=== 2.0.10 / 2013-09-24
Security fixes:
* RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to
backtracking in Gem::Version validation. See CVE-2013-4363 for full details
including vulnerable APIs. Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
1.8.23.2 (for Ruby 1.9.3).
=== 2.0.9 / 2013-09-13
Bug fixes:
* Gem fetch now fetches the newest (not oldest) gem when --version is given.
Issue #643 by Brian Shirai.
* Fixed credential creation for `gem push` when `--host` is not given. Pull
request #622 by Arthur Nogueira Neves
This includes a fix for CVE-2013-4287 in rubygems.
=== 2.0.8 / 2013-09-09
Security fixes:
* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to
backtracking in Gem::Version validation. See CVE-2013-4287 for full details
including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and
1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.
Bug fixes:
* Fixed Gem.clear_paths when Security is defined at top-level. Pull request
#625 by elarkin
=== 2.0.7 / 2013-08-15
* Extensions may now be built in parallel (therefore gems may be installed in
parallel). Bug #607 by Hemant Kumar.
* Changed broken link to RubyGems Bookshelf to point to RubyGems guides. Ruby
pull request #369 by 謝致邦.
* Fixed various test failures due to platform differences or poor tests.
Patches by Yui Naruse and Koichi Sasada.
* Fixed documentation for Kernel#require.
=== 2.0.6 / 2013-07-24
Bug fixes:
* Fixed the `--no-install` and `-I` options to `gem list` and friends. Bug
#593 by Blargel.
* Fixed crash when installing gems with extensions under the `-V` flag. Bug
#601 by Nick Hoffman.
* Fixed race condition retrieving HTTP connections in Gem::Request on JRuby.
Bug #597 by Hemant Kumar.
* Fixed building extensions on ruby 1.9.3 under mingw. Bug #594 by jonforums,
Bug #599 by Chris Riesbeck
* Restored default of remote search to `gem search`.
=== 2.0.5 / 2013-07-11
Bug fixes:
* Fixed building of extensions that run ruby in their makefiles. Bug #589 by
Zachary Salzbank.
=== 2.0.4 / 2013-07-09
Bug fixes:
* Fixed error caused by gem install not finding the right platform for your
platform. Bug #576 by John Anderson
* Fixed pushing gems with the default host. Bug #495 by Utkarsh Kukreti
* Improved unhelpful error message from `gem owner --remove`. Bug #488 by
Steve Klabnik
* Fixed typo in `gem spec` help. Pull request #563 by oooooooo
* Fixed creation of build_info with --install-dir. Bug #457 by Vít Ondruch.
* RubyGems converts non-string dependency names to strings now. Bug #505 by
Terence Lee
* Outdated prerelease versions are now listed in `gem outdated`.
* RubyGems now only calls fsync() on the specification when installing, not
every file from the gem. This improves the performance of gem installation
on some systems. Pull Request #556 by Grzesiek Kolodziejczyk
* Removed surprise search term anchoring in `gem search` to restore 1.8-like
search behavior while still defaulting to --remote. Pull request #562 by
Ben Bleything
* Fixed handling of DESTDIR when building extensions. Pull request #573 by
Akinori MUSHA
* Fixed documentation of `gem pristine` defaults (--all is not a default).
Pull request #577 by Shannon Skipper
* Fixed a windows extension-building test failure. Pull request #575 by
Hiroshi Shirosaki
* Fixed issue with `gem update` where it would attempt to use a Version
instead of a Requirement to find the latest gem. Fixes #570 by Nick Cox.
* RubyGems now ignores an empty but set RUBYGEMS_HOST environment variable.
Based on pull request #558 by Robin Dupret.
* Removed duplicate creation of gem subdirectories in
Gem::DependencyInstaller. Pull Request #456 by Vít Ondruch
* RubyGems now works with Ruby built with `--with-ruby-version=''`. Pull
Request #455 by Vít Ondruch
* Fixed race condition when two threads require the same gem. Ruby bug report
#8374 by Joel VanderWerf
* Cleaned up siteconf between extension build and extension install. Pull
request #587 by Dominic Cleal
* Fix deprecation warnings when converting gemspecs to yaml. Ruby commit
r41148 by Yui Naruse
=== 1.8.25 / 2013-01-24
* 6 bug fixes:
* Added 11627 to setup bin_file location to protect against errors.
Fixes #328 by ConradIrwin
* Specification#ruby_code didn't handle Requirement with multiple
* Fix error on creating a Version object with a frozen string.
* Fix incremental index updates
* Fix missing load_yaml in YAML-related requirement.rb code.
* Manually backport encoding-aware YAML gemspec
=== 1.8.23 / 2012-04-19
This release increases the security used when RubyGems is talking to
an https server. If you use a custom RubyGems server over SSL, this
release will cause RubyGems to no longer connect unless your SSL cert
is globally valid.
You can configure SSL certificate usage in RubyGems through the
:ssl_ca_cert and :ssl_verify_mode options in ~/.gemrc and /etc/gemrc.
The recommended way is to set :ssl_ca_cert to the CA certificate for
your server or a certificate bundle containing your CA certification.
You may also set :ssl_verify_mode to 0 to completely disable SSL
certificate checks, but this is not recommended.
* 2 security fixes:
* Disallow redirects from https to http
* Turn on verification of server SSL certs
* 1 minor feature:
* Add --clear-sources to fetch
* 2 bug fixes:
* Use File.identical? to check if two files are the same.
* Fixed init_with warning when using psych
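A check for the settings the 1.8.23 notes above describe, as an added example (not RubyGems code and not part of the original changelog). `audit_gemrc` is a hypothetical helper, the host names and certificate paths are constructed, and the plain-http `:sources` check goes slightly beyond the two SSL options named in the notes.

```ruby
require "yaml"

# Constructed sample gemrc contents (not taken from any real host).
WEAK_GEMRC = <<~GEMRC
  :sources:
  - http://gems.example.internal/
  :ssl_verify_mode: 0
  :ssl_ca_cert: /etc/ssl/missing-internal-ca.pem
GEMRC

HARDENED_GEMRC = <<~GEMRC
  :sources:
  - https://gems.example.internal/
  :ssl_ca_cert: /etc/ssl/certs/internal-ca.pem
GEMRC

# Returns a list of findings for one gemrc document. `file_exists` is
# injectable so the check can be exercised without touching the disk.
def audit_gemrc(text, file_exists: File.method(:exist?))
  raw = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  return ["gemrc is not a YAML mapping"] unless raw.is_a?(Hash)

  # gemrc keys are usually written as symbols (":ssl_ca_cert:"); accept both.
  settings = raw.each_with_object({}) { |(k, v), h| h[k.to_s.sub(/\A:/, "")] = v }
  findings = []

  # 0 is OpenSSL::SSL::VERIFY_NONE: the server certificate is never checked.
  if settings["ssl_verify_mode"].to_s.strip == "0"
    findings << ":ssl_verify_mode is 0, certificate checks are disabled"
  end

  # A CA path that does not exist cannot anchor verification of the server.
  ca = settings["ssl_ca_cert"]
  if ca && !file_exists.call(ca.to_s)
    findings << ":ssl_ca_cert points to a missing file: #{ca}"
  end

  # Plain-http sources get no TLS protection at all.
  Array(settings["sources"]).each do |src|
    findings << "source is fetched over plain http: #{src}" if src.to_s.start_with?("http://")
  end

  findings
end
```

Run it over a host's configuration with `audit_gemrc(File.read(path))` for `~/.gemrc` and `/etc/gemrc`; an empty list means none of the three conditions was found.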
=== 1.8.22 / 2012-04-13
* 4 bug fixes:
* Workaround for psych/syck YAML date parsing issue
* Don't trust the encoding of ARGV. Fixes #307
* Quiet default warnings about missing spec variables
* Read a binary file properly (windows fix)
=== 1.8.21 / 2012-03-22
* 2 bug fixes:
* Add workaround for buggy yaml output from 1.9.2
* Force 1.9.1 to remove its prelude code. Fixes #305
=== 1.8.20 / 2012-03-21
* 4 bug fixes:
* Add --force to `gem build` to skip validation. Fixes #297
* Gracefully deal with YAML::PrivateType objects in Marshal'd gemspecs
* Treat the source as a proper url base. Fixes #304
* Warn when updating the specs cache fails. Fixes #300
=== 1.8.19 / 2012-03-14
* 3 bug fixes:
* Handle loading psych vs syck properly. Fixes #298
* Make sure Date objects don't leak in via Marshal
* Perform Date => Time coercion on yaml loading. Fixes #266
=== 1.8.18 / 2012-03-11
* 4 bug fixes:
* Use Psych API to emit more compatible YAML
* Download and write inside `gem fetch` directly. Fixes #289
* Honor sysconfdir on 1.8. Fixes #291
* Search everywhere for a spec for `gem spec`. Fixes #288
* Fix Gem.all_load_path. Fixes #171
=== 1.8.17 / 2012-02-17
* 2 minor enhancements:
* Add MacRuby to the list of special cases for platforms (ferrous26)
* Add a default for where to install rubygems itself
* 3 bug fixes:
* Fixed gem loading issue caused by dependencies not resolving.
* Fixed umask error when stdlib is required and unresolved dependencies exist.
* Shebang munging would only take one arg after the cmd
* Define SUCKAGE better, ie only MRI 1.9.2
* Propagate env-shebang to the pristine command if set for install.
=== 1.8.16 / 2012-02-12
* 3 bug fixes:
* Fix gem specification loading when encoding is not UTF-8. #146
* Allow group writable if umask allows it already.
* Uniquify the spec list based on directory order priority
=== 1.8.15 / 2012-01-06
* 1 bug fix:
* Don't eager load yaml, it creates a bad loop. Fixes #256
=== 1.8.14 / 2012-01-05
* 2 bug fixes:
* Ignore old/bad cache data in Version
* Make sure our YAML workarounds are loaded properly. Fixes #250.
=== 1.8.13 / 2011-12-21
* 1 bug fix:
* Check loaded_specs properly when trying to satisfy a dep
* 2 minor enhancements:
* Remove using #loaded_path? for performance
* Remove Zlib workaround for Windows build.
=== 1.8.10 / 2011-08-25
RubyGems 1.8.10 contains a security fix that prevents malicious gems from
executing code when their specification is loaded. See
https://github.com/rubygems/rubygems/pull/165 for details.
* 5 bug fixes:
* RubyGems escapes strings in ruby-format specs using #dump instead of #to_s
and %q to prevent code injection. Issue #165 by Postmodern
* RubyGems now attempts to activate the psych gem to obtain bugfixes from
psych.
* Gem.dir has been restored to the front of Gem.path. Fixes remaining
problem with Issue #115
* Fixed Syck DefaultKey infecting ruby-format specifications.
* `gem uninstall a b` no longer stops if gem "a" is not installed.
Now latest ruby19-base package comes with gem supporting newer format,
so no need to keep older.
Should fix the build problem of newer rails3 related packages with
ruby18-base.
Bump PKGREVISION.
o pkgsrc changes:
* Add patches to keep output of specification sub-command as before.
* Make sure 'yaml' is loaded in Gem::Specification::from_yaml().
=== 1.3.7 / 2010-05-13
NOTE:
http://rubygems.org is now the default source for downloading gems.
You may have sources set via ~/.gemrc, so you should replace
http://gems.rubyforge.org with http://rubygems.org
http://gems.rubyforge.org will continue to work for the foreseeable future.
New features:
* `gem` commands
* `gem install` and `gem fetch` now report alternate platforms when a
matching one couldn't be found.
* `gem contents` --prefix is now the default as specified in --help. Bug
#27211 by Mamoru Tasaka.
* `gem fetch` can fetch old versions again. Bug #27960 by Eric Hankins.
* `gem query` and friends output now lists platforms. Bug #27856 by Greg
Hazel.
* `gem server` now allows specification of multiple gem dirs for
documentation. Bug #27573 by Yuki Sonoda.
* `gem unpack` can unpack gems again. Bug #27872 by Timothy Jones.
* `gem unpack` now unpacks remote gems.
* --user-install is no longer the default. If you really liked it, see
Gem::ConfigFile to learn how to set it by default. (This change was made
in 1.3.6)
* RubyGems now has platform support for IronRuby. Patch #27951 by Will Green.
Bug fixes:
* Require rubygems/custom_require if --disable-gem was set. Bug #27700 by
Roger Pack.
* RubyGems now protects against exceptions being raised by plugins.
* rubygems/builder now requires user_interaction. Ruby Bug #1040 by Phillip
Toland.
* Gem::Dependency support #version_requirements= with a warning. Fix for old
Rails versions. Bug #27868 by Wei Jen Lu.
* Gem::PackageTask depends on the package dir like the other rake package
tasks so dependencies can be hooked up correctly.
=== 1.3.6 / 2010-02-17
New features:
* `gem` commands
* Added `gem push` and `gem owner` for interacting with modern/Gemcutter
sources
* `gem dep` now supports --prerelease.
* `gem fetch` now supports --prerelease.
* `gem server` now supports --bind. Patch #27357 by Bruno Michel.
* `gem rdoc` no longer overwrites built documentation. Use --overwrite to
force rebuilding. Patch #25982 by Akinori MUSHA.
* Capital letters are now allowed in prerelease versions.
Bug fixes:
* Development deps are no longer added to rubygems-update gem so older
versions can update successfully.
* Installer bugs:
* Prerelease gems can now depend on non-prerelease gems.
* Development dependencies are ignored unless explicitly needed. Bug #27608
by Roger Pack.
* `gem` commands
* `gem which` now fails if no paths were found. Adapted patch #27681 by
Caio Chassot.
* `gem server` no longer has invalid markup. Bug #27045 by Eric Young.
* `gem list` and friends show both prerelease and regular gems when
--prerelease --all is given
* Gem::Format no longer crashes on empty files. Bug #27292 by Ian Ragsdale.
* Gem::GemPathSearcher handles nil require_paths. Patch #27334 by Roger Pack.
* Gem::RemoteFetcher no longer copies the file if it is where we want it.
Patch #27409 by Jakub Stastny.
Deprecation Notices:
* lib/rubygems/timer.rb has been removed.
* Gem::Dependency#version_requirements is deprecated and will be removed on or
after August 2010.
* Bulk index update is no longer supported.
* Gem::manage_gems was removed in 1.3.3.
* Time::today was removed in 1.3.3.
* Add LICENSE.
* Adjust new ruby packages' framework.
* Command name is gem${RUBY_VER} == gem18 now and add ALTERNATIVES.
* Add comments to patches.
* Overhaul --install_root option.
* Avoid accessing HOME when --install_root is enabled.
* honor PKG_SYSCONFDIR.
Bump PKGREVISION.
Changes:
* Fix use of prerelease gems.
* Gem.bin_path no longer escapes path with spaces. Bug #25935 and #26458.
* Bulk index update is no longer supported (the code currently
remains, but not the tests)
New features since 1.3.1:
* RubyGems now loads plugins from rubygems_plugin.rb in installed gems.
This can be used to add commands (See Gem::CommandManager) or add
install/uninstall hooks (See Gem::Installer and Gem::Uninstaller).
* Gem::Version now understands prerelease versions using letters. (eg.
'1.2.1.b') Thanks to Josh Susser, Alex Vollmer and Phil Hagelberg.
* RubyGems now includes a Rake task for creating gems which replaces rake's
Rake::GemPackageTask. See Gem::PackageTask.
* Gem::find_files now returns paths in $LOAD_PATH.
* Added Gem::promote_load_path for use with Gem::find_files
* Added Gem::bin_path to make finding executables easier. Patch #24114 by
James Tucker.
* Various improvements to build arguments for installing gems.
* `gem contents` added --all and --no-prefix.
* Gem::Specification
* #validate strips directories and errors on not-files.
* #description no longer removes newlines.
* #name must be a String.
* FIXME and TODO are no longer allowed in various fields.
* Added support for a license attribute. Feature #11041 (partial).
* Removed Gem::Specification::list, too much process growth. Bug #23668 by
Steve Purcell.
* `gem generate_index`
* Can now generate an RSS feed.
* Modern indices can now be updated incrementally.
* Legacy indices can be updated separately from modern.
* `gem server` allows port names (from /etc/services) with --port.
* `gem server` now has search that jumps to RDoc. Patch #22959 by Vladimir
Dobriakov.
* `gem spec` can retrieve single fields from a spec (like `gem spec rake
authors`).
* Gem::Specification#has_rdoc= is deprecated and ignored (defaults to true)
* RDoc is now generated regardless of Gem::Specification#has_rdoc?
New features since 1.2.0:
* RubyGems doesn't print LOCAL/REMOTE titles for `gem query` and friends if
stdout is not a TTY, except with --both.
* Added Gem.find_files, allows a gem to discover features provided by other
gems.
* Added pre/post (un)install hooks for packagers of RubyGems. (Not for gems
themselves).
* RubyGems now installs gems into ~/.gem if GEM_HOME is not writable. Use
--no-user-install command-line switch to disable this behavior.
* Fetching specs for update now uses If-Modified-Since requests.
* RubyGems now updates the ri cache when the rdoc gem is installed and
documentation is generated.
Release 1.2.0 adds new features and fixes some bugs.
New features:
* RubyGems no longer performs bulk updates and instead only fetches the gemspec
files it needs. Alternate sources will need to upgrade to RubyGems 1.2 to
allow RubyGems to take advantage of the new metadata updater. If a pre 1.2
remote source is in the sources list, RubyGems will revert to the bulk update
code for compatibility.
* RubyGems now has runtime and development dependency types. Use
#add_development_dependency and #add_runtime_dependency. All typeless
dependencies are considered to be runtime dependencies.
* RubyGems will now require rubygems/defaults/operating_system.rb and
rubygems/defaults/#{RBX_ENGINE}.rb if they exist. This allows packagers and
ruby implementers to add custom behavior to RubyGems via these files. (If
the RubyGems API is insufficient, please suggest improvements via the
RubyGems list.)
* /etc/gemrc (and windows equivalent) for global settings
* setup.rb now handles --vendor and --destdir for packagers
* `gem stale` command that lists gems by last access time
Bugs Fixed:
* File modes from gems are now honored, patch #19737
* Marshal Gem::Specification objects from the future can now be loaded.
* A trailing / is now added to remote sources when missing, bug #20134
* Gems with legacy platforms will now be correctly uninstalled, patch #19877
* `gem install --no-wrappers` followed by `gem install --wrappers` no longer
overwrites executables
* `gem pristine` now forces reinstallation of gems, bug #20387
* RubyGems gracefully handles ^C while loading .gemspec files from disk, bug
#20523
* Paths are expanded in more places, bug #19317, bug #19896
* Gem::DependencyInstaller resets installed gems every install, bug #19444
* Gem.default_path is now honored if GEM_PATH is not set, patch #19502
Other Changes Include:
* setup.rb
* stub files created by RubyGems 0.7.x and older are no longer removed. When
upgrading from these ancient versions, upgrade to 1.1.x first to clean up
stubs.
* RDoc is no longer required until necessary, patch #20414
* `gem server`
* Now completely matches the output of `gem generate_index` and
has correct content types
* Refreshes from source directories for every hit. The server will no longer
need to be restarted after installing gems.
* `gem query --details` and friends now display author, homepage, rubyforge url
and installed location
* `gem install` without -i no longer reinstalls dependencies if they are in
GEM_PATH but not in GEM_HOME
* Gem::RemoteFetcher now performs persistent connections for HEAD requests,
bug #7973
patches to add it). Drop pax from the default USE_TOOLS list.
Make bsdtar the default for those places that wanted gtar to extract
long links etc, as bsdtar can be built of the tree.
* Gem.prefix now returns non-nil only when RubyGems was installed outside
sitelibdir or libdir.
* The `gem server` gem list now correctly links to gem details.
* `gem update --system` now passes --no-format-executable to setup.rb.
* Gem::SourceIndex#refresh! now works with multiple gem repositories.
* Downloaded gems now go into --install-dir's cache directory.
* Various fixes to downloading gem metadata.
* `gem install --force` now ignores network errors too.
* `gem pristine` now rebuilds extensions.
* `gem update --system` now works on virgin Apple ruby.
* Gem::RemoteFetcher handles Errno::ECONNABORTED.
+ Port patches to allow gems to be installed into an "installation root"
from 1.0.1nb2.
+ Rename the --build-root option to --install-root, which more accurately
reflects the purpose of the option.
+ Update rubygem.mk to work with rubygems-1.1.0.
+ Require 1.1.0 as the minimum rubygems version for the build.
+ Remove GEM_FORMAT and special code to extract the gemspec file
from a gem archive -- `gem spec' can now do it correctly by itself.
+ Rename various *buildroot* targets to *install-root* to match the
name of the `gem' option.
* RubyGems now uses persistent connections on index updates and only
updates from a latest index by default, cutting candidate gems for
updates to roughly 1/4 (at present). Index updates are much faster
now.
* `gem list -r` may only show the latest version of a gem, add --all to
see all gems.
* `gem spec` now extracts specifications from .gem files.
* `gem query --installed` to aid automation of checking for gems.
This update has been tested with the 3 packages in pkgsrc that install
using the ``gem'' command:
devel/rubyforge
misc/ruby-gem_plugin
www/mongrel
This update has also been tested with the 129 packages in my local
tree that install using the ``gem'' command.
Manually check that the installation actually succeeds or exit with an
error so that the pkgsrc make process halts with the proper error code.
Suggestion for change by <seb> in private email.