploy_spec.rb | 20 +-
spec/bundler/install/gemfile/sources_spec.rb | 506 ++++++++++++++++-----
spec/bundler/install/gems/flex_spec.rb | 32 +-
spec/bundler/install/gems/resolving_spec.rb | 45 ++
spec/bundler/install/gems/sudo_spec.rb | 17 +-
spec/bundler/lock/lockfile_spec.rb | 35 +-
spec/bundler/other/major_deprecation_spec.rb | 44 +-
.../realworld/fixtures/warbler/Gemfile.lock | 5 +-
spec/bundler/spec_helper.rb | 2 +
spec/bundler/support/builders.rb | 44 +-
spec/bundler/support/helpers.rb | 2 +-
spec/bundler/support/matchers.rb | 51 ++-
test/rubygems/test_gem_platform.rb | 29 --
test/rubygems/test_gem_remote_fetcher.rb | 38 ++
32 files changed, 705 insertions(+), 360 deletions(-)
diff --git a/lib/bundler/compact_index_client/updater.rb b/lib/bundler/compact_index_client/updater.rb
index 7959e5c..9e0180f 100644
--- a/lib/bundler/compact_index_client/updater.rb
+++ b/lib/bundler/compact_index_client/updater.rb
@@ -54,7 +54,7 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/compact_index_client/updater.rb#L54 if response.is_a?(Net::HTTPPartialContent) && local_temp_path.size.nonzero? local_temp_path.open("a") {|f| f << slice_body(content, 1..-1) } else - local_temp_path.open("w") {|f| f << content } + local_temp_path.open("wb") {|f| f << content } end end diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb index a09d661..686721c 100644 --- a/lib/bundler/definition.rb +++ b/lib/bundler/definition.rb @@ -106,6 +106,17 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L106 @locked_platforms = [] end + @locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) } + @disable_multisource = @locked_gem_sources.all?(&:disable_multisource?) + + unless @disable_multisource + msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. You should run `bundle update` or generate your lockfile from scratch." + + Bundler::SharedHelpers.major_deprecation 2, msg + + @sources.merged_gem_lockfile_sections! + end + @unlock[:gems] ||= [] @unlock[:sources] ||= [] @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object @@ -145,6 +156,10 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L156 end end + def disable_multisource? + @disable_multisource + end + def resolve_with_cache! raise "Specs already loaded" if @specs sources.cached! @@ -530,6 +545,9 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L545 attr_reader :sources private :sources + attr_reader :locked_gem_sources + private :locked_gem_sources + def nothing_changed? !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@locked_specs_incomplete_for_platform end 
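Review bot: The partial-content branch two lines above the changed line in updater.rb still opens the temp file with `"a"`, so only the full-download path gets binary mode. If `"wb"` is there to stop newline or encoding translation on write, the append path presumably needs the same treatment; otherwise a resumed download can leave bytes on disk that differ from what the server sent, and any later integrity comparison of that file becomes unreliable. Suggested: `local_temp_path.open("ab") {|f| f << slice_body(content, 1..-1) }`. The enclosing method starts and ends outside this hunk.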
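Review bot: In the definition.rb hunk at -106, `@locked_gem_sources.all?(&:disable_multisource?)` is true for an empty list, so a lockfile with no rubygems source sections counts as strict. That looks intended, but it is not stated, and this flag now also gates `converge_rubygems_sources`. I would add `# all? is true for an empty list: no rubygems section in the lockfile counts as strict.` above the assignment. In the `unless` branch the message calls the lockfile insecure, yet the code only emits a deprecation and then calls `@sources.merged_gem_lockfile_sections!`; judging by the name, resolution continues against the merged remotes until someone regenerates the lockfile, which deserves a second comment saying so. The initializer this hunk belongs to starts and ends outside the hunk.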
@@ -654,10 +672,8 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/definition.rb#L672 end def converge_rubygems_sources - return false if Bundler.feature_flag.disable_multisource? + return false if disable_multisource? - # Get the RubyGems sources from the Gemfile.lock - locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) } return false if locked_gem_sources.empty? # Get the RubyGems remotes from the Gemfile diff --git a/lib/bundler/dsl.rb b/lib/bundler/dsl.rb index 23fba99..313d1a9 100644 --- a/lib/bundler/dsl.rb +++ b/lib/bundler/dsl.rb @@ -460,19 +460,16 @@ repo_name ||= user_name https://github.com/ruby/ruby/blob/trunk/lib/bundler/dsl.rb#L460 @sources.add_rubygems_remote(source) end - if Bundler.feature_flag.disable_multisource? + if Bundler.feature_flag.bundler_3_mode? msg = "This Gemfile contains multiple primary sources. " \ "Each source after the first must include a block to indicate which gems " \ - "should come from that source. To downgrade this error to a warning, run " \ - "`bundle config unset disable_multisource`" + "should come from that source" raise GemfileEvalError, msg else Bundler::SharedHelpers.major_deprecation 2, "Your Gemfile contains multiple primary sources. " \ "Using `source` more than once without a block is a security risk, and " \ "may result in installing unexpected gems. To resolve this warning, use " \ - "a block to indicate which gems should come from the secondary source. " \ - "To upgrade this warning to an error, run `bundle config set --local " \ - "disable_multisource true`." + "a block to indicate which gems should come from the secondary source." end end diff --git a/lib/bundler/installer/parallel_installer.rb b/lib/bundler/installer/parallel_installer.rb index a6d1de2..c3bf584 100644 --- a/lib/bundler/installer/parallel_installer.rb +++ b/lib/bundler/installer/parallel_installer.rb 
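Review bot: In the dsl.rb hunk, a Gemfile with several block-less `source` lines is now rejected only under `bundler_3_mode?`. In every other case it gets a deprecation, even though that text itself calls the pattern a security risk, and the hint for upgrading the warning to an error was removed without a replacement. If an opt-in for failing closed still exists, the deprecation text should name it so that CI can enforce it; if it no longer exists, the message should say that the only remedy is the per-source block. The new error text also lost its final period: `"should come from that source."`. The enclosing method starts outside the hunk.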
@@ -27,13 +27,8 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/installer/parallel_installer.rb#L27 state == :failed end - def installation_attempted? - installed? || failed? - end - - # Only true when spec in neither installed nor already enqueued def ready_to_enqueue? - !enqueued? && !installation_attempted? + state == :none end def has_post_install_message? @@ -93,6 +88,11 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/installer/parallel_installer.rb#L88 def call check_for_corrupt_lockfile + if @rake + do_install(@rake, 0) + Gem::Specification.reset + end + if @size > 1 install_with_worker else @@ -217,8 +217,6 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/installer/parallel_installer.rb#L217 # are installed. def enqueue_specs @specs.select(&:ready_to_enqueue?).each do |spec| - next if @rake && !@rake.installed? && spec.name != @rake.name - if spec.dependencies_installed? @specs spec.state = :enqueued worker_pool.enq spec diff --git a/lib/bundler/lockfile_parser.rb b/lib/bundler/lockfile_parser.rb index 058d353..f87faff 100644 --- a/lib/bundler/lockfile_parser.rb +++ b/lib/bundler/lockfile_parser.rb @@ -131,18 +131,8 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/lockfile_parser.rb#L131 @sources << @current_source end when GEM - source_remotes = Array(@opts["remote"]) - - if source_remotes.size == 1 - @opts["remotes"] = @opts.delete("remote") - @current_source = TYPES[@type].from_lock(@opts) - else - source_remotes.each do |url| - rubygems_aggregate.add_remote(url) - end - @current_source = rubygems_aggregate - end - + @opts["remotes"] = Array(@opts.delete("remote")).reverse + @current_source = TYPES[@type].from_lock(@opts) @sources << @current_source when PLUGIN @current_source = Plugin.source_from_lock(@opts) 
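Review bot: In the parallel_installer.rb hunk at -88, the result of `do_install(@rake, 0)` is not checked, so whether a failed rake install stops the run before the remaining specs are installed depends on code outside this hunk. The literal `0` and the `Gem::Specification.reset` are also unexplained. I would add a comment such as `# Install rake on its own first (worker 0); reset so the freshly installed spec is visible to later installs.`, adjusted to the real intent, and state in it what happens when this step fails. `call` continues past the end of the hunk.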
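Review bot: In the lockfile_parser.rb hunk at -131, `Array(@opts.delete("remote")).reverse` reverses the remotes read from the lockfile with no comment saying why. If remote order decides which server is consulted first, as it presumably does, this one call affects where a gem is fetched from and should be explained next to the code. A `GEM` section without any `remote:` entry now yields `"remotes" => []` and is still handed to `from_lock`; whether that is rejected later is not visible here. Suggested comment: `# The lockfile lists remotes in <ORDER_ON_DISK>; Source::Rubygems expects <ORDER_IN_MEMORY>, hence the reverse.` with the two placeholders filled in.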
@@ -245,9 +235,5 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/lockfile_parser.rb#L235 def parse_ruby(line) @ruby_version = line.strip end - - def rubygems_aggregate - @rubygems_aggregate ||= Source::Rubygems.new - end end end diff --git a/lib/bundler/plugin/api/source.rb b/lib/bundler/plugin/api/source.rb index e1f0826..d70a16f 100644 --- a/lib/bundler/plugin/api/source.rb +++ b/lib/bundler/plugin/api/source.rb @@ -140,6 +140,13 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/plugin/api/source.rb#L140 end end + # Set internal representation to fetch the gems/specs locally. + # + # When this is called, the source should try to fetch the specs and + # install from the local system. + def local! + end + # Set internal representation to fetch the gems/specs from remote. # # When this is called, the source should try to fetch the specs and diff --git a/lib/bundler/source.rb b/lib/bundler/source.r (... truncated) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
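Review bot: In the plugin/api/source.rb hunk, the new `local!` has an empty body, so a plugin source that does not override it silently ignores the request; the doc comment describes what a source should do but not that the default does nothing. A caller that relies on `local!` to keep an install off the network therefore gets no such guarantee from plugin sources, as far as this hunk shows. I would extend the comment with `# The default implementation is a no-op; plugin sources that can work without network access should override it.`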