RubyGems Blog 2025-10-13T02:38:41+00:00 http://blog.rubygems.org/ Fred, the rubygems robot rubygems-developers@rubyforge.org

3.7.2 Released 2025-09-09T00:00:00+00:00 http://blog.rubygems.org/2025/09/09/3.7.2-released

<p>RubyGems 3.7.2 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p>

<p><strong>Enhancements:</strong></p> <ul> <li><code class="language-plaintext highlighter-rouge">gem sources --prepend</code> and <code class="language-plaintext highlighter-rouge">--append</code> allow finer-grained control of sources. Pull request <a href="https://github.com/rubygems/rubygems/pull/8901">#8901</a> by martinemde</li> <li>Improve <code class="language-plaintext highlighter-rouge">gem sources --remove</code> output. Pull request <a href="https://github.com/rubygems/rubygems/pull/8909">#8909</a> by deivid-rodriguez</li> <li>Make <code class="language-plaintext highlighter-rouge">gem sources</code> output more clear. Pull request <a href="https://github.com/rubygems/rubygems/pull/8938">#8938</a> by deivid-rodriguez</li> <li>Use IMDSv2 for S3 instance credentials. Pull request <a href="https://github.com/rubygems/rubygems/pull/7709">#7709</a> by folbricht-stripe</li> <li>Installs bundler 2.7.2 as a default gem.</li> </ul>

<p><strong>Bug fixes:</strong></p> <ul> <li>Fix “did you mean” suggestions for unknown commands. Pull request <a href="https://github.com/rubygems/rubygems/pull/8948">#8948</a> by deivid-rodriguez</li> <li>Fix trailing slashes not considered by <code class="language-plaintext highlighter-rouge">gem sources --remove</code>. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8939">#8939</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.7.2.tgz<br /> efece01225a532f4b52cf8764d20a00e0d29ed6f85b33d9302df4896a90fa5ab</li> <li>rubygems-3.7.2.zip<br /> 90dcd1be275d85a3aac31fbdf5842999d2d9345496bc4bba7518346294fa2b6e</li> <li>rubygems-update-3.7.2.gem<br /> 79dba0a6e377ab0b52cd526479753904b6ffaff1f8717b472c5792a8950fe060</li> </ul> How RubyGems.org Protects Our Community’s Critical OSS Infrastructure 2025-08-25T00:00:00+00:00 http://blog.rubygems.org/2025/08/25/rubygems-security-response <p>Recently, Socket.dev published <a href="https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-theft-campaign">research</a> highlighting malicious gems designed to steal social media credentials. We wanted to use this as an opportunity to share more about how RubyGems.org security operates, how we proactively handled this incident (and others), and the work our team is doing each day to keep the ecosystem safe.</p> <h1 id="how-we-detect-malicious-gems">How We Detect Malicious Gems</h1> <p><strong>RubyGems.org security uses a proactive and multi-layered approach:</strong></p> <p><strong>1. Automated detection:</strong> Every gem upload is analyzed using both static and dynamic code analysis, including behavioral checks and metadata review. Much of this capability comes from Mend.io’s supply chain security tooling (originally built by our own Maciej Mensfeld, a maintainer on the RubyGems team).</p> <p><strong>2. Risk scoring:</strong> Each package is given a score. Higher-risk gems are escalated for manual review by a member of our security team.</p> <p><strong>3. Retroactive scanning:</strong> As detection techniques improve, older packages are automatically rescanned, which allows us to catch threats that may have slipped through in the past. (This is how we found the threat actor that Socket.dev later investigated.)</p> <p><strong>4. 
External sources:</strong> We sometimes receive alerts from vulnerability databases, industry partners, and cross-registry collaborations, which help us identify patterns across ecosystems.</p> <p>Through steps 1 - 3, our team detects the majority (roughly 70-80%) of malicious packages before they are ever reported to us or the public.</p> <h1 id="what-happens-when-we-flag-a-gem">What Happens When We Flag a Gem</h1> <p><strong>Once a gem is flagged, we:</strong></p> <p><strong>1. Verify:</strong> A RubyGems security engineer reviews the code to confirm malicious intent (about 95% of flagged packages prove to be legitimate).</p> <p><strong>2. Double-check:</strong> When there’s any doubt, we seek a second opinion within the team.</p> <p><strong>3. Remove:</strong> Confirmed malicious gems are removed via a standardized process in our admin panel.</p> <p><strong>4. Document:</strong> Every action is logged with reasoning for traceability.</p> <p><strong>5. Protect further:</strong> In some cases, we preemptively block suspicious gem names (for example, ones mimicking company internals) to prevent possible abuse.</p> <h1 id="this-incident">This Incident</h1> <p><strong>This is the timeline of the actions our team took concerning the incident reported by Socket.dev:</strong></p> <ul> <li> <p><strong>July 20, 2025 –</strong> Our systems flagged suspicious gems, and the team confirmed malicious credential-stealing behavior. We would like to specifically credit RubyGems maintainer Maciej Mensfeld for this.</p> </li> <li> <p><strong>July 23–28 –</strong> We removed nearly all of the affected packages and terminated the associated accounts. 
We would again like to acknowledge Maciej Mensfeld for his security work here, as well as Josef Šimánek, who provided a second opinion and helped with package removal.</p> </li> <li> <p><strong>August 7 –</strong> Socket.dev published their report and notified us of 16 additional gems from related accounts, which we also removed.</p> </li> </ul> <p>In total, we removed all malicious packages from this threat actor, including two not covered in the original report.</p> <p>Socket.dev has also <a href="https://socket.dev/blog/follow-up-on-malicious-ruby-gems-campaign">published an updated accounting</a> of this incident after talking directly with our team and clarifying key details about our response.</p> <p><strong>It’s also important to note:</strong> this campaign involved a small number of gems. Widely used and trusted packages were not affected.</p> <h1 id="community-reporting--collaboration">Community Reporting &amp; Collaboration</h1> <p>We welcome and encourage researchers and community members to work with us by reporting issues through these channels:</p> <ul> <li> <p><strong>Email:</strong> Reach us at <a href="mailto:security@rubygems.org">security@rubygems.org</a>.</p> </li> <li> <p><strong>Slack:</strong> Join the <a href="https://join.slack.com/t/bundler/shared_invite/zt-1rrsuuv3m-OmXKWQf8K6iSla4~F1DBjQ">Bundler Slack</a> to connect with the RubyGems.org team and community of committers and developers.</p> </li> </ul> <p>Once we receive reports, we acknowledge them, review them quickly, and follow up with the person who made the report. We are grateful for every contribution that helps keep RubyGems and the Ruby ecosystem secure.</p> <h1 id="the-reality-of-supply-chain-security">The Reality of Supply Chain Security</h1> <p>RubyGems.org is smaller than ecosystems like <a href="https://github.com/npm">npm</a>, but malicious activity is still a serious threat. 
On average, we remove about one malicious or spam package per week, though that number can spike higher.</p> <p>This work is resource-intensive. Most of our efforts are currently supported by sponsors, including <a href="http://mend.io">Mend.io</a> and <a href="https://alpha-omega.dev/">Alpha-Omega</a>, but a significant portion of time comes from contributions by volunteer maintainers. Many of these maintainers have personally dedicated over a decade to this critical work, driven by their passion and commitment to keeping the Ruby ecosystem secure.</p> <p><strong>If your company depends on RubyGems.org, consider supporting its maintenance and security directly through our <a href="https://rubycentral.org/news/rubygems-org-funding-model-a-new-path-for-community-led-growth/">RubyGems Supporter Program</a>.</strong> Community funding enables us to continue to invest in the people, infrastructure, and security work that keep RubyGems safe and keep RubyGems.org a community-led service.</p> <h1 id="in-closing">In Closing</h1> <p><strong>This recent incident shows our security systems working as intended:</strong> threats were detected, removed, and contained before they could cause widespread harm.</p> <p>Security in open source will always be a shared effort. We want to thank Socket.dev for their research, as well as the broader community for continuing to report issues.</p> <p>You are welcome to reach out to us through the above channels if you have any additional questions.</p> <p><em>RubyGems Security Team</em></p> July 2025 RubyGems Updates 2025-08-21T00:00:00+00:00 http://blog.rubygems.org/2025/08/21/july-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in July.</p> <h1 id="rubygems-news">RubyGems News</h1> <p>In July, we shipped <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#270-2025-07-16"><strong>Bundler 2.7.0</strong></a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#370--2025-07-16"><strong>RubyGems 3.7.0</strong></a>, marking a major milestone in our roadmap toward Bundler 4. These releases introduce the new <code class="language-plaintext highlighter-rouge">simulate_version</code> setting, making it easier for developers to test breaking changes early and share feedback. We also continued work on long-requested improvements across RubyGems and Bundler, including experimental support for prebuilt binaries.</p> <p><strong>Bundler 2.7.0 and RubyGems 3.7.0 are out!</strong></p> <ul> <li>This release marks a major milestone in the roadmap toward Bundler 4. With <code class="language-plaintext highlighter-rouge">bundle config simulate_version 4</code>, users can now try out upcoming breaking changes in Bundler 4 ahead of time, helping gather feedback and ease the eventual transition.</li> <li>Although the releases were mostly complete last month, we took additional time to carefully review and tag unreleased changes so our tooling could generate a clean and informative changelog. 
We also <a href="https://www.notion.so/December-2024-Newsletter-150d7bddd38780988929f2d399093288?pvs=21">published a blog post</a> summarizing the highlights of the release, and the release was mentioned in <a href="https://rubyweekly.com/issues/759">Ruby Weekly</a> and <a href="https://www.reddit.com/r/ruby/comments/1m22l57/bundler_bundler_v27_last_release_before_bundler_4/">Reddit</a>.</li> <li>As part of the post-release cycle, we addressed some reported issues and community feedback: <ul> <li>The planned change to install gems in a <code class="language-plaintext highlighter-rouge">.bundle</code> folder per application (instead of globally) has been <a href="https://github.com/rubygems/rubygems/pull/8867"><strong>delayed</strong></a>, pending resolution of known issues. We still hope to ship this in Bundler 4.</li> <li>The deprecation of <code class="language-plaintext highlighter-rouge">bundle install --force</code> has been <a href="https://github.com/rubygems/rubygems/pull/8843"><strong>reverted</strong></a>, following user feedback.</li> </ul> </li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/8861"><strong>Improvements in Bundler CLI documentation</strong></a></p> <ul> <li>We noticed that some CLI commands and flags were not properly documented, making them harder for users to discover. 
Thanks to a <a href="https://github.com/rubygems/rubygems/pull/8861">contribution</a> by <a href="https://github.com/Edouard-Chin">@Edouard-Chin</a>, we now have a CI check that ensures new commands and flags are reflected in the official documentation.</li> <li>The implementation introspects Thor commands and flags used by Bundler and verifies they are included in the man pages, making the CLI more consistent and discoverable.</li> </ul> <p><strong>Gems with Prebuilt Binaries</strong></p> <ul> <li>After months of groundwork and iteration, experimental support for Python-style “wheels” has landed in RubyGems, thanks to <a href="https://github.com/segiddins">@segiddins</a>.</li> <li>This work introduces a new compatibility model for gems with native extensions, using <code class="language-plaintext highlighter-rouge">tag sets</code> (inspired by Python) to represent which platforms a gem can run on. This solves long-standing limitations in the legacy <code class="language-plaintext highlighter-rouge">Gem::Platform</code> system, which struggled to represent both “what can run” and “what’s running now” in a backward-compatible format.</li> <li>The feature is still under active development and review, and a formal RFC is coming soon. 
Support in Bundler will follow before this ships more broadly.</li> </ul> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, <a href="https://rubygems.org/">RubyGems.org</a> continued to scale and improve its services with the support of our infrastructure donors: <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a>, and <a href="https://www.datadoghq.com/?ref=rubycentral.org">Datadog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><strong>RubyGems.org Organizations launches in private beta</strong></p> <ul> <li><a href="https://guides.rubygems.org/organizations/getting-started/">Organizations</a> is one of the longest-standing feature requests for <a href="https://rubygems.org/">RubyGems.org</a>. It allows teams and companies to better manage ownership and permissions across multiple gems under a shared namespace.</li> <li>We’ve launched the feature in <strong>private beta</strong>, and are currently collecting feedback from early users. We plan to open it up to more teams in the coming weeks. More information will be shared in an upcoming blog post.</li> </ul> <h2 id="thank-you"><strong>Thank you</strong></h2> <p>A huge thank you to all the contributors to RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> this month! 
We deeply appreciate your support and dedication.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/dgonzdev">@dgonzdev</a> Dgonzdev</li> <li><a href="https://github.com/rye-stripe">@rye-stripe</a> Peteris Rudzusiks</li> <li><a href="https://github.com/djbender">@djbender</a> Derek Bender</li> <li><a href="https://github.com/roberthopman">@roberthopman</a> Robert Hopman</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/hlascelles">@hlascelles</a> Harry Lascelles</li> <li><a href="https://github.com/Edouard-chin">@Edouard-chin</a> Edouard Chin</li> <li><a href="https://github.com/rhenium">@rhenium</a> Kazuki Yamaguchi</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/mghaught">@mghaught</a> Marty Haught</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/landongrindheim">@landongrindheim</a> Landon Grindheim</li> <li><a href="https://github.com/A-Mitch">@a-mitch</a> Alex Mitchell</li> <li><a href="https://github.com/qrush">@qrush</a> Nick 
Quaranto</li> <li><a href="https://github.com/spikex">@spikex</a> Spike Ilacqua</li> <li><a href="https://github.com/arunagw">@arunagw</a> Arun Agrawal</li> <li><a href="https://github.com/jeffwidman">@jeffwidman</a> Jeff Widman</li> <li><a href="https://github.com/mullermp">@mullermp</a> Matt Muller</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> Update on Malicious Gems Removal 2025-08-08T00:00:00+00:00 http://blog.rubygems.org/2025/08/08/malicious-gems-removal <p>We are aware of <a href="https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-theft-campaign">a recent report about malicious gems</a> that were targeting social media credentials. <strong>Our team first detected this activity on July 20th and began removing the affected gems immediately through our regular security processes.</strong></p> <p>We want to reassure the Ruby community that this issue has already been taken care of and is no longer an active threat. <strong>It involved a small number of gems from bad actors and does <em>not</em> impact widely used or trusted packages.</strong></p> <p>Security is part of our daily operations. We remove suspicious gems regularly, typically before issues are reported by third parties (our systems detect 70-80% of the gems we ultimately remove). 
While we don’t announce every action we take, our monitoring systems are working as intended, and our security team is always actively working to protect the RubyGems ecosystem.</p> <p>For transparency, we would like to add more context from our team to the existing reporting, and will be publishing a more detailed breakdown of this incident next week, including information on how we typically handle threats like these.</p> <p><strong>In the meantime, we encourage developers to:</strong></p> <ul> <li>Always be cautious when using newly published or low-download gems.</li> <li>Check the gem’s author and repository links.</li> <li>Report anything suspicious to our team by emailing <a href="mailto:security@rubygems.org">security@rubygems.org</a>.</li> </ul> <p>You can also reach out to our team with questions or concerns by joining the <a href="https://slack.bundler.io/">Bundler Slack.</a></p> June 2025 RubyGems Updates 2025-07-23T00:00:00+00:00 http://blog.rubygems.org/2025/07/23/june-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in June.</p> <h1 id="rubygems-news">RubyGems News</h1> <p>In June, we introduced a new <strong>Bundler 4 mode</strong> for early feedback and continued work on the upcoming <strong>Bundler 2.7.0</strong> and <strong>RubyGems 3.7.0</strong> releases. These changes reflect our ongoing focus on flexibility, modernization, and improving developer workflows.</p> <p><a href="https://github.com/rubygems/rubygems/pull/8780"><strong>Bundler 4 mode is now available</strong></a></p> <ul> <li>We’ve launched a user-facing simulation mode that lets you preview Bundler 4 behavior before its final release. This feature allows developers to test upcoming breaking changes, provide feedback, and participate in shaping the final version. 
You can now opt in by configuring:</li> </ul> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bundle config simulate_version 4 </code></pre></div></div> <p><img src="https://res.cloudinary.com/lauragift/image/upload/v1753257129/image4_taci7s.png" alt="bundle simulate_version" /></p> <ul> <li>Initially, we tried overriding the <code class="language-plaintext highlighter-rouge">Bundler::VERSION</code> constant, but this proved unreliable due to side effects like misrepresenting versions in lockfiles. After significant refactoring across specs and core logic, we isolated version-specific behaviors into the <code class="language-plaintext highlighter-rouge">Bundler::FeatureFlag</code> class.</li> <li>The result is a cleaner and more robust approach where Bundler behaves as if it’s version 4, without changing the actual version.</li> <li>Why Bundler 4 and not 3? We’re matching version numbers between Bundler and RubyGems to simplify releases and reduce confusion.</li> </ul> <p><strong>Upcoming Bundler 2.7.0 and RubyGems 3.7.0 releases:</strong></p> <ul> <li>This year we’re committed to releasing major versions of Bundler and RubyGems, and this is special. The last major Bundler release was <code class="language-plaintext highlighter-rouge">2.0.0</code> in 2019, but that version only dropped support for old versions of Ruby and delayed all breaking changes to a future major release. So effectively, the last “real” major Bundler release was <code class="language-plaintext highlighter-rouge">1.0.0</code> back in 2010! 
For RubyGems, the last major release was <code class="language-plaintext highlighter-rouge">3.0.0</code> in 2018.</li> <li>To make transitioning easier and get more community consensus with breaking changes, we will be releasing mid-year minor releases—including an easy way to try future Bundler 4 (see update above).</li> </ul> <p><strong>Gems with prebuilt binaries</strong></p> <ul> <li>We <a href="https://github.com/rubygems/rubygems/pull/8703">finished refactoring</a> <code class="language-plaintext highlighter-rouge">Gem::Platform</code> matching logic from Bundler into RubyGems. This work will enable sharing code for platform matching between Bundler &amp; RubyGems in preparation for wheel support hitting both projects simultaneously.</li> <li>We have already used this refactor to <a href="https://github.com/rubygems/rubygems/pull/8751">improve platform</a> selection in the RubyGems CLI, picking the best platform gem that matches the running platform.</li> <li>Our lead security engineer Samuel Giddins spent the majority of the month prototyping ways to encode the new platform information for wheels into existing platform strings in a backwards compatible way.</li> <li>As a part of this prototyping work, Samuel researched the translation of Python’s platform tags into the Ruby ecosystem. 
He found that RubyGems, unlike <code class="language-plaintext highlighter-rouge">CPython</code>, won’t need a separate ABI tag (the binary level contract between compiled code) from the Ruby tag, since Ruby implementations tend not to have stable ABIs.</li> <li>Expect a PR demonstrating wheels to hit in the coming month.</li> </ul> <h1 id="rubygemsorg-news">RubyGems.org News</h1> <p>This month, <a href="https://rubygems.org/">RubyGems.org</a> continued to scale and improve its services with the support of our infrastructure sponsors: <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a>, and <a href="https://www.datadoghq.com/?ref=rubycentral.org">Datadog</a>.</p> <p>June 2025 was another high-traffic month on RubyGems.org, serving over 4.08 billion gem downloads, a slight increase over May’s 4.06 billion. We served 221 million downloads on our busiest day this month.</p> <p><strong>Ruby usage stats</strong></p> <ul> <li>Ruby 3.4 adoption continues to climb steadily. In June, it accounted for 10.93% of all gem downloads — up from 9.3% in May — showing strong momentum just six months after release.</li> <li>Ruby 3.2 still leads with 33.84%, meanwhile, Ruby 3.1, which reached EOL in March, dropped further to 10.15%.</li> <li>Would you like to get more insight into <a href="http://rubygems.org/">RubyGems.org</a> stats? Feel free to explore <a href="https://clickhouse.com/blog/announcing-ruby-gem-analytics-powered-by-clickhouse">RubyGems.org ClickHouse public dataset</a>.</li> </ul> <p>The following are highlights of what the team worked on this month:</p> <p><strong><em>PostgreSQL 14 upgrade</em></strong></p> <ul> <li>We have started updating <a href="http://rubygems.org/">RubyGems.org</a> PostgreSQL, and are currently testing it in a staging environment. 
PostgreSQL is the main source of truth for <a href="http://rubygems.org/">RubyGems.org</a> and the currently in use PostgreSQL 13 is slowly reaching EOL. We aim to upgrade to PostgreSQL 17 by the end of the summer.</li> <li>We will be using the approach explained in <a href="https://github.com/rubygems/pg-major-update/">pg major update</a>, which has been successfully used in previous upgrades, to achieve zero-downtime. A separate blog post with more details on the process is forthcoming.</li> </ul> <h2 id="interesting-ruby-news"><strong>Interesting Ruby News</strong></h2> <p>This is where we highlight exciting updates made to Ruby project.</p> <p><strong>Experimental namespacing progress:</strong></p> <ul> <li><a href="https://bugs.ruby-lang.org/projects/ruby-master/issues?fields%5B%5D=issue_tags&amp;fields%5B%5D=status_id&amp;operators%5Bissue_tags%5D=%3D&amp;operators%5Bstatus_id%5D=o&amp;set_filter=1&amp;values%5Bissue_tags%5D%5B%5D=namespace&amp;values%5Bstatus_id%5D%5B%5D=">A lot of activity</a> continues around the experimental Namespace feature (<a href="https://blog.rubygems.org/2025/06/16/may-rubygems-updates.html#interesting-ruby-news">see May 2025 newsletter</a>) as numerous bugs and refinements are being addressed. Quality-of-life improvements are also starting to land, like <a href="https://bugs.ruby-lang.org/issues/21365"><code class="language-plaintext highlighter-rouge">Namespace#eval</code></a>, which simplifies testing and experimentation inside a given namespace.</li> </ul> <p><strong><code class="language-plaintext highlighter-rouge">Array#join (Enumerable#join_map)</code>proposal:</strong></p> <ul> <li>There’s growing momentum behind making joining transformed collections, a common Ruby pattern, more ergonomic. 
A <a href="https://bugs.ruby-lang.org/issues/21455">new proposal for Array#join with a block</a> and the related <a href="https://bugs.ruby-lang.org/issues/21386">Enumerable#join_map</a> aim to let an expression like <code class="language-plaintext highlighter-rouge">users.map(&amp;:name).join(", ")</code> be written more expressively as <code class="language-plaintext highlighter-rouge">users.join_map(", ", &amp;:name)</code>.</li> <li>If accepted, this could be a small but meaningful step toward making Ruby simpler and more readable. If this improvement matters to you, consider sharing your thoughts on the <a href="https://bugs.ruby-lang.org/issues/21455">Ruby bug tracker for Array#join</a> or <a href="https://bugs.ruby-lang.org/issues/21386">Enumerable#join_map</a>. Community feedback often helps shape which proposals move forward.</li> </ul> <p><strong>New gems spotlight</strong></p> <ul> <li>June brought a few interesting new gems into the ecosystem. AWS released a fresh batch of SDK components like <code class="language-plaintext highlighter-rouge">aws-sdk-evs</code>, <code class="language-plaintext highlighter-rouge">aws-sdk-mpa</code>, and <code class="language-plaintext highlighter-rouge">aws-sdk-aiops</code>, which topped the download charts for new gems.</li> <li>Alongside those, two standout gems deserve a mention: <ul> <li><a href="https://github.com/hackico-ai/ruby-hati-command"><code class="language-plaintext highlighter-rouge">hati-command</code></a> (<a href="https://www.linkedin.com/posts/mariya-giy_the-hati-command-gem-ive-been-working-on-activity-7343420184830820353-P59V">release announcement</a>) – a small gem to help structure service objects around a clear success/failure contract, encouraging clean, expressive business logic.</li> <li><a href="https://github.com/bit4bit/llmed"><code class="language-plaintext highlighter-rouge">llmed</code></a> (by <a href="https://github.com/bit4bit">Jovany Leandro G.C</a>) – a no-code-friendly gem that
lets you build LLM-powered applications with just Markdown blocks. AI tooling is gaining traction in the Ruby world, and <code class="language-plaintext highlighter-rouge">llmed</code> is an exciting example of what’s possible.</li> </ul> </li> <li>We encourage you to check them out and maybe even build something fun and share it with the community.</li> </ul> <h2 id="thank-you">Thank you</h2> <p>A huge thank you to all the contributors to RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> this month! We deeply appreciate your support and dedication.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/larouxn">@larouxn</a> Nicholas La Roux</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/rwstauner">@rwstauner</a> Randy Stauner</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/tangrufus">@tangrufus</a> Tang Rufus</li> <li><a href="https://github.com/antoinem">@antoinem</a> Antoine Marguerie</li> <li><a href="https://github.com/joshuay03">@joshuay03</a> Joshua Young</li> <li><a href="https://github.com/thomasmarshall">@thomasmarshall</a> Thomas Marshall</li> <li><a href="https://github.com/ccutrer">@ccutrer</a> Cody Cutrer</li> <li><a href="https://github.com/landongrindheim">@landongrindheim</a> Landon Grindheim</li> <li><a href="https://github.com/MSP-Greg">@MSP-Greg</a> MSP-Greg</li> <li><a href="https://github.com/Earlopain">@Earlopain</a> Earlopain</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a 
href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/mghaught">@mghaught</a> Marty Haught</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/landongrindheim">@landongrindheim</a> Landon Grindheim</li> <li><a href="https://github.com/iox">@iox</a> Ignacio Huerta</li> <li><a href="https://github.com/yykamei">@yykamei</a> Yutaka Kamei</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> <h1>3.7.1 Released</h1> <p><em>2025-07-21T00:00:00+00:00</em> <a href="http://blog.rubygems.org/2025/07/21/3.7.1-released">http://blog.rubygems.org/2025/07/21/3.7.1-released</a></p> <p>RubyGems 3.7.1 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements:</h3> <ul> <li>Fix regression in presence of RVM gems. Pull request <a href="https://github.com/rubygems/rubygems/pull/8854">#8854</a> by deivid-rodriguez</li> <li>Restore parsing “–” as an unknown platform rather than crashing. Pull request <a href="https://github.com/rubygems/rubygems/pull/8846">#8846</a> by deivid-rodriguez</li> <li>Installs bundler 2.7.1 as a default gem.</li> </ul> <h3>Documentation:</h3> <ul> <li>Use mailto link in Code of Conduct.
Pull request <a href="https://github.com/rubygems/rubygems/pull/8849">#8849</a> by deivid-rodriguez</li> <li>Update Code of Conduct email to conduct@rubygems.org. Pull request <a href="https://github.com/rubygems/rubygems/pull/8848">#8848</a> by indirect</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.7.1.tgz<br /> 750c8c771180d41ed2358344e5461edee83158c0a81b779969a1339961bc1163</li> <li>rubygems-3.7.1.zip<br /> cafa2e6f9737786b856360a24cf972cc7da4b612c71d3f36e5888cc65d03b977</li> <li>rubygems-update-3.7.1.gem<br /> 4e4931ff55006d1bc1bdffe1df005c23d614bfa6844abd91cde2b935ef8fa088</li> </ul> <h1>3.7.0 Released</h1> <p><em>2025-07-16T00:00:00+00:00</em> <a href="http://blog.rubygems.org/2025/07/16/3.7.0-released">http://blog.rubygems.org/2025/07/16/3.7.0-released</a></p> <p>RubyGems 3.7.0 includes security, breaking changes, enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Security:</h3> <ul> <li>Update vendored resolv to 0.6.2. Pull request <a href="https://github.com/rubygems/rubygems/pull/8831">#8831</a> by hsbt</li> </ul> <h3>Breaking changes:</h3> <ul> <li>Stop generating binstubs with support for RubyGems before 2.6.2. Pull request <a href="https://github.com/rubygems/rubygems/pull/8833">#8833</a> by deivid-rodriguez</li> <li>Drop support for Ruby 3.1. Pull request <a href="https://github.com/rubygems/rubygems/pull/8634">#8634</a> by segiddins</li> </ul> <h3>Enhancements:</h3> <ul> <li>Update SPDX license list as of 2025-07-01.
Pull request <a href="https://github.com/rubygems/rubygems/pull/8829">#8829</a> by github-actions[bot]</li> <li>Add <code class="language-plaintext highlighter-rouge">push_rubygem</code> as a default scope for <code class="language-plaintext highlighter-rouge">gem signin</code> command. Pull request <a href="https://github.com/rubygems/rubygems/pull/8672">#8672</a> by hsbt</li> <li>Update bundled TLS certs. Pull request <a href="https://github.com/rubygems/rubygems/pull/8731">#8731</a> by segiddins</li> <li>Install the best matching gem for the current platform in <code class="language-plaintext highlighter-rouge">gem install</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/8751">#8751</a> by segiddins</li> <li>Move most of <code class="language-plaintext highlighter-rouge">Bundler::GemHelpers</code> to <code class="language-plaintext highlighter-rouge">Gem::Platform</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/8703">#8703</a> by segiddins</li> <li>Ensure that <code class="language-plaintext highlighter-rouge">Gem::Platform</code> parses strings to a fixed point. Pull request <a href="https://github.com/rubygems/rubygems/pull/8584">#8584</a> by segiddins</li> <li>Installs bundler 2.7.0 as a default gem.</li> </ul> <h3>Bug fixes:</h3> <ul> <li>Fix signing HEAD and date formatting in S3 signer. Pull request <a href="https://github.com/rubygems/rubygems/pull/8763">#8763</a> by rye-stripe</li> <li>Fix <code class="language-plaintext highlighter-rouge">--bindir &lt;foo&gt;</code> flag to gem install failing when <code class="language-plaintext highlighter-rouge">&lt;foo&gt;</code> is not in the default GEM_HOME and its parent directory does not exist yet. Pull request <a href="https://github.com/rubygems/rubygems/pull/8783">#8783</a> by larouxn</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem install</code> sometimes compiling the wrong source files.
Pull request <a href="https://github.com/rubygems/rubygems/pull/8764">#8764</a> by deivid-rodriguez</li> <li>Work around Rust extension compilation failures when <code class="language-plaintext highlighter-rouge">ccache</code> or <code class="language-plaintext highlighter-rouge">sccache</code> are used. Pull request <a href="https://github.com/rubygems/rubygems/pull/8521">#8521</a> by hsbt</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem pristine</code> sometimes not recompiling extensions. Pull request <a href="https://github.com/rubygems/rubygems/pull/8757">#8757</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--prerelease</code> flag to <code class="language-plaintext highlighter-rouge">gem install</code> sometimes not being respected. Pull request <a href="https://github.com/rubygems/rubygems/pull/8648">#8648</a> by ntl</li> </ul> <h3>Documentation:</h3> <ul> <li>Fix incorrect UPGRADING link in README.md. Pull request <a href="https://github.com/rubygems/rubygems/pull/8838">#8838</a> by djbender</li> <li>Add a root CONTRIBUTING.md file. Pull request <a href="https://github.com/rubygems/rubygems/pull/8822">#8822</a> by deivid-rodriguez</li> <li>Add a SECURITY.md file. Pull request <a href="https://github.com/rubygems/rubygems/pull/8812">#8812</a> by deivid-rodriguez</li> <li>Fix heading ranks in documentation.
Pull request <a href="https://github.com/rubygems/rubygems/pull/8711">#8711</a> by antoinem</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.7.0.tgz<br /> 531e98e9db8c93e1686a5986edecde309f72e30a93511e3a642b56e5fd351fc2</li> <li>rubygems-3.7.0.zip<br /> 238d9de755af6bd102a70f67cbd453eea6e948a228489606b55b50d574919dbb</li> <li>rubygems-update-3.7.0.gem<br /> 34d86edd3fc0f921ad46c1d0eeec49e591ae903290ce1a59db17f9343da9ba22</li> </ul> <h1>RubyGems.org Policies Now Live</h1> <p><em>2025-07-08T00:00:00+00:00</em> <a href="http://blog.rubygems.org/2025/07/08/policies-live">http://blog.rubygems.org/2025/07/08/policies-live</a></p> <p>We’re excited to announce that the new policies for <a href="https://rubygems.org/">RubyGems.org</a> are now live! These policies—<a href="https://rubygems.org/policies/terms-of-service">Terms of Service</a>, <a href="https://rubygems.org/policies/privacy">Privacy Notice</a>, <a href="https://rubygems.org/policies/acceptable-use">Acceptable Use Policy</a>, and <a href="https://rubygems.org/policies/copyright">Copyright Policy</a>—help bring clarity and transparency to how RubyGems.org operates and how we protect the platform and its users.</p> <p>Originally introduced for community review in March, these policies officially took effect on <strong>June 30, 2025</strong>. We appreciate the thoughtful feedback submitted during the preview period via email and Slack—your input helped refine these documents to better serve the needs of the Ruby community.</p> <p>To ensure all users are informed and aligned with these updates, <strong>returning users will now see a banner prompting them to review and accept the new policies</strong> upon logging in.</p> <p>We invite everyone to <a href="https://rubygems.org/policies">read the finalized policies</a> and continue to share feedback.
Thank you for being a part of this effort to keep the Ruby ecosystem safe, respectful, and open to all.</p> <h1>May 2025 RubyGems Updates</h1> <p><em>2025-06-16T00:00:00+00:00</em> <a href="http://blog.rubygems.org/2025/06/16/may-rubygems-updates">http://blog.rubygems.org/2025/06/16/may-rubygems-updates</a></p> <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in May.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In May, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#369--2025-05-13">3.6.9</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#269-may-13-2025">2.6.9</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems.</p> <p>Notable improvements include <a href="https://github.com/rubygems/rubygems/pull/8665">fixing the <code class="language-plaintext highlighter-rouge">doctor</code> command’s parsing of <code class="language-plaintext highlighter-rouge">otool</code> output</a>, <a href="https://github.com/rubygems/rubygems/pull/8624">adding SSL troubleshooting to <code class="language-plaintext highlighter-rouge">bundle doctor</code></a>, <a href="https://github.com/rubygems/rubygems/pull/8663">printing WebAuthn authentication links on a separate line for easier access</a>, <a href="https://github.com/rubygems/rubygems/pull/8673">adding an <code class="language-plaintext highlighter-rouge">mtime</code> argument to <code class="language-plaintext highlighter-rouge">Gem::Package::TarWriter#add_file</code></a>, and <a href="https://github.com/rubygems/rubygems/pull/8644">removing the unnecessary <code class="language-plaintext highlighter-rouge">shellwords</code> autoload</a>.</p> <p>We also made substantial progress on the upcoming Bundler 4 release.
We’re planning to introduce an environment variable or CLI flag that lets users opt in to upcoming functionality and share feedback ahead of the final release.</p> <p>Another important accomplishment from the team this month:</p> <p><strong>Improved support for precompiled binaries</strong></p> <ul> <li>This month, we laid foundational work toward bringing Python-style wheels to RubyGems, with the goal of enhancing the experience of both using and producing gems with native extensions.</li> <li>Following several rounds of community feedback, the focus has shifted toward a broader vision: combining compatibility tags, sigstore attestations, and common platform build workflows (with SLSA, trusted publishing, etc.) to streamline how precompiled gems are distributed and consumed.</li> <li>We’re actively incorporating the feedback we’ve received and will be sharing updated, concrete proposals for these improvements soon.</li> </ul> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in May was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a> and <a href="https://www.datadoghq.com/?ref=rubycentral.org">Datadog</a>.</p> <p><a href="http://rubygems.org/">RubyGems.org</a> served 4.06 billion gems in May 2025 — up from 2.87 billion in May 2024. The busiest day was Wednesday, May 14th, with a record-breaking 193 million downloads, while the quietest was Saturday, May 31st, with 36 million.
Star of the Month goes to <a href="https://rubygems.org/gems/gitlab-crystalball/">gitlab-crystalball</a> (a gem inspired by the <a href="https://tenderlovemaking.com/2015/02/13/predicting-test-failues.html">Predicting Test Failures</a> post by top Ruby and Rails contributor <a href="https://rubygems.org/profiles/tenderlove">tenderlove</a>, revived by <a href="https://gitlab.com/">GitLab</a>), a new gem published on May 8th, which already reached 785,000 downloads in its debut month!</p> <p><strong>Ruby Usage Stats 2024-2025</strong></p> <table> <thead> <tr> <th>Ruby Version</th> <th>May 2025</th> <th>April 2025</th> <th>May 2024</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><strong>3.4</strong></td> <td>9.30%</td> <td>8.12%</td> <td>0.00%</td> <td>New release (Dec 2024)</td> </tr> <tr> <td><strong>3.3</strong></td> <td>24.25%</td> <td>23.46%</td> <td>11.47%</td> <td>Trending</td> </tr> <tr> <td><strong>3.2</strong></td> <td>33.10%</td> <td>33.11%</td> <td>24.14%</td> <td>Peak usage</td> </tr> <tr> <td><strong>3.1</strong></td> <td>14.52%</td> <td>15.76%</td> <td>25.30%</td> <td>EOL: Mar 31, 2025</td> </tr> <tr> <td><strong>3.0</strong></td> <td>3.48%</td> <td>4.00%</td> <td>9.92%</td> <td>EOL: Apr 23, 2024</td> </tr> <tr> <td><strong>2.7</strong></td> <td>8.25%</td> <td>8.66%</td> <td>15.78%</td> <td>EOL: Mar 2023</td> </tr> <tr> <td><strong>2.6</strong></td> <td>2.91%</td> <td>2.84%</td> <td>6.23%</td> <td>EOL</td> </tr> <tr> <td><strong>2.5</strong></td> <td>1.74%</td> <td>1.70%</td> <td>2.56%</td> <td>EOL</td> </tr> <tr> <td><strong>2.4</strong></td> <td>0.43%</td> <td>0.40%</td> <td>0.98%</td> <td>EOL</td> </tr> <tr> <td><strong>2.3</strong></td> <td>0.41%</td> <td>0.43%</td> <td>0.72%</td> <td>EOL</td> </tr> <tr> <td><strong>2.2</strong></td> <td>0.04%</td> <td>0.04%</td> <td>0.07%</td> <td>EOL</td> </tr> <tr> <td><strong>2.1</strong></td> <td>0.12%</td> <td>0.11%</td> <td>0.09%</td> <td>EOL</td> </tr> <tr> <td><strong>2.0</strong></td> <td>0.07%</td>
<td>0.07%</td> <td>0.16%</td> <td>EOL</td> </tr> <tr> <td><strong>1.9</strong></td> <td>0.02%</td> <td>0.02%</td> <td>0.03%</td> <td>EOL</td> </tr> <tr> <td><strong>1.8</strong></td> <td>0.002%</td> <td>0.002%</td> <td>0.004%</td> <td>EOL</td> </tr> <tr> <td><em>(unknown)</em></td> <td>1.21%</td> <td>1.10%</td> <td>2.42%</td> <td>Missing user agent info</td> </tr> </tbody> </table> <p>Ruby version usage continues to trend steadily toward modern releases. In May 2025, Ruby 3.3 kept trending upward, growing to 24.25%, while Ruby 3.4, released in December 2024, jumped to 9.3% adoption in just five months. Ruby 3.2 held stable at 33%, but its share may begin declining soon as newer versions take over. Meanwhile, Ruby 3.1, which reached end-of-life on March 31, 2025, dropped from 25.3% a year ago to 14.5%. Ruby 3.0, already EOL since April 2024, continues to decline (now 3.5%), and older Ruby 2.x versions are steadily fading as the ecosystem moves forward.</p> <p><em>Note: These numbers represent all downloads in the given month, not only downloads of the Bundler gem as in the previous monthly summary.</em></p> <h2 id="interesting-ruby-news">Interesting Ruby News</h2> <p>This is where we highlight exciting updates made to Ruby infrastructure projects that support our RubyGems work.</p> <p><strong>Experimental namespacing lands in Ruby Master</strong></p> <ul> <li>A new experimental namespacing feature has been introduced in Ruby master, allowing the creation of virtual top-level namespaces.</li> <li>This enables applications to <code class="language-plaintext highlighter-rouge">require</code> or <code class="language-plaintext highlighter-rouge">load</code> libraries in isolation from the global namespace—including <code class="language-plaintext highlighter-rouge">.rb</code> files and native extensions. Dependencies loaded within a namespace remain confined to it.</li> <li>Currently Ruby has only one global shared namespace.
The proposed namespacing feature will help avoid name conflicts between libraries that define the same modules or classes, and prevent unintended sharing of global objects.</li> <li>The feature is fully compatible with libraries that use relative name resolution and opens the door for safer, more modular Ruby applications.</li> </ul> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># app1.rb</span>
<span class="no">PORT</span> <span class="o">=</span> <span class="mi">2048</span>
<span class="k">class</span> <span class="nc">App</span>
  <span class="k">def</span> <span class="nc">self</span><span class="o">.</span><span class="nf">port</span> <span class="o">=</span> <span class="o">::</span><span class="no">PORT</span>
<span class="k">end</span>
</code></pre></div></div> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># app2.rb</span>
<span class="no">PORT</span> <span class="o">=</span> <span class="mi">4096</span>
<span class="k">class</span> <span class="nc">App</span>
  <span class="k">def</span> <span class="nc">self</span><span class="o">.</span><span class="nf">port</span> <span class="o">=</span> <span class="o">::</span><span class="no">PORT</span>
<span class="k">end</span>
</code></pre></div></div> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># main.rb</span>
<span class="n">app1</span> <span class="o">=</span> <span class="no">Namespace</span><span class="p">.</span><span class="nf">new</span>
<span class="n">app1</span><span class="p">.</span><span class="nf">require</span><span class="p">(</span><span class="s1">'/app1.rb'</span><span class="p">)</span>
<span class="n">app2</span> <span class="o">=</span> <span class="no">Namespace</span><span class="p">.</span><span class="nf">new</span>
<span class="n">app2</span><span class="p">.</span><span class="nf">require</span><span class="p">(</span><span class="s1">'/app2.rb'</span><span class="p">)</span>
<span class="nb">puts</span> <span class="n">app1</span><span class="o">::</span><span class="no">App</span><span class="p">.</span><span class="nf">port</span> <span class="c1"># =&gt; 2048</span>
<span class="nb">puts</span> <span class="n">app2</span><span class="o">::</span><span class="no">App</span><span class="p">.</span><span class="nf">port</span> <span class="c1"># =&gt; 4096</span>
<span class="nb">puts</span> <span class="k">defined?</span><span class="p">(</span><span class="no">PORT</span><span class="p">)</span> <span class="c1"># =&gt; nil (PORT is not defined in the global namespace)</span>
</code></pre></div></div> <h2 id="thank-you">Thank you</h2> <p>A huge thank you to all the contributors to RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> this month! We deeply appreciate your support and dedication.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/jbampton">@jbampton</a> John Bampton</li> <li><a href="https://github.com/larouxn">@larouxn</a> Nicholas La Roux</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/matthewhively">@matthewhively</a> Matthew Hively</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/ntkme">@ntkme</a> なつき</li> <li><a href="https://github.com/ntl">@ntl</a> Nathan Ladd</li> <li><a href="https://github.com/rwstauner">@rwstauner</a> Randy Stauner</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a 
href="https://github.com/tangrufus">@tangrufus</a> Tang Rufus</li> <li><a href="https://github.com/thatrobotdev">@thatrobotdev</a> James Kerrane</li> <li><a href="https://github.com/unasuke">@unasuke</a> Yusuke Nakamura</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> <li><a href="https://github.com/antoinem">@antoinem</a> Antoine Marguerie</li> <li><a href="https://github.com/woodruffw">@woodruffw</a> William Woodruff</li> <li><a href="https://github.com/mperham">@mperham</a> Mike Perham</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/mghaught">@mghaught</a> Marty Haught</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> <h1>April 2025 RubyGems Updates</h1> <p><em>2025-05-20T00:00:00+00:00</em> <a href="http://blog.rubygems.org/2025/05/20/april-rubygems-updates">http://blog.rubygems.org/2025/05/20/april-rubygems-updates</a></p> <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month.
Read on to find out what updates were made to RubyGems and RubyGems.org in April.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In April, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#367--2025-04-03"><strong>3.6.7</strong></a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#368--2025-04-13"><strong>3.6.8</strong></a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#267-april-3-2025"><strong>2.6.7</strong></a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#268-april-13-2025"><strong>2.6.8</strong></a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems.</p> <p>Notable improvements include <a href="https://github.com/rubygems/rubygems/pull/8568">defaulting to a <code class="language-plaintext highlighter-rouge">SOURCE_DATE_EPOCH</code> of <code class="language-plaintext highlighter-rouge">315619200</code></a> to simplify reproducible builds, <a href="https://github.com/rubygems/rubygems/pull/8569">sorting gemspec metadata fields</a> to support consistent build outputs, <a href="https://github.com/rubygems/rubygems/pull/8594">fixing a crash when the compact index API only listed versions</a>, and <a href="https://github.com/rubygems/rubygems/pull/8565">speeding up <code class="language-plaintext highlighter-rouge">Gem::Version#&lt;=&gt;</code> comparisons by 20–50%</a> when version lengths differ.</p> <p>Some other important accomplishments from the team this month include:</p> <p><strong>Progress on gems with precompiled binaries</strong></p> <ul> <li>Following community interest and questions about the initial <strong>“wheels” proposal</strong>, we opened a <a href="https://github.com/rubygems/rubygems/discussions/8645">GitHub discussion</a> to gather feedback and facilitate conversation.
We also invited input from members of the <strong>OpenSSF Securing Software Repositories Working Group</strong> to help align Ruby’s approach with best practices from other language ecosystems.</li> <li>We are now focused on collecting this <strong>feedback into a concrete list of features</strong> that will make it easier to use and develop gems with precompiled binaries, guiding the future of RubyGems in this space.</li> </ul> <p><strong>Development of a Bundler 4 roadmap</strong></p> <ul> <li><a href="https://github.com/rubygems/rubygems/issues/8650">The Bundler 4 roadmap has been drafted</a>, aiming to consolidate over a decade of unreleased improvements and breaking changes into a major release.</li> <li>The plan is to review and discuss all pending changes, allow users to opt in and provide feedback, and prepare for a big release in December. This marks an important step toward modernizing Bundler while giving the community a clear path forward.</li> </ul> <p><strong><code class="language-plaintext highlighter-rouge">bundle doctor</code> now troubleshoots SSL issues</strong></p> <ul> <li>The <code class="language-plaintext highlighter-rouge">bundle doctor</code> command <a href="https://github.com/rubygems/rubygems/pull/8624">now includes a new <code class="language-plaintext highlighter-rouge">--ssl</code> flag</a> to help users diagnose SSL-related issues.
This improvement brings the functionality of the previously separate <a href="https://github.com/rubygems/ruby-ssl-check">ruby-ssl-check script</a> directly into Bundler, making it easier to maintain and more accessible to users.</li> <li>Thanks to <a href="https://github.com/Edouard-chin">@Edouard-chin</a> for contributing this enhancement by porting the script and integrating it into <code class="language-plaintext highlighter-rouge">bundle doctor</code>.</li> </ul> <p><img src="https://res.cloudinary.com/lauragift/image/upload/v1747763260/unnamed_kp477m.png" alt="bundle doctor SSL diagnosis output (successful!)" /></p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in April was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a> and <a href="https://www.datadoghq.com/?ref=rubycentral.org">Datadog</a>.</p> <p><strong>April 2025 RubyGems stats</strong></p> <p>In April 2025, RubyGems.org recorded over <strong>4.15 billion total gem downloads</strong>, a <strong>51% increase</strong> from 2.74 billion in April 2024. This marks the first time in history that monthly gem downloads surpassed the <strong>4 billion mark</strong>, highlighting the continued momentum and growing impact of the Ruby ecosystem. 
Thanks to all of our partners and sponsors helping this to happen!</p> <p>Looking at Bundler gem download trends, usage data shows a clear shift toward modern Ruby versions:</p> <ul> <li><strong>Ruby 3.4</strong>, released in December 2024, already accounts for <strong>13.1%</strong> of Bundler downloads.</li> <li><strong>Ruby 3.3</strong> rose from <strong>10.4% to 27.9%</strong>, making it the most widely used version.</li> <li><strong>Ruby 3.2</strong> declined from <strong>28.1% to 21.8%</strong>, while <strong>Ruby 3.1,</strong> which reached EOL in March 2025, fell from <strong>24.8% to 14.1%</strong>.</li> <li><strong>Ruby 2.7</strong>, EOL since March 2023, dropped from <strong>20.4% to 16.1%</strong>.</li> <li>Older versions (2.6 and below) continued their gradual decline.</li> </ul> <p>These trends reflect a strong migration toward actively maintained, supported Ruby versions. Analytics were powered by <strong><a href="https://clickhouse.com/">ClickHouse</a></strong>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><strong>Progress update on organizations</strong></p> <ul> <li>Work has resumed on the long-anticipated <strong>Organizations feature</strong> in RubyGems.org, led by <a href="https://github.com/colby-swandale">Colby Swandale</a>. After identifying the remaining functionality a few months ago, we’ve now secured budget to complete the work.</li> <li>The feature is currently being demoed to a small group of beta testers, with plans to open it to the broader community in the future. We’re looking forward to gathering feedback once Organizations becomes publicly available.</li> </ul> <h2 id="thank-you">Thank you</h2> <p>A huge thank you to all the contributors to RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> this month!
We deeply appreciate your support and dedication.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/Edouard-chin">@Edouard-chin</a> Edouard Chin</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/jeremyevans">@jeremyevans</a> Jeremy Evans</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/mperham">@mperham</a> Mike Perham</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/thatrobotdev">@thatrobotdev</a> James Kerrane</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/skipkayhil">@skipkayhil</a> Hartley McGuire</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/gingerwizard">@gingerwizard</a> Dale McDiarmid</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/marcoroth">@marcoroth</a> Marco Roth</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.6.9 Released 2025-05-13T00:00:00+00:00 http://blog.rubygems.org/2025/05/13/3.6.9-released <p>RubyGems 3.6.9 includes enhancements, performance and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Add mtime to Gem::Package::TarWriter#add_file argument. Pull request <a href="https://github.com/rubygems/rubygems/pull/8673">#8673</a> by unasuke</li> <li>Print webauthn authentication link as a separate line to make it easier to visit. Pull request <a href="https://github.com/rubygems/rubygems/pull/8663">#8663</a> by mperham</li> <li>Remove shellwords autoload. Pull request <a href="https://github.com/rubygems/rubygems/pull/8644">#8644</a> by deivid-rodriguez</li> <li>Installs bundler 2.6.9 as a default gem.</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Avoid unnecessary splat allocation. Pull request <a href="https://github.com/rubygems/rubygems/pull/8640">#8640</a> by jeremyevans</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix typo in Changelog for 3.6.0 / 2024-12-16. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8638">#8638</a> by thatrobotdev</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.9.tgz<br /> ffdd46c6adbecb9dac561cc003666406efd2ed93ca21b5fcc47062025007209d</li> <li>rubygems-3.6.9.zip<br /> e0eb0fac9daa831f779d17b066d84d4484a85f54b5ae55fbf43694057dc7da2f</li> <li>rubygems-update-3.6.9.gem<br /> 42af98d115989aaf3e30d35f615f24da68a7902f9e642dad969981f446c90873</li> </ul> March 2025 RubyGems Updates 2025-04-25T00:00:00+00:00 http://blog.rubygems.org/2025/04/25/march-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in March.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In March, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#366--2025-03-13"><strong>3.6.6</strong></a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#266-march-13-2025"><strong>2.6.6</strong></a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. 
Notable improvements include fixing an <a href="https://github.com/rubygems/rubygems/pull/5578"><code class="language-plaintext highlighter-rouge">ENAMETOOLONG</code> error when creating the compact index cache</a>, showing clearer errors when writing a <a href="https://github.com/rubygems/rubygems/pull/5920">lockfile on a read-only filesystem</a>, and updating <a href="https://github.com/rubygems/rubygems/pull/8520"><code class="language-plaintext highlighter-rouge">bundle doctor</code> to not report issues about unwritable files</a>.</p> <p>Some other important accomplishments from the team this month include:</p> <p><strong>Improving reproducible gem builds</strong></p> <ul> <li>The RubyGems team implemented changes to make gem builds more reproducible based on recommendations from <a href="https://github.com/giacomobenedetti">Giacomo Benedetti</a> and <a href="https://github.com/enck">William Enck</a>.</li> <li>Their suggestions included <a href="https://github.com/rubygems/rubygems/pull/8568">setting a default <code class="language-plaintext highlighter-rouge">SOURCE_DATE_EPOCH</code> value of <code class="language-plaintext highlighter-rouge">315619200</code></a> and <a href="https://github.com/rubygems/rubygems/pull/8569">sorting metadata values in gemspecs</a>. 
These updates improve compatibility with tools like Debian’s <em>reprotest</em>, making it easier to verify that gem builds are consistent across environments.</li> <li>This work was inspired by the paper <a href="https://www.cs.cmu.edu/~ckaestne/pdf/icse25_rb.pdf?utm_source=chatgpt.com"><em>An Empirical Study on Reproducible Packaging in Open-Source Ecosystems</em></a>, which will be presented at the <a href="https://conf.researchr.org/home/icse-2025">2025 International Conference on Software Engineering</a>.</li> </ul> <p><img src="https://res.cloudinary.com/lauragift/image/upload/w_600,h_300/v1745614708/image_fwcmz0.png" alt="Building RubyGems itself is trivially reproducible now without needing to specify SOURCE_DATE_EPOCH" /></p> <p><em>Building RubyGems itself is trivially reproducible now without needing to specify SOURCE_DATE_EPOCH</em></p> <p><strong>Resolver performance improvements</strong></p> <ul> <li>We’ve made significant performance improvements to Bundler’s dependency resolution, thanks to recent contributions from <a href="https://github.com/skipkayhil">Hartley McGuire</a>.</li> <li>Initial changes focused on <a href="https://github.com/rubygems/rubygems/pull/8559">reducing object allocations in methods like <code class="language-plaintext highlighter-rouge">Gem::Version#&lt;=&gt;</code> and <code class="language-plaintext highlighter-rouge">Bundler::Candidate#&lt;=&gt;</code></a>. Further optimizations targeted the resolution algorithm itself, including improvements to the <a href="https://github.com/jhawthorn/pub_grub/pull/37"><strong><code class="language-plaintext highlighter-rouge">pub_grub</code></strong> resolver</a>.</li> <li>As a result, Hartley reported a 60% speedup in <code class="language-plaintext highlighter-rouge">bundle update</code> time in his app after applying all patches. 
Huge thanks to Hartley for his contributions, and to <a href="https://github.com/jhawthorn">John Hawthorn</a> for maintaining <code class="language-plaintext highlighter-rouge">pub_grub</code> and helping refine its API to support these enhancements.</li> </ul> <p><strong>Wheels for RubyGems</strong></p> <ul> <li>Progress continues on bringing a prototype for precompiled binary packages, or “wheels”, to RubyGems. <a href="https://github.com/segiddins">Samuel Giddins</a> has defined a naming scheme for package files and finalized the set of identifying tags needed to support this across the Ruby ecosystem.</li> <li>Next steps include advocating within the Ruby community to help shift perceptions around precompiled binaries, and helping Rubyists understand that precompiled packages are actually <strong>more secure</strong> (no code execution at install time) and <strong>more ergonomic</strong> for users (no build tools or compilation delays). An RFC is also forthcoming.</li> </ul> <p><strong>Compact index cache now handles long path names</strong></p> <ul> <li>Bundler now better handles long path names in the compact index cache, addressing an issue that could raise <a href="https://github.com/rubygems/rubygems/pull/5578"><strong>“Filename too long”</strong> errors</a>—especially when using private servers like <em>JFrog Artifactory</em>.</li> <li>The fix was long delayed due to persistent CI failures, which were eventually traced to a <a href="https://bugs.ruby-lang.org/issues/21177"><strong>Ruby on Windows bug</strong></a> that has since been resolved.</li> <li>As part of the debugging process, we also improved our test reliability by removing the use of <code class="language-plaintext highlighter-rouge">FileUtils.rm_rf</code> in Bundler specs, as it silently fails on cleanup errors and made diagnosing the issue harder. 
This change will help prevent similar issues in the future.</li> </ul> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in March was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a> and <a href="https://www.datadoghq.com/?ref=rubycentral.org">Datadog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><strong>Ecosystem data for Clickgems</strong></p> <ul> <li><a href="https://github.com/mghaught">Marty</a> collaborated with the <a href="https://clickhouse.com/"><strong>ClickHouse</strong></a> team to finalize details for our partnership on <em>Clickgems</em>, the Ruby equivalent of the popular <a href="https://clickpy.clickhouse.com/">ClickPy</a> site, <a href="https://clickhouse.com/blog/announcing-ruby-gem-analytics-powered-by-clickhouse">which officially launched last week!</a></li> <li><a href="https://github.com/segiddins">Samuel Giddins</a> led the effort to push RubyGems ecosystem data into ClickHouse, which now includes daily download totals and the latest public database dumps from RubyGems.org. 
Work is underway to roll out granular download data, made possible by retooling the <a href="https://github.com/rubytogether/kirby">Kirby</a> log parser to stream data directly from the RubyGems.org CDN.</li> <li>This new level of insight will help the Ruby community better understand package usage trends and support maintainers in making more informed decisions, especially around platform support.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5595"><strong>Database performance investigation after brief DoS</strong></a></p> <ul> <li>A brief Denial of Service (DoS) incident targeting RubyGems.org prompted an investigation into web pages with heavy database queries.</li> <li>While no specific culprit was found, the incident served as a reminder of the need for strong visibility into database performance when operating a web system at scale.</li> </ul> <h2 id="thank-you">Thank you</h2> <p>A huge thank you to all the contributors to RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> this month! 
We deeply appreciate your support and dedication.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/devsheva">@devsheva</a> Mateo Sheshi</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/saraid">@saraid</a> Michael Chui</li> <li><a href="https://github.com/cllns">@cllns</a> Sean Collins</li> <li><a href="https://github.com/taralbass">@taralbass</a> Tara Bass</li> <li><a href="https://github.com/mbclu">@mbclu</a> Mitch Clutter</li> <li><a href="https://github.com/jacobat">@jacobat</a> Jacob Atzen</li> <li><a href="https://github.com/skipkayhil">@skipkayhil</a> Hartley McGuire</li> <li><a href="https://github.com/rwstauner">@rwstauner</a> Randy Stauner</li> <li><a href="https://github.com/ioquatix">@ioquatix</a> Samuel Williams</li> <li><a href="https://github.com/giacomobenedetti">@giacomobenedetti</a> Giacomo Benedetti</li> <li><a href="https://github.com/olleolleolle">@olleolleolle</a> Olle Jonsson</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/wooly">@wooly</a> Steve Bell</li> <li><a href="https://github.com/mghaught">@mghaught</a> Marty Haught</li> <li><a 
href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.6.8 Released 2025-04-13T00:00:00+00:00 http://blog.rubygems.org/2025/04/13/3.6.8-released <p>RubyGems 3.6.8 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.6.8 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.8.tgz<br /> da5340b42ba3ddc5ede4a6b948ffa5b409d48cb119e2937e27e4c0b13bf9c390</li> <li>rubygems-3.6.8.zip<br /> 4de1a7664390de3d4b35e3180671d664081b2534467c128ac169ef1437be61c4</li> <li>rubygems-update-3.6.8.gem<br /> 9fce1aa05ac09f5945cf1bfb00b6f6c5a468b5296226151e639f6e22f1efef50</li> </ul> 3.6.7 Released 2025-04-03T00:00:00+00:00 http://blog.rubygems.org/2025/04/03/3.6.7-released <p>RubyGems 3.6.7 includes enhancements and performance.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Sorting files in metadata for build reproducibility. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8569">#8569</a> by giacomobenedetti</li> <li>Default to a SOURCE_DATE_EPOCH of 315619200, to simplify reproducible builds. Pull request <a href="https://github.com/rubygems/rubygems/pull/8568">#8568</a> by duckinator</li> <li>Let <code class="language-plaintext highlighter-rouge">gem exec</code> raise an error in ambiguous cases. Pull request <a href="https://github.com/rubygems/rubygems/pull/8573">#8573</a> by deivid-rodriguez</li> <li>Installs bundler 2.6.7 as a default gem.</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Speed up Version#&lt;=&gt; ~20-50% when lengths differ. Pull request <a href="https://github.com/rubygems/rubygems/pull/8565">#8565</a> by skipkayhil</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.7.tgz<br /> d23cfe2724cf84120d3a5059c7c0eed3a062f8b6e581f9b7bf01a3c447fa2f37</li> <li>rubygems-3.6.7.zip<br /> 766da4a3eb4950a4acb72b3db064feb3be7d34f3093a67747cf8e9f1efcd9dab</li> <li>rubygems-update-3.6.7.gem<br /> 8da96fd169fd6e45ac4e2784554a70ae3fda092fa6ccb0518f5fc875ccb9e53c</li> </ul> Introducing New Policies for RubyGems.org 2025-03-20T00:00:00+00:00 http://blog.rubygems.org/2025/03/20/introducing-new-policies <p>We’re pleased to introduce several key policies for RubyGems.org for community review. These include a <a href="https://rubygems.org/policies/terms-of-service">Terms of Service</a>, <a href="https://rubygems.org/policies/privacy">Privacy Notice</a>, <a href="https://rubygems.org/policies/acceptable-use">Acceptable Use Policy</a>, and <a href="https://rubygems.org/policies/copyright">Copyright Policy</a>. While these policies align with how RubyGems has always operated, the absence of formal documentation created ambiguity around acceptable use. 
These new policies provide clarity and transparency regarding our operations, how we protect user data, and our commitment to maintaining a safe and respectful environment for all RubyGems users.</p> <h3 id="terms-of-service"><a href="https://rubygems.org/policies/terms-of-service">Terms of Service</a></h3> <p>The Terms of Service define the rules and guidelines for using RubyGems.org. They cover everything from account responsibilities to intellectual property rights, ensuring a fair and consistent experience for all users.</p> <h3 id="privacy-notice"><a href="https://rubygems.org/policies/privacy">Privacy Notice</a></h3> <p>Our Privacy Notice outlines how we collect, use, and safeguard your personal information. We’re committed to protecting your data and ensuring compliance with applicable privacy laws.</p> <h3 id="acceptable-use-policy"><a href="https://rubygems.org/policies/acceptable-use">Acceptable Use Policy</a></h3> <p>The Acceptable Use Policy sets clear expectations for behavior on our platform. It prohibits activities that could harm the service or other users, such as abuse, spam, or malicious actions.</p> <h3 id="copyright-policy"><a href="https://rubygems.org/policies/copyright">Copyright Policy</a></h3> <p>Our Copyright Policy outlines the rules and procedures for handling copyright-related issues so that we ensure intellectual property rights are respected.</p> <p>These policies aim to improve transparency around our handling of user data and to guide how we will respond to situations where we may be required to take action to ensure a secure and trustworthy ecosystem for everyone.</p> <p>We encourage all users to review these policies. We are seeking feedback on these policies for the next 30 days. 
You can provide feedback by email to <a href="mailto:legal@rubycentral.org">legal@rubycentral.org</a> or in the <a href="https://rubycentralcommunity.slack.com/archives/C08J92C73N1">#oss-program-ruby-central</a> channel in the Ruby Central Community Slack. After the 30-day comment period, we’ll review feedback and finalize the policies with a target effective date of May 20th, 2025. Together, we can continue to build and contribute to a vibrant, safe, and secure Ruby community.</p> <p>Thank you for being a part of our journey!</p> February 2025 RubyGems Updates 2025-03-19T00:00:00+00:00 http://blog.rubygems.org/2025/03/19/february-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in February.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In February, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#364--2025-02-17">3.6.4</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#365--2025-02-20">3.6.5</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#264-february-17-2025">2.6.4</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#265-february-20-2025">2.6.5</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. 
Notable improvements include removing <a href="https://github.com/rubygems/rubygems/pull/8507"><code class="language-plaintext highlighter-rouge">gem server</code> from <code class="language-plaintext highlighter-rouge">gem help</code> to streamline command output</a>, raising a <a href="https://github.com/rubygems/rubygems/pull/8449">clearer error message when RubyGems fails to activate a dependency</a>, ensuring Bundler correctly <a href="https://github.com/rubygems/rubygems/pull/8428">considers gems under <code class="language-plaintext highlighter-rouge">platform: :windows</code></a> in the Gemfile when running on Windows with ARM architecture, and fixing a resolver issue caused by <a href="https://github.com/rubygems/rubygems/pull/8503">incorrectly defined version ranges</a>.</p> <p>Some other important accomplishments from the team this month include:</p> <p><strong>Upgrading Kubernetes cluster to v1.32 and our OpenSearch cluster to v2.17</strong></p> <ul> <li>We regularly update our infrastructure systems to ensure we’re taking advantage of the latest software features and security patches. This upgrade was scheduled and performed seamlessly without impacting users.</li> </ul> <p><strong>Developing wheels for RubyGems</strong></p> <ul> <li>A proposal is in progress to introduce <strong>“wheels” for RubyGems</strong>, improving the gem build process until every gem ships precompiled binaries.</li> <li>This is better for security as it eliminates the need to execute code during installation. It’s also a huge improvement for the gem install experience thanks to removing the need for build tools, avoiding compilation errors, and reducing installation time. 
An outline of the project goals has been published at <a href="https://traveling.engineer/posts/goals-for-binary-gems/">traveling.engineer</a>, and implementation sketches are in the works.</li> </ul> <p><strong>Resolution improvements in Bundler</strong></p> <ul> <li>A release of Ruby 3.4.2 introduced incorrect gemspec dependencies for <code class="language-plaintext highlighter-rouge">net-smtp</code>, leading to multiple bug reports. To prevent similar issues in the future, Bundler now attempts to automatically <a href="https://github.com/rubygems/rubygems/pull/8483">fix incorrect dependencies in the lockfile</a> whenever possible. When auto-fixing is not possible (e.g., in frozen mode), Bundler now provides clearer error messages to help users resolve the issue.</li> <li>Depfu reported cases where Bundler 2.6 was unexpectedly downgrading dependencies. This was fixed by ensuring <a href="https://github.com/rubygems/rubygems/pull/8491">Bundler properly respects locked versions</a> and re-adds necessary lower bound requirements.</li> <li>Investigating these issues also led to fixing the <a href="https://github.com/rubygems/rubygems/pull/8503">only known issue in our resolver engine (pub_grub)</a>, improving Bundler’s dependency resolution logic.</li> </ul> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. 
Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in February was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a> and <a href="https://www.datadoghq.com/?ref=rubycentral.org">Datadog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><strong>Fixed API key role creation for Buildkite</strong></p> <ul> <li>A fix, covered by a new system test, was added for an issue where creating an <a href="https://github.com/rubygems/rubygems.org/pull/5434">API Key Role for Buildkite incorrectly assigned a GitHub Actions principal</a> instead of the correct Buildkite principal. This happened because the form defaulted to GitHub OIDC settings, hiding the principal input and preventing users from changing it.</li> <li>The fix removes the unnecessary principal assignment, allowing the correct value to be set automatically for GitHub Actions and Buildkite, ensuring smoother API Key Role creation.</li> </ul> <h2 id="rubygems-ecosystem-news"><strong>RubyGems Ecosystem News</strong></h2> <p>This is where we highlight exciting updates made to Ruby infrastructure projects that support our RubyGems work.</p> <h3 id="sigstore">Sigstore</h3> <p><strong>sigstore-ruby</strong></p> <ul> <li>The <strong>sigstore-ruby</strong> client is nearly ready for its <strong>0.3.0 release</strong>, bringing <strong>improved spec compliance</strong> and <strong>JRuby support</strong>.</li> <li>Adding JRuby support was particularly challenging, as it required the reimplementation of certain cryptographic operations using Java security APIs instead of relying on the <code class="language-plaintext highlighter-rouge">jruby-openssl</code> gem.</li> <li>You can read more about the development of sigstore-ruby in <a href="https://traveling.engineer/posts/2024-in-review/?ref=rubycentral.org#sigstore-ruby">Sam’s 2024 year in review</a>.</li> </ul> <p><strong>Ecosystem adoption</strong></p> 
<ul> <li>A tracker has been launched to monitor sigstore adoption among the most popular gems: <a href="https://segiddins.github.io/are-we-attested-yet/">Are We Attested Yet?</a></li> <li>Currently, 20 of the top gems are shipping attestations, and efforts are ongoing to help more maintainers integrate sigstore signing into their release workflows.</li> </ul> <h2 id="thank-you">Thank you</h2> <p>A huge thank you to all the contributors to RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> this month! We deeply appreciate your support and dedication.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/johnnyshields">@johnnyshields</a> Johnny Shields</li> <li><a href="https://github.com/Edouard-chin">@edouard-chin</a> Edouard Chin</li> <li><a href="https://github.com/y-yagi">@y-yagi</a> Y Yagi</li> <li><a href="https://github.com/saraid">@saraid</a> Michael Chui</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/yob">@yob</a> James Healy</li> <li><a href="https://github.com/kachick">@kachick</a> Kenichi Kamiya</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about 
contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.6.6 Released 2025-03-13T00:00:00+00:00 http://blog.rubygems.org/2025/03/13/3.6.6-released <p>RubyGems 3.6.6 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Update vendored uri to 1.0.3. Pull request <a href="https://github.com/rubygems/rubygems/pull/8534">#8534</a> by hsbt</li> <li>Installs bundler 2.6.6 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem rdoc</code> not working with newer versions of rdoc when not installed as default gems. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8549">#8549</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.6.tgz<br /> b4642fe16598fb93d40d6bcde9f69250debc0f13238cad410a7505c0cf740dad</li> <li>rubygems-3.6.6.zip<br /> d84d4146cb98a4b51b5401bd940192e8bd7804419726d736bc624ce20d83553f</li> <li>rubygems-update-3.6.6.gem<br /> e3004ad1ebcd52481ed5f67029c5b859b5e24a21deb7465b45969c2fc789eeb7</li> </ul> Dealing with (Hypothetical) Sham Packages 2025-02-20T00:00:00+00:00 http://blog.rubygems.org/2025/02/20/dealing-with-sham-packages <p>Please pardon a blog post that is a bit different from the standard RubyGems release announcement.</p> <p>Today, I’m going to spin you a tale about the impact malicious software packages have on application developers.</p> <hr /> <p>I want you to close your eyes, take a deep breath, and imagine the following (completely hypothetical, with <em>absolutely</em> no resemblance to real life) scenario.</p> <p>Your company ships a web application written in your favorite language, Sham. Doing your best to stay productive and avoid re-implementing wheels of various shapes and sizes, you use packages for Sham, which, of course, are called Swindles. Your company is responsible, and uses all the fancy tooling to manage your Swindles, including a dependency manager that outputs lockfiles, Dependabot to automate version upgrades, and a code review process before anything makes its way into trunk.</p> <p>If that describes you, congratulations—your application is already in the top 10% in terms of security preparedness. And now you think you’re ready to handle any sort of supply chain attack the world might send your way because you’re following the technical best practices that the Sham ecosystem has been bugging you to adopt for the past decade.</p> <p>Now, unbeknownst to you, a Swindle that you, and probably hundreds of thousands of other Sham shops, depend upon has published a new release. 
And, of course, since this is a blog about software security, that release is <em>malicious</em>.</p> <p>This is where a lot of fancy security advice blog posts stop. So often, we focus only on <em>preventing</em> this situation from occurring in the first place. But the reality is that bad actors are <em>always</em> going to be able to slip a bad package into the “software supply chain” (aka GitHub &amp; package repositories), and it’s important to account for that inevitability.</p> <p>So, we have a bad package that has made its way into the main Swindle repository—but what happens next? Forget about how <strong>I</strong> might respond as the Swindle ecosystem security lead. Maybe I’m on vacation (that sure sounds nice). How do <strong>you</strong>, an engineer shipping an important Sham app to production, respond? How do you even know that you <em>need</em> to respond?</p> <p>But one last diversion before we tackle those big questions, just to raise the stakes and make you go “oh no” a little bit more—as I mentioned, you’ve already done a great job adopting best practices for your app. You automated dependency updates. Can you see where this is going? An innocuous-looking Dependabot PR comes in, the linked release notes say a minor bug is fixed, and you hit merge after all your tests pass.</p> <p><em>Take a minute to let that nightmare sink in.</em> We can skip over all the different types of bad you just inflicted on your development and production environments—secret exfiltration, data breach, remote code execution, persistent backdoors, bitcoin miners… the list is practically endless.</p> <p>But life goes on, even after committing a vulnerability to your repository. Heck, at this point, you still don’t even know something bad happened! How are you even going to find out about it? If you’re lucky, someone else will figure out that the package is malicious. Maybe it slowed down an overly ambitious engineer’s laptop, so they dug into the updated code. 
Maybe it tripped some alarms in an automated code scanner that evaluates every new Swindle pushed to the registry. If so, hopefully that good Samaritan sounded the alarm in the <em>correct</em> way (responsible disclosure is a topic for a separate blog post).</p> <p>If your company is important enough, you probably got a heads-up directly from the source—either the person who found the vulnerability or a legitimate maintainer of the compromised Swindle. For everyone else, you have to hope that a <a href="https://www.cve.org">CVE</a> is filed, accurately summarizing the vulnerability and affected package versions. Once a CVE is assigned, you might get a deluge of automated alerts—GitHub saying you depend upon a vulnerable Swindle version, an endpoint detection system saying a vulnerable version was found running in production, or an alert when installing from your <code class="language-plaintext highlighter-rouge">Swindlefile</code>. If that chain of notifications doesn’t happen, your best hope is that between the Sham language subreddit, security mailing list, and all the celebrity Shammers you follow on social, you hear about the big news <em>somehow</em>.</p> <p>Once notified, you’ll determine if and how the vulnerability affects your application. If it targets a system that you simply don’t use, you got off easy. If not, you’ll grab a colleague and split up the two important parts of incident response: figuring out how the bad Swindle affects you and getting the vulnerable package off your premises. Time to <a href="https://outage.party/">revert and</a> roll back the dependency upgrade and continue monitoring systems to see just how severe this malicious Swindle really was.</p> <p>Now that you’ve resolved the incident, closed the VULN ticket, and gotten a good night’s rest, it’s time to clean up the mess that Swindle made. 
If you’re adventurous and happy to go down a good rabbit hole (like yours truly), you’ll probably analyze the malicious Swindle to understand what made it malicious. You know, the fun part of security work. Depending on the sort of vulnerability that was introduced, you might let users know their data was maybe, potentially (lawyers can’t say whether it was or wasn’t) at risk. Finally, you’ll review logs to ensure nothing untoward actually happened, and 99.9% of the time, after rotating secrets and ticking all the boxes, you’ll get to move on, get back to building your great Sham application and forget about the Swindle that cost you your Saturday.</p> <hr /> <p>Thank you for playing along with our hypothetical ecosystem of Sham and Swindles. While this scenario was entirely fictional, it is based upon countless incidents I’ve observed over the past few years. If you’d like to read a less fictional account of an ecosystem responding to a compromised package (from the package repository perspective), I can recommend my friends over at PyPI’s write-ups of the <a href="https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/">ultralytics attack</a> and <a href="https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection">how it could’ve been prevented</a>.</p> 3.6.5 Released 2025-02-20T00:00:00+00:00 http://blog.rubygems.org/2025/02/20/3.6.5-released <p>RubyGems 3.6.5 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.6.5 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Removed <code class="language-plaintext highlighter-rouge">gem server</code> from <code 
class="language-plaintext highlighter-rouge">gem help</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/8507">#8507</a> by hsbt</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.5.tgz<br /> c20034de6a49479337edb6c543b0c7390544f6287d15b25750efa910ac2bf7c8</li> <li>rubygems-3.6.5.zip<br /> 6f055dccfd810316139bf8a83c5738d75965f083e17c740fa231f2a2669048c9</li> <li>rubygems-update-3.6.5.gem<br /> 1d6764fee1618a71a89932621ace8132e0cbb1374c1dd02337d15407108a9af4</li> </ul> 3.6.4 Released 2025-02-17T00:00:00+00:00 http://blog.rubygems.org/2025/02/17/3.6.4-released <p>RubyGems 3.6.4 includes enhancements and performance.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Raise a simpler error when RubyGems fails to activate a dependency. Pull request <a href="https://github.com/rubygems/rubygems/pull/8449">#8449</a> by deivid-rodriguez</li> <li>Installs bundler 2.6.4 as a default gem.</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Allocate strings from Requirement match only once. Pull request <a href="https://github.com/rubygems/rubygems/pull/8245">#8245</a> by segiddins</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.4.tgz<br /> 41b68f4e886e320f94d9d250717355cdb557e6e1aac3110116bdb93d0f21e6b9</li> <li>rubygems-3.6.4.zip<br /> 82a2b40513b140d0bd499cf3737e54c13e3a08033288ee18bf05551ba725cd2b</li> <li>rubygems-update-3.6.4.gem<br /> fb7b2c951705784e553a8fb215b42c60716514ed511ead74331174b3aea09f86</li> </ul> January 2025 RubyGems Updates 2025-02-16T00:00:00+00:00 http://blog.rubygems.org/2025/02/16/january-rubygems-updates <p>Welcome to the RubyGems monthly update! 
As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in January.</p> <h1 id="open-source-program-announcements">Open Source Program Announcements</h1> <h3 id="our-security-engineer-in-residences-year-in-review">Our Security Engineer in Residence’s year in review</h3> <p><a href="https://github.com/segiddins">Samuel Giddins</a> published a <a href="https://traveling.engineer/posts/2024-in-review/">review of his 2024 work</a> as Security Engineer in Residence at <a href="https://rubycentral.org/">Ruby Central</a>.  It was a busy year with the <a href="https://www.sigstore.dev/">sigstore</a> work as the centerpiece.  He finishes with an overview of what he’ll focus on in 2025.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In January, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#363--2025-01-16">3.6.3</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#263-january-16-2025">2.6.3.</a> These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. 
Notable improvements include adding the <a href="https://github.com/rubygems/rubygems/pull/8375">credentials file path to <code class="language-plaintext highlighter-rouge">gem env</code></a>, preventing <a href="https://github.com/rubygems/rubygems/pull/8404">fallback to evaluating YAML <code class="language-plaintext highlighter-rouge">gemspecs</code> as Ruby code</a>, adding <a href="https://github.com/rubygems/rubygems/pull/8356">support for the Mise version manager file</a>, and including <a href="https://github.com/rubygems/rubygems/pull/8365">Ruby 3.5 in Gemfile DSL platform values</a> for better compatibility.</p> <p>Some other important accomplishments from the team this month include:</p> <p><a href="https://bundler.io/docs.html"><strong>Improvements to the Bundler documentation site</strong></a></p> <ul> <li>The end-of-year Bundler release required documentation updates, but the process was challenging due to warnings, outdated dependencies, and minor issues. Additionally, longstanding problems (such as poor SEO and broken links caused by recent structural changes in the <a href="https://github.com/rubygems/rubygems">rubygems/rubygems</a> repository) needed attention.</li> <li>To improve the site, we addressed build warnings, upgraded all dependencies, fixed broken links, and enhanced SEO to make the Bundler documentation easier to find and navigate.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/8401"><strong>Improved “multi-Ruby” lockfile support</strong></a></p> <ul> <li>In Bundler 2.6 we implemented several changes to allow the same lockfile to be used across different Ruby versions, however, a minor issue was reported related to this functionality.</li> <li>To address this, we introduced an additional update to minimize lockfile changes when switching between Ruby versions, reducing unnecessary modifications and improving stability.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/8428"><strong>Bundler support for 
ARM architecture on Windows</strong></a></p> <ul> <li>Windows RubyInstaller2 added support for running Ruby on ARM architecture and we received a community contribution to enable Bundler compatibility. However, the existing Windows support code was somewhat cumbersome, making it difficult for the contributor to complete the implementation.</li> <li>To resolve this, we reworked how <code class="language-plaintext highlighter-rouge">platform: :windows</code> is handled in the Gemfile, which was the primary blocker. We also refactored the logic to ensure that the <code class="language-plaintext highlighter-rouge">:windows</code> value can accommodate similar scenarios in the future.</li> </ul> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in January was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a> and <a href="https://www.datadoghq.com/?ref=rubycentral.org">Datadog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><a href="https://github.com/rubygems/rubygems.org/pull/5392"><strong>Fixed endless 5xx responses leading to pages</strong></a></p> <ul> <li>Rails returned response headers exceeding Nginx’s 4KB limit, triggering an <code class="language-plaintext highlighter-rouge">upstream sent too big header</code> error and causing persistent <strong>502 Bad Gateway</strong> responses. 
The issue stemmed from the <code class="language-plaintext highlighter-rouge">Redirector middleware</code>, which generated <strong>301 redirects</strong> with excessively long <strong>Location headers</strong>, particularly for <code class="language-plaintext highlighter-rouge">api.rubygems.org</code>. Debugging was further complicated by a logging issue that hid these errors.</li> <li>We fixed the logging pipeline to correctly capture errors and updated the middleware to prevent oversized headers. This fix was tested and verified in staging, successfully resolving the 502 errors.</li> </ul> <p><strong>Upgraded to Ruby 3.4.1</strong></p> <ul> <li>We upgraded RubyGems.org to Ruby 3.4.1 to ensure compatibility with the latest Ruby version and take advantage of performance improvements and security updates.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5409"><strong>Removed the</strong> <strong><code class="language-plaintext highlighter-rouge">Forwarded</code> and <code class="language-plaintext highlighter-rouge">X-Forwarded-Host</code> headers</strong></a></p> <ul> <li>We removed the <code class="language-plaintext highlighter-rouge">Forwarded</code> and <code class="language-plaintext highlighter-rouge">X-Forwarded-Host</code> headers to enhance security and mitigate the risk of header spoofing attacks.</li> </ul> <h2 id="thank-you">Thank you</h2> <p>A huge thank you to all the contributors to RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> this month! 
We deeply appreciate your support and dedication.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/soda92">@soda92</a> Maple</li> <li><a href="https://github.com/kyanagi">@kyanagi</a> Kouhei Yanagita</li> <li><a href="https://github.com/Vasfed">@Vasfed</a> Vasily Fedoseyev</li> <li><a href="https://github.com/joshleblanc">@joshleblanc</a> Josh LeBlanc</li> <li><a href="https://github.com/rykov">@rykov</a> Michael Rykov</li> <li><a href="https://github.com/johnnyshields">@johnnyshields</a> Johnny Shields</li> <li><a href="https://github.com/the-spectator">@the-spectator</a> Akshay Birajdar</li> <li><a href="https://github.com/Edouard-chin">@edouard-chin</a> Edouard Chin</li> <li><a href="https://github.com/ntkme">@ntkme</a> なつき</li> <li><a href="https://github.com/larskanis">@larskanis</a> Lars Kanis</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/w-masahiro-ct">@w-masahiro-ct</a> Masahiro</li> <li><a href="https://github.com/huacnlee">@huacnlee</a> Jason Lee</li> <li><a href="https://github.com/gemmaro">@gemmaro</a> Gemmaro</li> <li><a 
href="https://github.com/kairoaraujo">@kairoaraujo</a> Kairo Araujo</li> <li><a href="https://github.com/adrianthedev">@adrianthedev</a> Adrian Marin</li> <li><a href="https://github.com/MilaZhou22">@MilaZhou22</a> MilaZhou22</li> <li><a href="https://github.com/skatkov">@skatkov</a> Stanislav (Stas) Katkov</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> December 2024 RubyGems Updates 2025-01-24T00:00:00+00:00 http://blog.rubygems.org/2025/01/24/december-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in December. December was a slower month as the team enjoyed time off during the holiday season, but we’re happy to share the progress we made nonetheless.</p> <h2 id="monthly-update-changes">Monthly Update changes</h2> <p>We’ll be cutting our reporting on the monthly RubyGems and RubyGems.org GitHub repo summary, in favor of quarterly and annual reports published separately by Ruby Central. 
These reports will allow us to provide a more expansive view into the volume and impact of our security work for the Ruby community.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In December, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#360--2024-12-16">3.6.0</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#361--2024-12-17">3.6.1</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#362--2024-12-23">3.6.2</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#260-december-16-2024">2.6.0</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#261-december-17-2024">2.6.1</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#262-december-23-2024">2.6.2</a> by mid-December, addressing and resolving identified regressions, and coordinating with the Ruby core team to ensure the new versions were integrated with Ruby ahead of its December 25th release. 
Ultimately, we shipped RubyGems 3.6.2 and Bundler 2.6.2 alongside Ruby 3.4, resolving several regressions from the initial releases.</p> <p>The release of <a href="https://bundler.io/blog/2024/12/19/bundler-v2-6.html">Bundler 2.6</a> and <a href="https://blog.rubygems.org/2024/12/16/3.6.0-released.html">RubyGems 3.6</a> is the culmination of the previous year’s work, particularly in regard to the lockfile checksums feature that we decided to delay and not ship with Bundler 2.5.</p> <p>Other notable improvements include fixing an issue where <a href="https://github.com/rubygems/rubygems/pull/8321"><code class="language-plaintext highlighter-rouge">gem info</code> tagged some non-default gems as default</a>, adding <a href="https://github.com/rubygems/rubygems/pull/8239">a <code class="language-plaintext highlighter-rouge">--attestation</code> option to <code class="language-plaintext highlighter-rouge">gem push</code></a> for improved security, <a href="https://bundler.io/blog/2024/12/19/bundler-v2-6.html">introducing <code class="language-plaintext highlighter-rouge">bundle lock --add-checksums</code></a> to add checksums to existing lockfiles and <a href="https://github.com/rubygems/rubygems/pull/8205">fixing JRuby warnings when using <code class="language-plaintext highlighter-rouge">bundler/setup</code> with Ruby’s <code class="language-plaintext highlighter-rouge">-w</code> flag</a>.</p> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. 
Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in December was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a>, and <a href="https://www.datadoghq.com/?ref=rubycentral.org">DataDog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><a href="https://github.com/rubygems/rubygems.org/pull/5349"><strong>An update to RubyGems 3.6 and Bundler 2.6</strong></a></p> <ul> <li>This update includes the release of RubyGems 3.6 and Bundler 2.6, delivering enhancements and fixes to improve the overall developer experience.</li> <li>Key changes address minor regressions and stability improvements introduced in previous versions.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5312"><strong>Expanded availability of the admin user create button</strong></a></p> <ul> <li>The admin user creation button is now displayed either in local environments or when user signups are disabled.</li> <li>This update ensures admins can easily create new users under these specific conditions, improving usability and access control management.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5291"><strong>An update to <code class="language-plaintext highlighter-rouge">PasswordsControllerTest</code></strong> <strong>to use modern Rails IntegrationTest</strong></a></p> <ul> <li>During a review of a potential vulnerability report, which was deemed not an issue, test coverage for the <code class="language-plaintext highlighter-rouge">PasswordsController</code> was increased to ensure robustness.</li> <li>Additionally, the tests were migrated to use the modern Rails <code class="language-plaintext highlighter-rouge">IntegrationTest</code> framework, replacing the older controller tests. 
This update aligns with current Rails recommendations and improves test reliability and maintainability.</li> </ul> <h2 id="rubygems-ecosystem-news"><strong>RubyGems Ecosystem News</strong></h2> <p>This is where we highlight other exciting updates made to Ruby infrastructure projects that support our RubyGems work.</p> <p><strong>Ruby Toolbox</strong></p> <p><a href="https://github.com/rubytoolbox/rubytoolbox/pull/1524"><strong>Keeping the Ruby Toolbox Up to Date and Stable</strong></a>: to ensure Ruby Toolbox remains modern and stable, we’ve upgraded the application to Rails 8 and Ruby 3.4.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/soda92">@soda92</a> Maple</li> <li><a href="https://github.com/st0012">@st0012</a> Stan Lo</li> <li><a href="https://github.com/CamJN">@CamJN</a> Camden Narzt</li> <li><a href="https://github.com/addersuk">@addersuk</a> Adam Leach</li> <li><a href="https://github.com/djoooooe">@djoooooe</a> Josef Haider</li> <li><a href="https://github.com/bquorning">@bquorning</a> Benjamin Quorning</li> <li><a href="https://github.com/luizkowalski">@luizkowalski</a> Luiz Eduardo Kowalski</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/kou">@kou</a> Sutou Kouhei</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors 
to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/Uaitt">@Uaitt</a> Lorenzo Zabot</li> <li><a href="https://github.com/ozovalihasan">@ozovalihasan</a> Hasan Özovalı</li> <li><a href="https://github.com/mehulkar">@mehulkar</a> Mehul Kar</li> <li><a href="https://github.com/Kuanchiliao1">@Kuanchiliao1</a> Tony Liao</li> <li><a href="https://github.com/yob">@yob</a> James Healy</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.6.3 Released 2025-01-16T00:00:00+00:00 http://blog.rubygems.org/2025/01/16/3.6.3-released <p>RubyGems 3.6.3 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Add credentials file path to <code class="language-plaintext highlighter-rouge">gem env</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/8375">#8375</a> by duckinator</li> <li>Update SPDX license list as of 2024-12-30. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8387">#8387</a> by github-actions[bot]</li> <li>Installs bundler 2.6.3 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">@licenses</code> array unmarshalling. Pull request <a href="https://github.com/rubygems/rubygems/pull/8411">#8411</a> by rykov</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.3.tgz<br /> ed284c404da69a5fdb43c9d37b86e56f3c3f43a7bee85ac47cf2fb3a136f00ea</li> <li>rubygems-3.6.3.zip<br /> 703b862f72ec3728ddaa0cf148fb3c066aa67e510e819d00626b6509223e701d</li> <li>rubygems-update-3.6.3.gem<br /> 6a46f9876e0ed8b5d9d1bd789b0c3308490eb5e7d21d0571ab4ef2d64211bb4f</li> </ul> 3.6.2 Released 2024-12-23T00:00:00+00:00 http://blog.rubygems.org/2024/12/23/3.6.2-released <p>RubyGems 3.6.2 includes security, enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Security:</em></p> <ul> <li>Fix Gem::SafeMarshal buffer overrun when given lengths larger than fit into a byte. Pull request <a href="https://github.com/rubygems/rubygems/pull/8305">#8305</a> by segiddins</li> <li>Improve type checking in marshal_load methods. Pull request <a href="https://github.com/rubygems/rubygems/pull/8306">#8306</a> by segiddins</li> </ul> <p><em>## Enhancements:</em></p> <ul> <li>Skip rdoc hooks and their tests on newer rdoc versions. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8340">#8340</a> by deivid-rodriguez</li> <li>Installs bundler 2.6.2 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix serialized metadata including an empty <code class="language-plaintext highlighter-rouge">@original_platform</code> attribute. Pull request <a href="https://github.com/rubygems/rubygems/pull/8355">#8355</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.2.tgz<br /> d2f4e760eef098608692bbd6eff30df2e221b4723549da70dabcba116dc39680</li> <li>rubygems-3.6.2.zip<br /> ad213a8c5275ef61b3107d48f71cc61e93956a27eccbb0aaa631b5f35f08b47a</li> <li>rubygems-update-3.6.2.gem<br /> f6822f349cc394abc86ba5699803d6d4edf99b6c6a022fa48a13aaf4c824347f</li> </ul> November 2024 RubyGems Updates 2024-12-20T00:00:00+00:00 http://blog.rubygems.org/2024/12/20/november-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in November.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In November, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3523--2024-11-05">3.5.23</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2523-november-5-2024">2.5.23</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include <a href="https://github.com/rubygems/rubygems/pull/6471">validating the user input encoding for gem CLI arguments</a> and ensuring the <code class="language-plaintext highlighter-rouge">--enable-load-relative</code> binstubs prolog works correctly <a href="https://github.com/rubygems/rubygems/pull/7872">when Ruby is not installed in the same directory as the binstub</a>. 
Additionally, we <a href="https://github.com/rubygems/rubygems/pull/7610">updated the <code class="language-plaintext highlighter-rouge">--ext=rust</code> option to support compiling native extensions from source</a> and <a href="https://github.com/rubygems/rubygems/pull/8148">resolved an issue where <code class="language-plaintext highlighter-rouge">bundle check</code></a> could sometimes lock gems under the wrong source.</p> <p>Some other important accomplishments from the team this month include:</p> <p><strong>Welcoming First-Time Contributors</strong></p> <p>We’re thrilled to see an influx of new contributors and are focusing on making contributions seamless and enjoyable.</p> <ul> <li><a href="https://github.com/soda92"><strong>@soda92</strong></a>, a new Ruby enthusiast working on Windows, contributed extensively by: <ul> <li>Improving setup documentation for Windows developers.</li> <li>Fixing broken links, unifying documentation, and enhancing the README to better explain what RubyGems is.</li> <li>Adding debugging instructions for Windows, improving RSpec tests, and fixing a <code class="language-plaintext highlighter-rouge">bundle exec</code> issue on Windows.</li> </ul> </li> <li><a href="https://github.com/andrew"><strong>@andrew</strong></a> enhanced <code class="language-plaintext highlighter-rouge">bundle fund</code> by creating its missing man page and extended his work to cover other missing man pages. He also added a spec to ensure all Bundler commands remain fully documented.</li> <li><a href="https://github.com/jeromedalbert"><strong>@jeromedalbert</strong></a> has been a consistent contributor, helping with issue triaging, documentation, and bug fixes. 
Notably, he updated the CONTRIBUTING guide link, fixed issues with <code class="language-plaintext highlighter-rouge">bundle remove</code>, and added the spec for ensuring command documentation.</li> <li><a href="https://github.com/marcoroth"><strong>@marcoroth</strong></a> and <a href="https://github.com/gemmaro"><strong>@gemmaro</strong></a> made their first contributions by improving the default output of <code class="language-plaintext highlighter-rouge">bundle gem</code>.</li> </ul> <p>We deeply appreciate the efforts of all contributors in making RubyGems and Bundler better for everyone! 🎉</p> <p><strong>Auditing and Updating Vendored Dependencies to the Latest Versions</strong></p> <ul> <li>November and December are dedicated to thorough housekeeping to prepare for the final releases of RubyGems and Bundler. This includes updating all development and test dependencies, either via Dependabot PRs or manually, and ensuring compatibility with the latest Ruby patch levels, including Ruby 3.4. Daily CI against <code class="language-plaintext highlighter-rouge">ruby-head</code> has also been verified as green.</li> <li>We also improved license management by fixing the weekly automated PR process for new SPDX licenses and updating the license list with the latest additions. These updates ensure a polished and reliable release for all users.</li> </ul> <p><strong>Bundler 2.6 and RubyGems 3.6 Coming Soon</strong></p> <ul> <li>The upcoming releases of Bundler 2.6 and RubyGems 3.6, set for early December, include significant improvements and new features. The checksums feature is now ready for beta release, with fixes based on early feedback. 
Resolution enhancements bring <a href="https://github.com/rubygems/rubygems/pull/8103">smarter auto-fixing of incorrect lockfiles</a>, <a href="https://github.com/rubygems/rubygems/pull/8269">better handling of git dependencies</a>, and <a href="https://github.com/rubygems/rubygems/pull/8281">improved conservativeness of <code class="language-plaintext highlighter-rouge">bundle install</code></a>. We’ve also <a href="https://github.com/rubygems/rubygems/pull/8296">reverted to the previous git gems cache format</a> to resolve adoption issues while retaining critical fixes.</li> <li>Additional updates include <a href="https://github.com/rubygems/rubygems/pull/8251">improved lockfile support for users switching between stable and development Ruby versions</a>, security enhancements to <a href="https://github.com/rubygems/rubygems/pull/8222">better redact credentials</a> in <a href="https://github.com/rubygems/rubygems/pull/8283">Bundler outputs</a>, and <a href="https://github.com/rubygems/rubygems/pull/8248">performance improvements like parallelized <code class="language-plaintext highlighter-rouge">bundle install --local</code></a> and performance-focused RuboCop checks.</li> </ul> <p>In November, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-11-01%7D...master@%7B2024-11-31%7D">194 new commits</a> contributed by 18 authors. There were 3,441 additions and 1,360 deletions across 248 files.</p> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. 
Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in November was provided by <a href="https://aws.amazon.com/">AWS</a>, <a href="https://www.fastly.com/">Fastly</a>, and <a href="https://www.datadoghq.com/">DataDog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><a href="https://github.com/rubygems/rubygems.org/pull/5201"><strong>Introducing Organizations on RubyGems.org</strong></a></p> <ul> <li>Organizations were added to <a href="http://rubygems.org/">RubyGems.org</a> to help teams and businesses manage gems and users under a single umbrella. The new <strong>Organization Onboarding</strong> feature simplifies migrating gems to an Organization by allowing users to provide organization details, select gems, and assign roles to users.</li> <li>After confirming the details, the onboarding process automatically links gems to the Organization, creates Membership records, establishes the Organization, and removes outdated Ownership records, streamlining team and business gem management.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5250"><strong>Streamlined Profile Update Experience</strong></a></p> <ul> <li>We’ve improved the profile update workflow to prevent unnecessary frustration when a password is missing. 
Previously, if users updated their email but forgot to include their password, the page would reload, display an error, and require the email to be re-entered.</li> <li>Now, when submitting the form without a password, the page will focus on the password field and display a prompt, allowing users to enter their password without losing any previously entered information.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5260"><strong>Improved Control for Yanked Gems</strong></a></p> <ul> <li>We’ve introduced updates to ensure gem owners retain access to critical controls even when all versions of a gem are yanked.</li> <li>Owners can now manage ownerships, trusted publishers, and push new gem versions through a streamlined sidebar view. For non-owners, the adoption option will remain visible if it’s currently active. This enhancement helps maintain seamless management and transparency for gem owners.</li> </ul> <p>In November, <a href="http://rubygems.org/">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-11-01%7D...master@%7B2024-11-31%7D">78 new commits</a> contributed by 9 authors. There were 4,530 additions and 596 deletions across 173 files.</p> <h2 id="rubygems-ecosystem">RubyGems Ecosystem</h2> <p>Here we outline additional exciting updates made to other projects in the RubyGems Ecosystem.</p> <h3 id="ruby-toolbox">Ruby Toolbox</h3> <p><a href="https://github.com/rubytoolbox/rubytoolbox/pull/1461"><strong>Ruby Toolbox Frontend Stack Update</strong></a></p> <ul> <li>The Ruby Toolbox frontend now uses <code class="language-plaintext highlighter-rouge">vite-rails</code> for asset bundling, ensuring compatibility with Rails 8. 
This upgrade replaces the previous <code class="language-plaintext highlighter-rouge">Sprockets/Webpacker</code> setup.</li> <li>During the migration, we resolved legacy JavaScript issues and replaced an outdated autocompleter library, streamlining and modernizing the frontend.</li> </ul> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/jeromedalbert">@jeromedalbert</a> Jerome Dalbert</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/samisalamiws">@samisalamiws</a> Samisalamiws</li> <li><a href="https://github.com/timon">@timon</a> Artem Ignatyev</li> <li><a href="https://github.com/soda92">@soda92</a> Maple</li> <li><a href="https://github.com/andrew">@andrew</a> Andrew Nesbitt</li> <li><a href="https://github.com/larskanis">@larskanis</a> Lars Kanis</li> <li><a href="https://github.com/adam12">@adam12</a> Adam Daniels</li> <li><a href="https://github.com/mame">@mame</a> Yusuke Endoh</li> <li><a href="https://github.com/gemmaro">@gemmaro</a> Gemmaro</li> <li><a href="https://github.com/djberube">@djberube</a> David J Berube</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/corsonknowles">@corsonknowles</a> Dave Corson-Knowles</li> <li><a href="https://github.com/eregon">@eregon</a> Benoit Daloze</li> <li><a 
href="https://github.com/marcoroth">@marcoroth</a> Marco Roth</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/kairoaraujo">@kairoaraujo</a> Kairo Araujo</li> <li><a href="https://github.com/kinsomicrote">@kinsomicrote</a> Kingsley Chijioke</li> <li><a href="https://github.com/jacklynhma">@jacklynhma</a> Jacklyn Ma</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.6.1 Released 2024-12-17T00:00:00+00:00 http://blog.rubygems.org/2024/12/17/3.6.1-released <p>RubyGems 3.6.1 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.6.1 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem info</code> tagging some non default gems as default. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8321">#8321</a> by deivid-rodriguez</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix broken links. Pull request <a href="https://github.com/rubygems/rubygems/pull/8327">#8327</a> by st0012</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.1.tgz<br /> ac455588155a52a6ecd9aeb43f9fc3099c004838172401d4e8388724c52d22ef</li> <li>rubygems-3.6.1.zip<br /> efe8b01f3cbbed533f4e791eda4bbd36e1165c95e478b7ca903ce27b47948760</li> <li>rubygems-update-3.6.1.gem<br /> fae1597ff2d479939a81a4b9d57c39b4797c645917ba5fac79eae8ead188f5eb</li> </ul> 3.6.0 Released 2024-12-16T00:00:00+00:00 http://blog.rubygems.org/2024/12/16/3.6.0-released <p>RubyGems 3.6.0 includes security, breaking changes, features, enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Security:</em></p> <ul> <li>Stop storing executable names in ivars. Pull request <a href="https://github.com/rubygems/rubygems/pull/8307">#8307</a> by segiddins</li> </ul> <p><em>## Breaking changes:</em></p> <ul> <li>Drop ruby 3.0 support. Pull request <a href="https://github.com/rubygems/rubygems/pull/8091">#8091</a> by segiddins</li> </ul> <p><em>## Features:</em></p> <ul> <li>Add –attestation option to gem push. Pull request <a href="https://github.com/rubygems/rubygems/pull/8239">#8239</a> by segiddins</li> </ul> <p><em>## Enhancements:</em></p> <ul> <li>Skip unresolved deps warning on <code class="language-plaintext highlighter-rouge">Gem::Specification.reset</code> on benign cases. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8309">#8309</a> by deivid-rodriguez</li> <li>Let <code class="language-plaintext highlighter-rouge">gem install &lt;name&gt;</code> suggest <code class="language-plaintext highlighter-rouge">&lt;name&gt;-ruby</code> and <code class="language-plaintext highlighter-rouge">ruby-&lt;name&gt;</code> when providing “did you mean” suggestions. Pull request <a href="https://github.com/rubygems/rubygems/pull/8197">#8197</a> by duckinator</li> <li>Update SPDX license list as of 2024-08-19. Pull request <a href="https://github.com/rubygems/rubygems/pull/8233">#8233</a> by github-actions[bot]</li> <li>Add <code class="language-plaintext highlighter-rouge">--target-rbconfig</code> option to <code class="language-plaintext highlighter-rouge">gem install</code> and <code class="language-plaintext highlighter-rouge">gem update</code> commands. Pull request <a href="https://github.com/rubygems/rubygems/pull/7628">#7628</a> by kateinoigakukun</li> <li>Skip nil-value keys to make metadata reproducible. Pull request <a href="https://github.com/rubygems/rubygems/pull/7129">#7129</a> by nobu</li> <li>Allow disabling installation of compiled extensions into lib through <code class="language-plaintext highlighter-rouge">Gem.configuration.install_extension_in_lib</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6463">#6463</a> by hsbt</li> <li>Installs bundler 2.6.0 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Set $0 to exe when running <code class="language-plaintext highlighter-rouge">gem exec</code> to fix name in CLI output. Pull request <a href="https://github.com/rubygems/rubygems/pull/8267">#8267</a> by adam12</li> <li>Fix manifest in gem package using incorrect platform sometimes. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8202">#8202</a> by deivid-rodriguez</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix missing single quote in git source example. Pull request <a href="https://github.com/rubygems/rubygems/pull/8303">#8303</a> by nobu</li> <li>Update the <code class="language-plaintext highlighter-rouge">gem install</code> demo in README to use a gem that just works on Windows. Pull request <a href="https://github.com/rubygems/rubygems/pull/8262">#8262</a> by soda92</li> <li>Unify rubygems and bundler docs directory. Pull request <a href="https://github.com/rubygems/rubygems/pull/8159">#8159</a> by hsbt</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.6.0.tgz<br /> c07644e7ed67582634f2f2fe1b7e5d90f17fcded6e5f0de531fd6a50935f13cf</li> <li>rubygems-3.6.0.zip<br /> 4bfe93521152899cb017a460540588c69c2069855ea48ede2d595dab95f6435a</li> <li>rubygems-update-3.6.0.gem<br /> ddcdb7fad79ff72acc4cbe41960c954505607ed5251afafb79f822a9d5c7c24a</li> </ul> RubyGems.org Completes First Security Audit With Trail of Bits 2024-12-11T00:00:00+00:00 http://blog.rubygems.org/2024/12/11/security-audit <p>At Ruby Central, ensuring the security of RubyGems.org—the central hub for Ruby packages—is one of our top priorities. 
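The release notes on this page (3.6.1, 3.6.0 and, further down, 3.5.23) each publish SHA256 checksums for the downloadable archives. The following is an added example, not RubyGems' own tooling, of checking a hand-downloaded archive against those published values before installing it by hand; the checksum table copies the values from the three release notes, and the file verified in the stand-alone demonstration is a constructed sample, since no download happens here.

```ruby
require "digest"
require "tmpdir"

# Added example, not RubyGems' own tooling: verify a downloaded release archive
# against the SHA256 checksums published in the release notes. The values below
# are copied from the 3.6.1, 3.6.0 and 3.5.23 release notes on this page.
PUBLISHED_CHECKSUMS = {
  "rubygems-3.6.1.tgz"         => "ac455588155a52a6ecd9aeb43f9fc3099c004838172401d4e8388724c52d22ef",
  "rubygems-3.6.1.zip"         => "efe8b01f3cbbed533f4e791eda4bbd36e1165c95e478b7ca903ce27b47948760",
  "rubygems-update-3.6.1.gem"  => "fae1597ff2d479939a81a4b9d57c39b4797c645917ba5fac79eae8ead188f5eb",
  "rubygems-3.6.0.tgz"         => "c07644e7ed67582634f2f2fe1b7e5d90f17fcded6e5f0de531fd6a50935f13cf",
  "rubygems-3.6.0.zip"         => "4bfe93521152899cb017a460540588c69c2069855ea48ede2d595dab95f6435a",
  "rubygems-update-3.6.0.gem"  => "ddcdb7fad79ff72acc4cbe41960c954505607ed5251afafb79f822a9d5c7c24a",
  "rubygems-3.5.23.tgz"        => "3d277bf0b12ff46834d89b283fc451d130dbe6428d00d7ace4664c449c3ef28c",
  "rubygems-3.5.23.zip"        => "00eeb2ca33acf008a58937ca98a88acf5166ab9dc0555a5c25cd08427062a6ec",
  "rubygems-update-3.5.23.gem" => "366b7a71c9196f3b3d09cf4522c9bac26e6d4a3f0fa2a88a18fa1e33c6fd7c0c",
}.freeze

# Streams the file through SHA256 (no need to read a large archive into memory).
def sha256_of_file(path)
  Digest::SHA256.file(path).hexdigest
end

# Looks the file name up in the published table and compares digests.
# Returns [status, actual_digest]; status is :ok, :mismatch, or
# :unknown_artifact for a file the release notes never listed.
def verify_release_archive(path, published = PUBLISHED_CHECKSUMS)
  name = File.basename(path)
  expected = published[name]
  return [:unknown_artifact, nil] if expected.nil?

  actual = sha256_of_file(path)
  [actual == expected.downcase ? :ok : :mismatch, actual]
end

# Stand-alone demonstration on a constructed file, no network involved.
# SHA256("abc") is the well-known ba7816bf...f20015ad, used here as a
# stand-in for a published value; the second write simulates a download
# that was altered in transit and must be rejected.
def demo_verification
  Dir.mktmpdir do |dir|
    path = File.join(dir, "sample-archive.tgz")
    table = { "sample-archive.tgz" =>
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" }
    File.write(path, "abc")
    intact = verify_release_archive(path, table).first
    File.write(path, "abc\n")
    altered = verify_release_archive(path, table).first
    [intact, altered]
  end
end

if $PROGRAM_NAME == __FILE__
  puts demo_verification.inspect
  ARGV.each { |archive| puts "#{archive}: #{verify_release_archive(archive).first}" }
end
```

Run it with the downloaded archive as an argument and install only on `:ok`. A checksum copied from the same site that serves the archive defends against corruption and tampering between the publisher and you; it does not, on its own, tell you anything about the publisher, which is what the lockfile checksums and attestation work described elsewhere on this page are for.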
With over 184 billion downloads, RubyGems.org is crucial to the Ruby ecosystem, supporting developers, businesses, and open source projects worldwide.</p> <p>To strengthen this critical infrastructure, we recently collaborated with <a href="https://www.trailofbits.com/">Trail of Bits</a> on our first security audit of RubyGems.org.</p> <p>Trail of Bits is a leading cybersecurity firm that helps organizations identify vulnerabilities, enhance defenses, and implement security best practices.</p> <p>The audit was funded through a grant from the Alpha-Omega Project, a consortium backed by Microsoft, Google, and Amazon, dedicated to improving the security of open source projects.</p> <h1 id="key-findings-from-trail-of-bits">Key findings from Trail of Bits</h1> <p><strong>Our audit with Trail of Bits focused on:</strong></p> <ol> <li>The RubyGems.org Ruby on Rails application.</li> <li>The infrastructure and configuration hosting the site and gems.</li> </ol> <p>These areas were chosen because they represent the highest potential for security risks.</p> <p>Trail of Bits leveraged advanced tools like Semgrep for static analysis, Burp Suite Professional for dynamic testing, and Ruzzy for fuzzing critical components, ensuring a thorough and multi-layered audit.</p> <p>The audit identified 33 issues, including seven medium-severity items and one high-severity item. <strong>Notably, most of these findings do not constitute actual security breaches. Our team has been addressing each finding and using these insights to bolster RubyGems.org’s security posture.</strong></p> <h2 id="rubygemsorg-rails-app">RubyGems.org Rails app</h2> <p>Trail of Bits reviewed the Rails application code extensively and found that, in general, the site is built securely. 
Many of the issues highlighted were minor adjustments, often related to default Rails configurations that could be made more secure.</p> <p>For example, one notable finding involved a vulnerability in the email system, where fallback to unencrypted transmission could expose sensitive emails. The recommended fix was straightforward—replace <code class="language-plaintext highlighter-rouge">enable_starttls_auto</code> with <code class="language-plaintext highlighter-rouge">enable_starttls</code> to enforce strict TLS encryption.</p> <p><strong>Overall, the audit gave us confidence in the security of the RubyGems.org app, along with actionable recommendations for further strengthening it.</strong></p> <h2 id="rubygemsorg-infrastructure">RubyGems.org infrastructure</h2> <p>On the infrastructure side, the audit revealed areas where RubyGems.org could align more closely with industry best practices, particularly regarding AWS configuration and access control. <strong>While no immediate threats were identified, the findings emphasized the importance of proactive improvements.</strong></p> <p><strong>Findings included:</strong></p> <ul> <li>Overly permissive AWS IAM permissions.</li> <li>Insufficient role separation and domain isolation.</li> <li>A hybrid infrastructure management approach, mixing manual changes with infrastructure-as-code.</li> </ul> <p>These gaps could create vulnerabilities if left unaddressed, but Trail of Bits provided specific recommendations for us to mitigate risks. For example, they highlighted the need for better isolation between AWS accounts and more granular access control policies. These findings have already informed a project proposal we’re developing to modernize our infrastructure and automate resource management through tools like Terraform.</p> <p>One of the most valuable outcomes on the infrastructure side was the clarity it brought in helping us better prioritize our efforts next year. 
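Returning to the STARTTLS finding from the Rails app section: the two ActionMailer SMTP settings it contrasts are shown side by side below, with a small lint that flags the opportunistic form. This is an added example, not RubyGems.org's configuration or the auditor's code; the host and port are constructed placeholders, and the hash keys are ActionMailer's documented `smtp_settings` options.

```ruby
require "openssl"

# Added example, not RubyGems.org's configuration. Host and port are
# constructed placeholders; the keys are ActionMailer smtp_settings options.

# Opportunistic STARTTLS: TLS is negotiated only if the server advertises
# STARTTLS, so a server that does not offer it (or an on-path party that
# strips the capability) causes credentials and message bodies to be sent
# in plaintext. This is the configuration the audit flagged.
OPPORTUNISTIC_SMTP_SETTINGS = {
  address: "smtp.example.test",
  port: 587,
  authentication: :plain,
  enable_starttls_auto: true,
}.freeze

# Strict STARTTLS: delivery fails if TLS cannot be negotiated, which is the
# fix the audit recommended. Certificate verification stays at peer.
STRICT_SMTP_SETTINGS = {
  address: "smtp.example.test",
  port: 587,
  authentication: :plain,
  enable_starttls: true,
  enable_starttls_auto: false,
  openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER,
}.freeze

# True when openssl_verify_mode turns certificate checking off, in any of the
# spellings the mail gem accepts (OpenSSL constant, string or symbol).
def verify_disabled?(mode)
  return false if mode.nil?

  [OpenSSL::SSL::VERIFY_NONE, "none", :none].include?(mode)
end

# Returns a list of findings for an smtp_settings hash. An empty list means
# the transport requires TLS and verifies the server certificate.
def audit_smtp_settings(settings)
  findings = []
  implicit_tls = settings[:ssl] || settings[:tls]        # SMTPS, normally port 465
  strict_starttls = settings[:enable_starttls] == true

  unless implicit_tls || strict_starttls
    findings << "TLS is not required: set enable_starttls: true (or ssl/tls for SMTPS)"
  end
  if settings[:enable_starttls_auto] && !strict_starttls && !implicit_tls
    findings << "enable_starttls_auto permits plaintext fallback when STARTTLS is not offered"
  end
  if verify_disabled?(settings[:openssl_verify_mode])
    findings << "openssl_verify_mode disables certificate verification"
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  { opportunistic: OPPORTUNISTIC_SMTP_SETTINGS, strict: STRICT_SMTP_SETTINGS }.each do |name, cfg|
    puts "#{name}: #{audit_smtp_settings(cfg).inspect}"
  end
end
```

The lint is deliberately conservative: a configuration only passes when either implicit TLS or strict STARTTLS is set, and setting `enable_starttls` alongside a verify mode of `none` is still reported, since an unverified certificate gives encryption without authentication of the relay.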
Our team now has a roadmap for what improvements we need to make, how to implement them, and the expected impact on security.</p> <h1 id="next-steps-for-rubygemsorg-security">Next steps for RubyGems.org security</h1> <p><strong>We are using the audit’s findings to shape the next steps for security updates on RubyGems.org:</strong></p> <ul> <li><strong>Short-term:</strong> We’ve already implemented many small, immediate improvements, such as stricter TLS enforcement and better access controls.</li> <li><strong>Longer-term:</strong> We are working to secure funding to bring in a DevOps expert on a fixed-term contract to help modernize our infrastructure. This specialist will help us strengthen RubyGems.org’s security and establish a better foundation for maintaining and scaling the platform moving forward.</li> <li><strong>Sustainable practices:</strong> With guidance from Trail of Bits, we’re creating systems for continuous improvement, including regular security reviews and automation of critical processes.</li> </ul> <p>The audit reinforced that RubyGems.org is performing well given its age, scale, and relatively limited resources as an open source project. Now, with a clearer understanding of where to focus our efforts, we can work to make it even more secure and reliable for the countless developers and companies that depend on it.</p> <h1 id="acknowledgements">Acknowledgements</h1> <p>We would like to thank the Trail of Bits team for their analysis and recommendations. You can also read a detailed breakdown of the audit on the <a href="https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/">Trail of Bits blog</a>, which shares more information about their process and findings.</p> <p>Additionally, we would like to acknowledge the <a href="https://alpha-omega.dev/">Alpha-Omega Project</a> for their support in funding this audit and other essential Ruby Central initiatives. 
The Alpha-Omega Project’s mission is to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. They aim to build a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly.</p> <p>Together, we’re making RubyGems.org stronger, more secure, and more resilient as Ruby continues to grow into the future.</p> October 2024 RubyGems Updates 2024-11-20T00:00:00+00:00 http://blog.rubygems.org/2024/11/20/october-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in October.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In October, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3521--2024-10-03">3.5.21</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3522--2024-10-16">3.5.22</a> along with Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2521-october-3-2024">2.5.21</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2522-october-16-2024">2.5.22</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. 
Notable improvements include <a href="https://github.com/rubygems/rubygems/pull/8112">updates to the vendored <code class="language-plaintext highlighter-rouge">uri</code> and <code class="language-plaintext highlighter-rouge">net-http</code> libraries</a>, fixes to prevent <code class="language-plaintext highlighter-rouge">gem pristine etc</code> from <a href="https://github.com/rubygems/rubygems/pull/8117">resetting twice</a> and the removal of code that <a href="https://github.com/rubygems/rubygems/pull/8083">degraded the accuracy of <code class="language-plaintext highlighter-rouge">suggest_gems_from_name</code></a>.</p> <p>Some other important accomplishments from the team this month include:</p> <p><a href="https://github.com/rubygems/rubygems/pull/8104"><strong>Improved Support for Shared GEM_HOMEs</strong></a></p> <ul> <li>Sharing <code class="language-plaintext highlighter-rouge">GEM_HOME</code> across environments, though common, often leads to complex errors tied to native library incompatibilities. These issues are challenging to diagnose and frequently reported by users. Our goal with this update was to reduce these reports, enhance user experience, and free maintainers to focus on other priorities.</li> <li>Initially, we aimed to detect and clarify these errors, but their varied nature made precise messaging difficult. Further analysis showed that RubyGems and Bundler already handle such cases by ignoring improperly built extension gems, except when conflicts involved default gems. 
Recognizing this, we implemented a straightforward bug fix to resolve these edge cases.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/8165"><strong>Enhanced Bundler Integration with RubyGems, Resolving <code class="language-plaintext highlighter-rouge">bundle exec</code> Edge Case</strong></a></p> <ul> <li>A reported issue involved <code class="language-plaintext highlighter-rouge">bundler</code> failing to run (with a final “r”), prompting a suggested fix. However, the affected code resided within Bundler’s monkeypatches applied during <code class="language-plaintext highlighter-rouge">bundle/setup</code> to RubyGems, which has long been a suboptimal approach. This presented an opportunity to improve Bundler’s integration with RubyGems, offering potential long-term maintenance benefits.</li> <li>We resolved the issue by eliminating these monkeypatches entirely. This was achieved by correcting Bundler’s usage of the RubyGems API for setting gem specifications <code class="language-plaintext highlighter-rouge">Gem::Specification.all=</code>, which had previously overlooked default gems (including Bundler itself). Once corrected, the other monkeypatches were rendered unnecessary.</li> <li>Beyond fixing this edge case, our goal is to gradually integrate Bundler with RubyGems using proper APIs, reducing technical debt and potentially paving the way for a unified library in the future.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/8174"><strong>Improved Webauthn CLI Experience</strong></a></p> <ul> <li>Recent webauthn support for the CLI encountered issues when <code class="language-plaintext highlighter-rouge">gem push</code> or other commands required two authenticated requests, such as when an API key had invalid scopes or when signing in before using the gem CLI. 
This required obtaining or fixing the API key before completing the intended operation.</li> <li>The issue arose from reusing the same OTP obtained through webauthn for both requests, which is not permitted. The solution was to perform two separate webauthn requests to generate distinct OTP codes.</li> </ul> <p>In October, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-10-01%7D...master@%7B2024-10-31%7D">166 new commits</a> contributed by 15 authors. There were 1,302 additions and 14,205 deletions across 529 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in October was provided by <a href="https://aws.amazon.com/">AWS</a>, <a href="https://www.fastly.com/">Fastly</a>, and <a href="https://www.datadoghq.com/">DataDog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><a href="https://blog.rubygems.org/2024/11/07/maintainer-role.html"><strong>Released Maintainer Role Feature</strong></a></p> <ul> <li>Until now, every gem owner on <a href="http://rubygems.org/">Rubygems.org</a> had the same permissions, regardless of their role or trust level within their organization. This highlighted a significant weakness: users with lower levels of trust could potentially cause considerable harm to widely used gems.</li> <li>To address this, we’ve introduced a new role field for gem ownerships. 
This enhancement allows gem owners to assign and configure roles for their gems, better reflecting real-world organizational structures and reducing potential security risks.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5085"><strong>Converted RubyGems.org to Use Propshaft</strong></a></p> <ul> <li>With Rails 8 adopting Propshaft as the default, we aimed to make the switch. After transitioning to importmaps earlier this year, we were largely ready to move from Sprockets. However, our first attempt led to styles not loading on staging, prompting us to delay.</li> <li>While working on a new design, we realized our site’s caching behavior could be longer than expected, and Propshaft might work fine. After thorough staging checks and timing refresh intervals, we deployed to production. Unfortunately, things broke longer than on staging. New assets triggered 404 errors, causing some initial panic before resolving on their own.</li> <li><strong>Lesson learned</strong>: A smoother deploy would have involved loading new assets alongside old ones to allow for gradual cache warming. We underestimated the impact and duration of the disruption—apologies for the temporary issues. All is working fine now!</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5160"><strong>Added bcrypt Password Validation</strong></a></p> <ul> <li>This update introduces bcrypt password validation to enhance security for password handling on <a href="http://rubygems.org/">RubyGems.org</a>. It uses byte-size validation to prevent passwords longer than 72 bytes, as bcrypt silently truncates passwords exceeding this length.</li> </ul> <p>In October, <a href="http://rubygems.org/">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-10-01%7D...master@%7B2024-10-31%7D">106 new commits</a> contributed by 9 authors. 
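The bcrypt item above turns on a detail that is easy to get wrong: bcrypt uses only the first 72 bytes of its input, so the guard in front of it has to count bytes, not characters. The following is an added example, not the RubyGems.org validator itself, written as plain Ruby so it runs without Rails; the minimum length is a constructed policy value, and the passwords exercised are constructed samples.

```ruby
# Added example, not RubyGems.org's own validator: a byte-size guard in front
# of bcrypt, and why a character-count check is not enough.
BCRYPT_MAX_BYTES = 72
MIN_PASSWORD_CHARS = 10 # constructed policy value, not RubyGems.org's

# Returns an array of error messages; empty means the password is acceptable.
# In an ActiveModel class this is the shape a custom validator would take.
def password_errors(password)
  errors = []
  if password.length < MIN_PASSWORD_CHARS
    errors << "is too short (minimum is #{MIN_PASSWORD_CHARS} characters)"
  end
  # bytesize, not length: multibyte characters make a short-looking
  # password exceed bcrypt's limit.
  if password.bytesize > BCRYPT_MAX_BYTES
    errors << "is too long (maximum is #{BCRYPT_MAX_BYTES} bytes)"
  end
  errors
end

# The bytes bcrypt would actually hash. Two passwords that agree on their
# first 72 bytes produce the same hash, so anything after that gives no
# protection and may silently collide with another user's password.
def bcrypt_effective_input(password)
  password.b.byteslice(0, BCRYPT_MAX_BYTES)
end

# The check that counts characters only; shown for contrast.
def passes_naive_length_check?(password, max_chars = BCRYPT_MAX_BYTES)
  password.length <= max_chars
end

if $PROGRAM_NAME == __FILE__
  accented = "\u00e9" * 40 # 40 characters, 80 bytes
  puts "naive check: #{passes_naive_length_check?(accented)}"
  puts "byte check:  #{password_errors(accented).inspect}"
  a = ("a" * 72) + "-suffix-one"
  b = ("a" * 72) + "-suffix-two"
  puts "same bcrypt input: #{bcrypt_effective_input(a) == bcrypt_effective_input(b)}"
end
```

With the bcrypt gem in place, `password_errors` runs before `BCrypt::Password.create` and nothing longer than 72 bytes ever reaches it; rejecting the input is preferable to pre-hashing or truncating it, because a user whose password was silently shortened has no way to know which prefix actually authenticates them.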
There were 5,008 additions and 2,076 deletions across 288 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/jbampton">@jbampton</a> John Bampton</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/tompng">@tompng</a> Tomoya Ishida</li> <li><a href="https://github.com/leoarnold">@leoarnold</a> Leo Arnold</li> <li><a href="https://github.com/jeromedalbert">@jeromedalbert</a> Jerome Dalbert</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/sue445">@sue445</a> Go Sueyoshi</li> <li><a href="https://github.com/karreiro">@karreiro</a> Guilherme Carreiro</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/manuelmeurer">@manuelmeurer</a> Manuel Meurer</li> <li><a href="https://github.com/Kuanchiliao1">@kuanchiliao1</a> 
Tony Liao</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> Maintainer Role 2024-11-07T00:00:00+00:00 http://blog.rubygems.org/2024/11/07/maintainer-role <p>Today, we are excited to announce a new type of permission for users to have on gems. Until today, permissions on a gem were simply binary: either you were an <code class="language-plaintext highlighter-rouge">owner</code> on a gem, and you could do anything, or you were not an owner, and you could do nothing. In response to user requests, we have added a new option, the <code class="language-plaintext highlighter-rouge">maintainer</code> role.</p> <h3 id="what-can-maintainers-do">What can maintainers do?</h3> <p>Like owners, maintainers are able to publish new versions of a gem. Unlike owners, maintainers are not allowed to change gem permissions, which means they cannot add additional owners or maintainers to the gem, and they cannot add trusted publishers to make automated pushes.</p> <table> <thead> <tr> <th> </th> <th>Owner</th> <th>Maintainer</th> </tr> </thead> <tbody> <tr> <td>Publish new versions</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Configure OIDC &amp; Trusted publishing</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>Add owners/maintainers</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>Manage gem adoptions</td> <td>✅</td> <td>❌</td> </tr> </tbody> </table> <h3 id="why-add-this-new-role">Why add this new role?</h3> <p>We’re adding the <code class="language-plaintext highlighter-rouge">maintainer</code> role primarily to improve security. 
As long as every user has <code class="language-plaintext highlighter-rouge">owner</code> permissions, gaining access to any of those accounts is enough to fully take over a gem. Since not all users need the maximum permissions of an owner, the new role allows the defensive security strategy often called “minimal permissions” (least privilege), where users are only given the permissions that they actually need to use, in order to reduce damage if an account is compromised.</p> <p>The underlying system that creates multiple kinds of permissions on a gem will also serve as a building block for our ongoing work to add organization accounts to RubyGems in the future.</p> <h3 id="what-happens-next">What happens next?</h3> <p>For the time being, permissions will stay exactly the same. New permissions will default to <code class="language-plaintext highlighter-rouge">owner</code>, and users will need to manually opt in to giving someone <code class="language-plaintext highlighter-rouge">maintainer</code> permissions. 
Sometime in the next 2 or 3 months, once we have higher confidence in the code to handle the new roles, we will change the default for newly added users to <code class="language-plaintext highlighter-rouge">maintainer</code>, and users will have to manually choose the <code class="language-plaintext highlighter-rouge">owner</code> permission if they want to give it.</p> 3.5.23 Released 2024-11-05T00:00:00+00:00 http://blog.rubygems.org/2024/11/05/3.5.23-released <p>RubyGems 3.5.23 includes enhancements, bug fixes, performance and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Validate user input encoding of <code class="language-plaintext highlighter-rouge">gem</code> CLI arguments. Pull request <a href="https://github.com/rubygems/rubygems/pull/6471">#6471</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --system</code> leaving old default bundler executables around. Pull request <a href="https://github.com/rubygems/rubygems/pull/8172">#8172</a> by deivid-rodriguez</li> <li>Installs bundler 2.5.23 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix commands with 2 MFA requests when webauthn is enabled. Pull request <a href="https://github.com/rubygems/rubygems/pull/8174">#8174</a> by deivid-rodriguez</li> <li>Make <code class="language-plaintext highlighter-rouge">--enable-load-relative</code> binstubs prolog work when Ruby is not installed in the same directory as the binstub. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7872">#7872</a> by deivid-rodriguez</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Speed up <code class="language-plaintext highlighter-rouge">gem install &lt;nonexistent-gem&gt;</code> by finding alternative name suggestions faster. Pull request <a href="https://github.com/rubygems/rubygems/pull/8084">#8084</a> by duckinator</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Add missing comma in documentation. Pull request <a href="https://github.com/rubygems/rubygems/pull/8152">#8152</a> by leoarnold</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.23.tgz<br /> 3d277bf0b12ff46834d89b283fc451d130dbe6428d00d7ace4664c449c3ef28c</li> <li>rubygems-3.5.23.zip<br /> 00eeb2ca33acf008a58937ca98a88acf5166ab9dc0555a5c25cd08427062a6ec</li> <li>rubygems-update-3.5.23.gem<br /> 366b7a71c9196f3b3d09cf4522c9bac26e6d4a3f0fa2a88a18fa1e33c6fd7c0c</li> </ul> September 2024 RubyGems Updates 2024-10-18T00:00:00+00:00 http://blog.rubygems.org/2024/10/18/september-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in September.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In September, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3519--2024-09-18">3.5.19</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3520--2024-09-24">3.5.20</a> along with Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2519-september-18-2024">2.5.19</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2520-september-24-2024">2.5.20</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. 
Notable improvements include the <a href="https://github.com/rubygems/rubygems/pull/7939">removal of temporary <code class="language-plaintext highlighter-rouge">.lock</code> files</a> unintentionally left behind by the gem installer, the rejection of <a href="https://github.com/rubygems/rubygems/pull/7967">unknown platforms when running <code class="language-plaintext highlighter-rouge">bundle lock --add-platform</code></a>, and a performance fix that addresses the excessive <a href="https://github.com/rubygems/rubygems/pull/8006">slowness of the <code class="language-plaintext highlighter-rouge">gem install &lt;nonexistent gem&gt;</code> command</a>.</p> <p>Some other important accomplishments from the team this month include:</p> <p><a href="https://github.com/rubygems/rubygems/pull/8029"><strong>Significant Progress on Lockfile Checksums Enablement</strong></a></p> <ul> <li><a href="https://github.com/rubygems/rubygems/pull/7896">Previously</a>, we implemented checksums in the lockfile to ensure that installed gems have not been tampered with, aligning with standard security measures in other package managers. We are now addressing platform-related issues to enforce strict gem locking and prevent false security assurances.</li> <li>The checksums feature is now available in our master branch and is being prepared for inclusion in Bundler 2.6’s December release, allowing users to opt in. It will become the default in Bundler 3, supported by continuous integration testing to guarantee reliability.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7985"><strong>Fixing Strict Permissions Check in Bundler for GitHub Actions</strong></a></p> <ul> <li>We resolved permission issues reported in GitHub Actions workflows where Bundler was refusing to delete directories before reinstalling gems, causing workflows to abort. 
This problem affected both the GitHub Actions runner repositories and the official <code class="language-plaintext highlighter-rouge">ruby/setup-ruby</code> action, forcing users to manually adjust permissions as a workaround.</li> <li>Through investigative efforts, we identified that the Bundler 2.5.12 release began treating default gems as regular gems and explicitly installing them. Since default gems include empty directories in Ruby distributions, Bundler was failing when attempting to remove these empty directories before installation.</li> <li>We fixed the issue by modifying Bundler to skip removing empty directories, ensuring smooth gem installations without requiring manual permission adjustments.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/8013"><strong>Enhancing Support for Caching Git Gems in</strong></a> <a href="https://github.com/rubygems/rubygems/pull/8047"><strong>the Project-Specific Cache (vendor/cache)</strong></a></p> <ul> <li>We have improved Bundler’s ability to cache git gems in <code class="language-plaintext highlighter-rouge">vendor/cache</code> by maintaining a bare clone of the repository within the cache. This enhancement allows users to bundle all dependencies with their applications, facilitating installations in environments without internet access.</li> <li>Additionally, we implemented patches to reduce the size of bare clones by removing <code class="language-plaintext highlighter-rouge">.sample</code> files and ensuring that empty directories are preserved when cloning repositories on different machines. 
These improvements prevent cache misidentification and enhance the reliability of git gem caching.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7960"><strong>Improvements in Gem Activation Conflict Prevention</strong></a></p> <ul> <li>As a dependency manager, Bundler needs to be very careful about having dependencies itself, because those dependencies could interfere with the dependencies of end users. We addressed dependency conflicts by carefully managing Bundler’s and RubyGems’ own dependencies, particularly with the gemification of Ruby’s standard library, such as <code class="language-plaintext highlighter-rouge">securerandom</code> becoming a default gem.</li> <li>To prevent conflicts, we vendored the <code class="language-plaintext highlighter-rouge">securerandom</code> gem under our own namespace in both RubyGems and Bundler, ensuring our dependencies do not interfere with user dependencies and maintaining a stable environment for end users.</li> <li>In the particular case of <code class="language-plaintext highlighter-rouge">bundler/inline</code>, we applied a workaround: rescue the conflict when it happens and retry with an explicit dependency on the user version, so that the conflict does not happen the second time.</li> <li>We also explored more general solutions to provide robust fixes for common entry points prone to dependency conflicts, such as re-executing the original process after gem installation during <code class="language-plaintext highlighter-rouge">bundler/inline</code> or installing gems in a subprocess when <code class="language-plaintext highlighter-rouge">auto_install</code> is set.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/8083"><strong>Improving Suggestions for</strong></a> <a href="https://github.com/rubygems/rubygems/pull/8084"><strong>and Speeding Up</strong></a> <a href="https://github.com/rubygems/rubygems/pull/8083"><code class="language-plaintext highlighter-rouge">gem install 
&lt;nonexistent gem&gt;</code></a></p> <ul> <li>Previously, attempting to install a nonexistent gem (e.g., <code class="language-plaintext highlighter-rouge">railss</code>) resulted in RubyGems suggesting multiple gem names that were over 20 characters long, while the correct gem (<code class="language-plaintext highlighter-rouge">rails</code>) was never suggested.</li> <li>We recognized that waiting 10 seconds for suggestions when installing a nonexistent gem was more annoying than helpful. Having determined that computing the Levenshtein distance was the main performance cost, we refactored RubyGems to avoid computing this distance in as many cases as possible. This significantly speeds up <code class="language-plaintext highlighter-rouge">gem install</code> for nonexistent gems, enhancing the overall user experience.</li> </ul> <p><strong>Introduced the New Design for RubyGems.org</strong></p> <ul> <li>We are slowly rolling out a full refresh of the site that aims to meet our goals of modernizing the design and improving the usability of <a href="http://rubygems.org/">RubyGems.org</a> for all of our users.</li> <li>The new design aims to support the full range of devices/browser widths and (much to my relief) includes a dark mode theme!</li> <li><a href="https://blog.rubygems.org/2024/10/15/our-new-design.html">Learn more here</a></li> </ul> <p><img src="https://rubycentral.org/content/images/size/w1600/2024/10/hammy-light-top-1-1-1.png" alt="RubyGems.org &quot;About&quot; page, top navigation menu, featuring new design. " /></p> <p>RubyGems.org “About” page, top navigation menu, featuring new design.</p> <p><img src="https://rubycentral.org/content/images/size/w1600/2024/10/hammy-dark-bottom-1-1-1.png" alt="RubyGems New Design Dark Mode" /></p> <p>RubyGems.org “About” page, bottom navigation menu, featuring new design…in dark mode!</p> <p>In September, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-9-01%7D...master@%7B2024-9-31%7D">168 new commits</a> contributed by 17 authors. 
There were 1,852 additions and 802 deletions across 164 files.</p> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in September was provided by <a href="https://aws.amazon.com/">AWS</a>, <a href="https://www.fastly.com">Fastly</a>, and <a href="https://www.datadoghq.com">DataDog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><a href="https://github.com/rubygems/rubygems.org/pull/5056"><strong>Added Length Validations for User-Supplied String Attributes</strong></a></p> <ul> <li>We added length validations for user-supplied string attributes to prevent users from adding a large amount of unexpected data to the pages we render.</li> <li>This improvement helps maintain application performance and security by ensuring that input data remains within acceptable limits.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/5035"><strong>Disabled Honeybadger &amp; Datadog in local environments</strong></a></p> <ul> <li>We disabled Honeybadger and Datadog from being initialized in local environments to prevent errors and unnecessary resource usage.</li> <li>These monitoring tools are configured and authenticated for production environments only, while local development setups do not have the necessary configurations. This fix ensures that Honeybadger and Datadog are active exclusively in production, maintaining a smooth and error-free experience for developers working in local environments.</li> </ul> <p>In September, <a href="http://rubygems.org/">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-9-01%7D...master@%7B2024-9-31%7D">92 new commits</a> contributed by 8 authors. 
There were 1,643 additions and 1,644 deletions across 157 files.</p> <h2 id="ruby-ecosystem-news">Ruby Ecosystem News</h2> <p>Here we outline additional exciting updates made to other projects in the Ruby Ecosystem.</p> <h3 id="ruby-toolbox">Ruby Toolbox</h3> <p>These are highlights from the work done in <a href="https://www.ruby-toolbox.com/">Ruby Toolbox</a>:</p> <ul> <li>To keep the Ruby Toolbox application orderly and running smoothly, we updated numerous dependencies on both the Ruby Toolbox Rails main application and the catalog repository, including upgrading to the latest <code class="language-plaintext highlighter-rouge">Ruby 3.3.5</code> and <code class="language-plaintext highlighter-rouge">Rails 7.2.1</code>.</li> <li>We reviewed and merged the most recent contributions to the catalog, ensuring that submissions are up-to-date and meet quality standards.</li> </ul> <h3 id="organization-accounts-update">Organization Accounts Update</h3> <p>We are making steady progress and remain on track to have the new feature ready for users by the end of November. <a href="https://github.com/rubycentral/alpha-omega/blob/update-2024-09/alpha/engagements/2024/RubyCentral/update-2024-09.md">For details, check out this post.</a> Development work on this project was made possible by funding from <a href="https://rubycentral.org/news/ruby-central-receives-alpha-omega-grant/">Alpha-Omega</a>.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! 
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/byroot">@byroot</a> Jean Boussier</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/marcoroth">@marcoroth</a> Marco Roth</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/composerinteralia">@composerinteralia</a> Daniel Colson</li> <li><a href="https://github.com/djberube">@djberube</a> David J Berube</li> <li><a href="https://github.com/jeromedalbert">@jeromedalbert</a> Jerome Dalbert</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> <li><a href="https://github.com/earlopain">@earlopain</a> Earlopain</li> <li><a href="https://github.com/y-yagi">@y-yagi</a> Yuuji Yaginuma</li> <li><a href="https://github.com/jonathanhefner">@jonathanhefner</a> Jonathan Hefner</li> <li><a href="https://github.com/tnir">@tnir</a> Takuya N</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> 
Josef Šimánek</li> <li><a href="https://github.com/JuanVqz">@JuanVqz</a> Juan Vásquez</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.22 Released 2024-10-16T00:00:00+00:00 http://blog.rubygems.org/2024/10/16/3.5.22-released <p>RubyGems 3.5.22 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Prevent <code class="language-plaintext highlighter-rouge">._*</code> files in packages generated from macOS. Pull request <a href="https://github.com/rubygems/rubygems/pull/8150">#8150</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem pristine etc</code> resetting gem twice sometimes. Pull request <a href="https://github.com/rubygems/rubygems/pull/8117">#8117</a> by deivid-rodriguez</li> <li>Allow <code class="language-plaintext highlighter-rouge">gem pristine</code> to reset default gems too. Pull request <a href="https://github.com/rubygems/rubygems/pull/8118">#8118</a> by deivid-rodriguez</li> <li>Update vendored <code class="language-plaintext highlighter-rouge">uri</code> and <code class="language-plaintext highlighter-rouge">net-http</code>. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/8112">#8112</a> by segiddins</li> <li>Installs bundler 2.5.22 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem contents</code> for default gems. Pull request <a href="https://github.com/rubygems/rubygems/pull/8132">#8132</a> by deivid-rodriguez</li> <li>Fix duplicated specs when they have been previously activated. Pull request <a href="https://github.com/rubygems/rubygems/pull/8131">#8131</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem install</code> on NFS shares. Pull request <a href="https://github.com/rubygems/rubygems/pull/8123">#8123</a> by deivid-rodriguez</li> <li>Fix a <code class="language-plaintext highlighter-rouge">gem install</code> crash during “done installing” hooks. Pull request <a href="https://github.com/rubygems/rubygems/pull/8113">#8113</a> by deivid-rodriguez</li> <li>Fix plugin command loading. Pull request <a href="https://github.com/rubygems/rubygems/pull/8121">#8121</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.22.tgz<br /> 229c8e393a412e99d6a0fe2a22fb98f7d2e2d79cdbc48e5a8dcca6fa9a356c87</li> <li>rubygems-3.5.22.zip<br /> a002ec5b89333d5f22c98fb8b0ee82a208555f1e2f7ba3c7648d9475b5367dee</li> <li>rubygems-update-3.5.22.gem<br /> 22223807de23e25a0d1053ef0a86a1bac5c61cbc8376a3f6348e4440b6fb7cf1</li> </ul> New Design for RubyGems.org 2024-10-15T00:00:00+00:00 http://blog.rubygems.org/2024/10/15/our-new-design <p>We are excited to announce the initial release of the new design for RubyGems.org!</p> <p>The new design is the result of a collaboration with UX designer <a href="https://www.taylordesign.co/">Ian Taylor</a> and the RubyGems.org core team. 
Eventually, the full refresh of the site aims to meet our goals of modernizing the design and improving the usability of RubyGems.org for all of our users.</p> <p>The design will be released incrementally and we’ve chosen the <code class="language-plaintext highlighter-rouge">/pages</code> routes to be refreshed first. These pages contain non-critical, mostly static content, allowing us to release the design without risking problems for our users.</p> <p><em>As part of the roll-out strategy, we are prioritizing stability over a “big reveal”.</em></p> <p>The new design aims to support the full range of devices and browser widths, and much to my relief, it includes a dark mode theme! Please let us know if you run into any usability issues by <a href="https://github.com/rubygems/rubygems.org/issues">adding an issue to the project on GitHub</a> or, better yet, by opening a PR to resolve the issue. We want to ensure the site remains functional for everyone!</p> <h2 id="help-us-review-the-design-on-your-devices">Help us review the design on your devices</h2> <p>Shortly after this blog post is published, you can visit <a href="https://rubygems.org/pages/about">About</a> and <a href="https://rubygems.org/pages/data">Data</a> to see examples of the new design.</p> <p>Light mode:</p> <p><img src="/images/hammy-light.png" width="100%" /></p> <p>Dark mode:</p> <p><img src="/images/hammy-dark.png" width="100%" /></p> 3.5.21 Released 2024-10-03T00:00:00+00:00 http://blog.rubygems.org/2024/10/03/3.5.21-released <p>RubyGems 3.5.21 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Fix <code class="language-plaintext 
highlighter-rouge">Gem::MissingSpecVersionError#to_s</code> not showing exception message. Pull request <a href="https://github.com/rubygems/rubygems/pull/8074">#8074</a> by deivid-rodriguez</li> <li>Remove code that makes suggest_gems_from_name give worse results. Pull request <a href="https://github.com/rubygems/rubygems/pull/8083">#8083</a> by duckinator</li> <li>Warning about PATH in <code class="language-plaintext highlighter-rouge">--user-install</code> mode is only necessary for gems with executables. Pull request <a href="https://github.com/rubygems/rubygems/pull/8071">#8071</a> by deivid-rodriguez</li> <li>Installs bundler 2.5.21 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix error in one source when fetching dependency APIs clearing results from all sources. Pull request <a href="https://github.com/rubygems/rubygems/pull/8080">#8080</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem cleanup</code> warning when two versions of psych installed. Pull request <a href="https://github.com/rubygems/rubygems/pull/8072">#8072</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.21.tgz<br /> 959b3e4886986975d85d0b02117790883e53b8d051529df6eacfe64745ef3160</li> <li>rubygems-3.5.21.zip<br /> 3992a92ae569abe8a48e031e86ab29c1615f18c6acbbbb50302c459e2b847185</li> <li>rubygems-update-3.5.21.gem<br /> b18e55a3e7bb8f04ccefba8d0a6274f8b0bf56856c12d08f011aceccfbd7efc8</li> </ul> August 2024 RubyGems Updates 2024-09-24T00:00:00+00:00 http://blog.rubygems.org/2024/09/24/august-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in August.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In August, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3517--2024-08-01">3.5.17</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3518--2024-08-26">3.5.18</a> along with Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2517-august-1-2024">2.5.17</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2518-august-26-2024">2.5.18</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include fixing an issue where <a href="https://github.com/rubygems/rubygems/pull/7949"><code class="language-plaintext highlighter-rouge">gem uninstall &lt;name&gt;:&lt;version&gt;</code> would fail on shadowed default gems</a>, <a href="https://github.com/rubygems/rubygems/pull/7805">enabling lockfile checksums in future Bundler 3</a> even when there’s no previous lockfile, and fixing an issue where <code class="language-plaintext highlighter-rouge">bundle update &lt;indirect_dep&gt;</code> would <a href="https://github.com/rubygems/rubygems/pull/7915">fail to upgrade when versions are present in two different sources</a>.</p> <p>Some other important accomplishments from the team this month include:</p> <p><a href="https://github.com/rubygems/rubygems/pull/7916"><strong>Fixing an Edge Case Where Bundler Was Removing Platforms Due to Bad Indentation</strong></a></p> <ul> <li>We resolved an issue where Bundler was removing platforms and associated gems from <code class="language-plaintext highlighter-rouge">Gemfile.lock</code> because of bad indentation.</li> <li>Now, Bundler auto-fixes indentation by properly stripping whitespace, ensuring badly indented platforms are recognized and retained, which prevents broken 
dependencies and confusion.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7915"><strong>Fixing a Source Dependency Confusion in <code class="language-plaintext highlighter-rouge">bundle update &lt;specific_gem&gt;</code></strong></a></p> <ul> <li>We fixed an issue where <code class="language-plaintext highlighter-rouge">bundle update &lt;specific_gem&gt;</code> would confuse the source of <code class="language-plaintext highlighter-rouge">&lt;specific_gem&gt;</code> if an old version existed on a different gem server than specified in the lockfile, allowing smoother gem updates.</li> <li>The bug was due to the additional unlocked resolution not using the correct source requirements during <code class="language-plaintext highlighter-rouge">bundle update &lt;specific_gem&gt;</code>. The fix ensures it now uses the same source requirements as the main resolution.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7942"><strong>Improved Developer Experience When Setting Up RubyGems With an Unsupported Ruby</strong></a></p> <ul> <li>We added a clearer error message when an unsupported Ruby version is detected and the setup process is aborted, improving the process by preventing new developers from being discouraged by obscure errors.</li> <li>This change helps people starting to develop RubyGems by immediately informing them if their Ruby version isn’t supported.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7949"><strong>Fixed <code class="language-plaintext highlighter-rouge">gem uninstall &lt;gem&gt;:&lt;version&gt;</code></strong> <strong>Failing When Target Gem is Also a Default Gem</strong></a></p> <ul> <li>We resolved an issue where <code class="language-plaintext highlighter-rouge">gem uninstall &lt;gem&gt;:&lt;version&gt;</code> would fail with a confusing error if the target gem was also a default gem, providing a smoother CLI experience.</li> <li>The fix skips the default copy of the gem during 
uninstallation, avoiding the “double uninstall” problem.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7951"><strong>Fixed Issues With the <code class="language-plaintext highlighter-rouge">--prefer-local</code> Flag in <code class="language-plaintext highlighter-rouge">bundle install</code></strong></a></p> <ul> <li>We resolved problems where the <code class="language-plaintext highlighter-rouge">--prefer-local</code> flag wasn’t working effectively; it didn’t fall back to remote gems when local ones didn’t satisfy requirements and didn’t prefer local gems for sub-dependencies.</li> <li>We implemented a solution similar to how we handle prereleases: for each gem, first prefer local versions; if conflicts arise, allow remote versions for those specific gems.</li> <li>This was inspired by <a href="https://github.com/gouravkhunger">@gouravkhunger</a>, who uses <code class="language-plaintext highlighter-rouge">--prefer-local</code> to help package Ruby for his Jekyllex project.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7950"><strong>Helped Appraisals Maintainers Run Tests With Latest Bundler</strong></a></p> <ul> <li>Ensured that Appraisals, a library for testing against multiple Gemfiles, <a href="https://github.com/thoughtbot/appraisal/pull/229">works with the latest Bundler</a> by proposing updates and fixing small behavior changes in Bundler 2.4 that affected them.</li> <li>Appraisals is tightly coupled to Bundler internals, so it’s important it remains compatible to detect potential issues in Bundler itself.</li> </ul> <p>In August, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-8-01%7D...master@%7B2024-8-31%7D">77 new commits</a> contributed by 8 authors. 
There were 1,163 additions and 151 deletions across 90 files.</p> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for <a href="http://rubygems.org/">RubyGems.org</a> in August was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a>, and <a href="https://www.datadoghq.com/?ref=rubycentral.org">DataDog</a>.</p> <p>The following are highlights of what the team worked on this month:</p> <p><a href="https://github.com/rubygems/rubygems.org/pull/4968"><strong>Prevented AWS Secrets From Being Printed in Logs or Error Messages</strong></a></p> <ul> <li>We modified the logging and error-handling mechanisms to ensure AWS secrets are sanitized and never output.</li> <li>Although this issue wasn’t occurring in CI, it’s crucial to safeguard against future changes that might inadvertently expose sensitive information.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/4957"><strong>Renamed <code class="language-plaintext highlighter-rouge">#search_field</code></strong> <strong>to Resolve a Naming Conflict With Rails Internals</strong></a></p> <ul> <li>The conflict was causing the Rails info page (<code class="language-plaintext highlighter-rouge">/rails/info/routes</code>) to raise an error, hindering access to important debugging routes.</li> <li>To resolve this, we changed the method name to eliminate the conflict, restoring normal functionality to the Rails info page.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/4953"><strong>Fixed a Minor Inefficiency in RubyGems Controller</strong></a></p> <ul> <li>The <code class="language-plaintext highlighter-rouge">GemNameReservation</code> query was being executed 
four times per request, leading to potential performance issues.</li> <li>We refactored the controller logic to perform the <code class="language-plaintext highlighter-rouge">GemNameReservation</code> query only once per request, improving efficiency.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/4950"><strong>Fixed Broken Recovery Code Acceptance Tests</strong></a></p> <ul> <li>Tests were failing due to two issues, blocking the CI pipeline. We addressed each: <ul> <li><em>Invalid jQuery Selector Length Check</em>: We corrected the jQuery selector <code class="language-plaintext highlighter-rouge">$("#recovery-code-list").length</code> to properly detect the element.</li> <li><em>Confirmation Dialog Not Triggering on Path Change</em>: We adjusted the test so that changing the current path triggers the confirm dialog as expected.</li> </ul> </li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/4975"><strong>Optimized API Key Expiration Process by Skipping Already Expired Keys</strong></a></p> <ul> <li>The existing expiration process was inefficient because it looped through all API keys, including those that were already expired.</li> <li>To fix this, we modified the API key expiration routine to process only unexpired API keys, thereby avoiding unnecessary iterations over keys that have already expired.</li> </ul> <p>In August, <a href="http://rubygems.org/">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-8-01%7D...master@%7B2024-8-31%7D">57 new commits</a> contributed by 6 authors. There were 134 additions and 137 deletions across 15 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! 
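The AWS secrets item in the RubyGems.org News section above says credentials are sanitized before they are logged, but not how. The following is an added example, not RubyGems.org's own code: a <code>Logger</code> formatter that scrubs AWS access key IDs (by their fixed prefix and length) and secret keys (by the field name they travel with) from every message and exception before it reaches the sink, so a later change that logs a config hash or an SDK error cannot leak them. The two patterns are assumptions about which shapes are worth catching; the sample lines are constructed and use the public example credentials from the AWS documentation.

```ruby
require "logger"
require "stringio"

# Added example, not RubyGems.org's own code: a Logger formatter that scrubs
# AWS credentials from every message and exception before it reaches the log
# sink. Assumed patterns: access key IDs have a fixed prefix and length, secret
# keys do not, so those are caught by the field name they travel with.
AWS_ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/
AWS_SECRET_FIELD  = /(aws_secret_access_key|secret_access_key)(["']?\s*[=:]\s*["']?)([^\s"',}]+)/i

# Replace credentials in a string with fixed markers, keeping the surrounding
# field names so the log line stays readable and searchable.
def redact_aws_secrets(text)
  text.gsub(AWS_ACCESS_KEY_ID, "[REDACTED_AWS_ACCESS_KEY_ID]")
      .gsub(AWS_SECRET_FIELD) { "#{Regexp.last_match(1)}#{Regexp.last_match(2)}[REDACTED]" }
end

class RedactingFormatter < Logger::Formatter
  def call(severity, time, progname, msg)
    # Exceptions are the usual leak path (an SDK error echoing its request),
    # so their message and backtrace are scrubbed as well as plain strings.
    text = if msg.is_a?(Exception)
             "#{msg.class}: #{msg.message}\n#{Array(msg.backtrace).join("\n")}"
           else
             msg.to_s
           end
    super(severity, time, progname, redact_aws_secrets(text))
  end
end

# Log one message through the formatter and return what the sink received.
def format_redacted(message)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  logger.formatter = RedactingFormatter.new
  logger.error(message)
  buffer.string
end

# Constructed sample log lines using the public example credentials from the
# AWS documentation; nothing here is a live key.
SAMPLE_LINES = [
  "S3 upload of rubygems-3.5.21.tgz failed: aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  'Config dump: {"AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}',
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |line| print format_redacted(line) }
  print format_redacted(RuntimeError.new("request signed with AKIAIOSFODNN7EXAMPLE was rejected"))
end
```

Putting the scrub in the formatter rather than at each call site is what protects against the "future changes" the item mentions: any new <code>logger.error(...)</code> added later goes through the same filter.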
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/marcoroth">@marcoroth</a> Marco Roth</li> <li><a href="https://github.com/gouravkhunger">@gouravkhunger</a> Gourav Khunger</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/KJTsanaktsidis">@KJTsanaktsidis</a> KJ Tsanaktsidis</li> <li><a href="https://github.com/mattbrictson">@mattbrictson</a> Matt Brictson</li> <li><a href="https://github.com/djberube">@djberube</a> David J Berube</li> <li><a href="https://github.com/jeromedalbert">@jeromedalbert</a> Jerome Dalbert</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/byroot">@byroot</a> Jean Boussier</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> <li><a href="https://github.com/sunpoet">@sunpoet</a> Po-Chuan Hsieh</li> <li><a href="https://github.com/eregon">@eregon</a> Benoit Daloze</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a 
href="https://github.com/okuramasafumi">@okuramasafumi</a> Okura Masafumi</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.20 Released 2024-09-24T00:00:00+00:00 http://blog.rubygems.org/2024/09/24/3.5.20-released <p>RubyGems 3.5.20 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><strong>Enhancements:</strong></p> <ul> <li>Installs bundler 2.5.20 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.20.tgz<br /> 211e0b0fa5313620e1d4a2b352deaf60687c3549ba35f89cdb604f993ff69f83</li> <li>rubygems-3.5.20.zip<br /> 959e711271f1e41c502be4752af77af8e729c26e8df15ef4bfb198ca5578405f</li> <li>rubygems-update-3.5.20.gem<br /> 722ac315f9fd9413fcbadd35a001e8760ab31cbec3ee3cd8de26d65745940a1b</li> </ul> 3.5.19 Released 2024-09-18T00:00:00+00:00 http://blog.rubygems.org/2024/09/18/3.5.19-released <p>RubyGems 3.5.19 includes enhancements, bug fixes and performance improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><strong>Enhancements:</strong></p> <ul> <li>Standardize pretty-print output for <code class="language-plaintext 
highlighter-rouge">Gem::Source</code> and subclasses. Pull request <a href="https://github.com/rubygems/rubygems/pull/7994">#7994</a> by djberube</li> <li>Update vendored <code class="language-plaintext highlighter-rouge">molinillo</code> to master and vendored <code class="language-plaintext highlighter-rouge">resolv</code> to 0.4.0. Pull request <a href="https://github.com/rubygems/rubygems/pull/7521">#7521</a> by hsbt</li> <li>Installs bundler 2.5.19 as a default gem.</li> </ul> <p><strong>Bug fixes:</strong></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">bundle exec rake install</code> failing when local gem has extensions. Pull request <a href="https://github.com/rubygems/rubygems/pull/7977">#7977</a> by deivid-rodriguez</li> <li>Make <code class="language-plaintext highlighter-rouge">gem exec</code> use the standard GEM_HOME. Pull request <a href="https://github.com/rubygems/rubygems/pull/7982">#7982</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem fetch</code> always exiting with zero status code. Pull request <a href="https://github.com/rubygems/rubygems/pull/8007">#8007</a> by deivid-rodriguez</li> <li>Remove temporary <code class="language-plaintext highlighter-rouge">.lock</code> files unintentionally left around by gem installer. Pull request <a href="https://github.com/rubygems/rubygems/pull/7939">#7939</a> by nobu</li> <li>Removed unused stringio. Pull request <a href="https://github.com/rubygems/rubygems/pull/8001">#8001</a> by hsbt</li> <li>Avoid another race condition of open mode. Pull request <a href="https://github.com/rubygems/rubygems/pull/7931">#7931</a> by nobu</li> <li>Fix <code class="language-plaintext highlighter-rouge">@license</code> typo preventing licenses from being correctly unmarshalled. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7975">#7975</a> by djberube</li> </ul> <p><strong>Performance:</strong></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem install does-not-exist</code> being super slow. Pull request <a href="https://github.com/rubygems/rubygems/pull/8006">#8006</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.19.tgz<br /> 8025aa482fa18bad8a46ae4ca5ab84ecf7a232dcbb93ff6688f8abd7be0bda42</li> <li>rubygems-3.5.19.zip<br /> 609dcceeac4bd5931fc1531353b05b45a4e6f5ff0a3ec723cf3ec8f315e42a1e</li> <li>rubygems-update-3.5.19.gem<br /> fb339f29650b656461e1b7e57cc268413edadf48922a67e780cc82be5f056df4</li> </ul> 3.5.18 Released 2024-08-26T00:00:00+00:00 http://blog.rubygems.org/2024/08/26/3.5.18-released <p>RubyGems 3.5.18 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><strong>Enhancements:</strong></p> <ul> <li>Installs bundler 2.5.18 as a default gem.</li> </ul> <p><strong>Bug fixes:</strong></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem uninstall &lt;name&gt;:&lt;version&gt;</code> failing on shadowed default gems. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7949">#7949</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.18.tgz<br /> a99163d03286850559134448e4c666fa32513407b63f1c277e5142b75180db56</li> <li>rubygems-3.5.18.zip<br /> 9b4fcf33c92aaf8bdc1c3c3711d22cadb12327cac388ae56e87a3795d9f5920a</li> <li>rubygems-update-3.5.18.gem<br /> 60460dae859b7714b9f64f846f6e99b8e876845b006476d82d4d0d13ef53fda4</li> </ul> July 2024 RubyGems Updates 2024-08-19T00:00:00+00:00 http://blog.rubygems.org/2024/08/19/july-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in July.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In July, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3515--2024-07-09">3.5.15</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3516--2024-07-18">3.5.16</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2515-july-9-2024">2.5.15</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2516-july-18-2024">2.5.16</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include a performance enhancement by using <a href="https://github.com/rubygems/rubygems/pull/7708"><code class="language-plaintext highlighter-rouge">caller_locations</code> instead of splitting <code class="language-plaintext highlighter-r2ouge">caller</code></a>, as collecting all call locations as strings and then extracting and splitting just one was inefficient. 
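</p>
<p>To make the <code>caller_locations</code> change concrete, here is an added example (it is not the RubyGems patch from pull request #7708, and it also covers the identical entry in the 3.5.16 release notes further down): the same "which file and line called me?" lookup done the old way, by formatting every stack frame as a string and then splitting one of them, and the new way, by asking Ruby for a single structured <code>Thread::Backtrace::Location</code>. The helper names, the stack depth and the iteration counts in <code>measure</code> are assumptions for the illustration.</p>

```ruby
# Added example: two ways to find the immediate caller's file and line.
# Not RubyGems code; the helper names are invented for the illustration.

# Old approach: `caller` formats *every* frame above us as a String, then we
# keep a single string and parse it back apart.
def call_site_via_caller
  frame = caller(1, 1).first              # e.g. "/app/lib/foo.rb:12:in 'bar'"
  path, line, _rest = frame.split(":", 3) # fragile: breaks on "C:/..." paths
  [path, Integer(line)]
end

# New approach: `caller_locations` materialises only the frames asked for, as
# structured objects with #path and #lineno, so nothing is re-parsed.
def call_site_via_locations
  loc = caller_locations(1, 1).first
  [loc.path, loc.lineno]
end

# Both lookups agree on the path; the line numbers differ by exactly one
# because the two calls below sit on consecutive lines.
def call_sites_agree?
  slow = call_site_via_caller
  fast = call_site_via_locations
  slow[0] == fast[0] && fast[1] == slow[1] + 1
end

# Recurse `depth` frames deep so the cost of formatting the whole stack shows.
def with_deep_stack(depth, &block)
  depth.zero? ? block.call : with_deep_stack(depth - 1, &block)
end

# Wall-clock seconds for each approach under a deep stack. Returned, not
# asserted on: absolute timings vary by machine, the ratio is the point.
def measure(depth: 200, iterations: 2_000)
  %i[call_site_via_caller call_site_via_locations].to_h do |name|
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    with_deep_stack(depth) { iterations.times { send(name) } }
    [name, Process.clock_gettime(Process::CLOCK_MONOTONIC) - started]
  end
end
```

<p>Both methods return the same path, and <code>measure</code> returns the seconds each approach took on a deep stack, where formatting hundreds of frames per call is exactly the cost the patch removed. The string-splitting version is also the less correct one: a path containing a colon (a Windows drive letter, for instance) is split in the wrong place, which the structured location never is.</p>
<p>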
Additionally, we resolved issues with loading <a href="https://github.com/rubygems/rubygems/pull/7851">nested <code class="language-plaintext highlighter-rouge">gemrc</code> configuration keys</a> when specified as symbols and implemented a file lock to <a href="https://github.com/rubygems/rubygems/pull/7806">safeguard the creation of <code class="language-plaintext highlighter-rouge">binstubs</code></a> when several processes install at once.</p> <p>Some other important accomplishments from the team this month include:</p> <p><strong>Publishing a <a href="https://github.com/rubygems/gem_server_conformance">basic conformance test for all gem servers</a></strong></p> <ul> <li>The suite lets the operator of any gem server check it against the behaviour RubyGems and Bundler expect, so incompatibilities surface in the server’s own test run rather than on users’ machines.</li> <li>The conformance test can be accessed and utilized through our <a href="https://github.com/rubygems/gem_server_conformance">GitHub repository</a>.</li> </ul> <p><a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/release-notes.html"><strong>Updating our OpenSearch cluster from 2.11 to 2.13</strong></a></p> <ul> <li>We recently updated our OpenSearch cluster from version 2.11 to 2.13 as part of our regular maintenance routine.</li> <li>This upgrade was executed with a one-click process in our AWS console. The update ensures that our systems continue to run smoothly and benefit from the latest features and improvements. 
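</li> </ul>
<p>The binstub file lock mentioned in the July summary above (pull request #7806, listed again in the 3.5.15 notes further down) guards against a classic installer race: two processes writing the same executable at the same time. What follows is an added example of that pattern, not the RubyGems implementation; the directory layout, the <code>.lock</code> and <code>.tmp</code> sidecar names and the stub bodies are assumptions. It combines an exclusive <code>flock</code> with write-to-a-temporary-file-then-rename, so a concurrent reader never sees a half-written stub, and it removes its lock file afterwards, which is the leftover the 3.5.19 notes above fix.</p>

```ruby
require "fileutils"

# Added example, not RubyGems' implementation: create a binstub under an
# exclusive lock and publish it with an atomic rename. Paths and the
# ".lock" / ".tmp" sidecar names are assumptions for the illustration.
def write_binstub(bindir, name, body)
  FileUtils.mkdir_p(bindir)
  target = File.join(bindir, name)
  lock_path = "#{target}.lock"

  File.open(lock_path, File::RDWR | File::CREAT, 0o644) do |lock|
    lock.flock(File::LOCK_EX)          # blocks until any other writer is done
    # Re-check inside the critical section: another installer may have just
    # written exactly what we were about to write.
    return :already_present if File.exist?(target) && File.binread(target) == body

    tmp = "#{target}.tmp.#{Process.pid}.#{Thread.current.object_id}"
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o755) do |f|
      f.write(body)
      f.fsync                          # bytes on disk before the name becomes visible
    end
    File.rename(tmp, target)           # atomic on POSIX: old or new stub, never a torn one
    :written
  end
ensure
  # Do not leave the sidecar behind (compare the 3.5.19 fix for stray .lock files).
  begin
    File.delete(lock_path) if lock_path
  rescue Errno::ENOENT
    nil                                # a sibling writer already cleaned up
  end
end

# Stress the lock from several threads, each trying to install a different
# stub body under the same name; whichever wins, the file must be intact.
def concurrent_writes_are_whole?(bindir, name, threads: 8)
  bodies = (1..threads).map { |i| "#!/usr/bin/env ruby\n# stub #{i}\n#{'x' * 4096}\n" }
  bodies.map { |b| Thread.new { write_binstub(bindir, name, b) } }.each(&:join)
  bodies.include?(File.binread(File.join(bindir, name)))
end
```

<p>Deleting the lock file is convenient but not free: a process that opened the old lock file just before it was unlinked no longer excludes one that creates a fresh one. Content integrity still holds here because each writer renames a complete temporary file into place, so the worst case is two whole writes rather than a torn one; if the critical section protected something that is not idempotent, keep a persistent lock file instead.</p>
<ul> <li>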
For more details on the update and its benefits, refer to the <a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/release-notes.html">AWS OpenSearch release notes</a>.</li> </ul> <p><strong>Confirmed protection against recent OpenSSH Bug</strong></p> <ul> <li>Early this month, <a href="https://cyberinsider.com/14-million-openssh-servers-potentially-vulnerable-to-regresshion-bug/">a vulnerability was disclosed</a> in certain versions of the OpenSSH server (the “regreSSHion” bug, CVE-2024-6387) that allows unauthenticated remote code execution.</li> <li>The RubyGems security team promptly responded by adding checks to confirm that our systems were not exposed to this threat, so that users and developers could continue their work without interruption.</li> </ul> <p>In July, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-7-01%7D...master@%7B2024-7-31%7D">171 new commits</a> contributed by 12 authors. There were 2,827 additions and 1,769 deletions across 113 files.</p> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in July was provided by AWS, Fastly, and DataDog. 
The following are highlights of what the team worked on this month:</p> <p><strong>Discontinued Auto Sign-In <a href="https://github.com/rubygems/rubygems.org/pull/4810">After Email Confirmation</a> and <a href="https://github.com/rubygems/rubygems.org/pull/4811">Password Reset</a></strong></p> <ul> <li>The primary goal for this change is to simplify login flows, reducing the likelihood of mistakes or bypasses.</li> <li>This change aligns with best practices recommended by <a href="https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#user-resets-password">OWASP</a> and will enhance security and streamline the login process for both users and developers.</li> </ul> <p><strong>Presented on <a href="http://rubygems.org/">RubyGems.org</a> at RedDot Ruby Conference 2024</strong></p> <ul> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> gave a presentation on <a href="https://drive.google.com/file/d/1szfL-qNAa_isxsnPqR8d7rDmxwZD1MzJ/view">“Scaling RubyGems.org to 1 Trillion Downloads”</a>.</li> <li>The talk was a deep dive into Ruby’s package ecosystem, exploring how RubyGems.org is maintained and the ongoing efforts of the team ensuring <a href="http://rubygems.org/">rubygems.org</a> remains a healthy and sustainable platform long into the future.</li> <li>Colby discussed the latest work and improvements made to the platform and outlined plans for future enhancements.</li> </ul> <p>In July, <a href="http://rubygems.org/">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-7-01%7D...master@%7B2024-7-31%7D">134 new commits</a> contributed by 8 authors. There were 2,421 additions and 978 deletions across 167 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! 
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/jeromedalbert">@jeromedalbert</a> Jerome Dalbert</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/ntkme">@ntkme</a> Natsuki Times</li> <li><a href="https://github.com/moofkit">@moofkit</a> Dmitriy Ivliev</li> <li><a href="https://github.com/leetking">@leetking</a> Alpha 0x00</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/jasonkarns">@jasonkarns</a> Jason Karns</li> <li><a href="https://github.com/CorySpitzer">@coryspitzer</a> Cory Spitzer</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/Earlopain">@earlopain</a> Earlopain</li> <li><a href="https://github.com/robbyrussell">@robbyrussell</a> Robby Russell</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a 
href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.17 Released 2024-08-01T00:00:00+00:00 http://blog.rubygems.org/2024/08/01/3.5.17-released <p>RubyGems 3.5.17 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><strong>Enhancements:</strong></p> <ul> <li>Explicitly encode <code class="language-plaintext highlighter-rouge">Gem::Dependency</code> to yaml. Pull request <a href="https://github.com/rubygems/rubygems/pull/7867">#7867</a> by segiddins</li> <li>Installs bundler 2.5.17 as a default gem.</li> </ul> <p><strong>Bug fixes:</strong></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem list</code> regression when a regular gem shadows a default one. Pull request <a href="https://github.com/rubygems/rubygems/pull/7892">#7892</a> by deivid-rodriguez</li> <li>Always leave default gem executables around. Pull request <a href="https://github.com/rubygems/rubygems/pull/7879">#7879</a> by deivid-rodriguez</li> <li>Fix line comment issue for hash when loading gemrc. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7857">#7857</a> by leetking</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.17.tgz<br /> 53c17eae1e7fbe84ad32957137938c08bd0e383f45eda354fc81ad085d56e0ea</li> <li>rubygems-3.5.17.zip<br /> 40cec7dc41030756a36981a6b898e7eded2a9e1c76f56b10cc6cf4f0e1ab2feb</li> <li>rubygems-update-3.5.17.gem<br /> d14b3772bd695a57b39a82317a025f86a3aeecc99fb8ad9f87890f1058688b3a</li> </ul> June 2024 RubyGems Updates 2024-07-23T00:00:00+00:00 http://blog.rubygems.org/2024/07/23/june-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in June.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In June, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3512--2024-06-13">3.5.12</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3513--2024-06-14">3.5.13</a>, and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3514--2024-06-21">3.5.14</a>, and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2512-june-13-2024">2.5.12</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2513-june-14-2024">2.5.13</a>, and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2514-june-21-2024">2.5.14</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. 
Notable improvements include: <a href="https://github.com/rubygems/rubygems/pull/7719">auto-switching to the locked Bundler version</a> even when using <code class="language-plaintext highlighter-rouge">binstubs</code>, a fix for duplicated config keys generated when the <code class="language-plaintext highlighter-rouge">fallback_timeout</code> URI option is used, and a fix for slow and incorrect resolution when adding <code class="language-plaintext highlighter-rouge">sorbet</code> to a Gemfile if the lockfile only includes “RUBY” in the platforms section.</p> <p>Some other important accomplishments from the team this month include:</p> <p><a href="https://github.com/rubygems/rubygems/pull/7707"><strong>A better out of the box experience when creating new gems with <code class="language-plaintext highlighter-rouge">bundle gem</code></strong></a></p> <ul> <li>A user alerted us to a source of friction in the gem creation process: every TODO in the generated gemspec had to be edited before Bundler would run at all, even just to execute the generated placeholder tests.</li> <li>The issue was that values like the gem’s homepage, source code and changelog URIs, while important, are not what users have in mind (yet) when they create a new gem. They just want to start working on it. In many cases entering this information can wait until gem build or push time.</li> <li>The RubyGems validation methods are shared by several consumers (<a href="http://rubygems.org/">RubyGems.org</a>, Bundler and RubyGems itself), so changing them just for Bundler would in effect have relaxed validation everywhere, which was too risky. The alternative, adding a new parameter to <code class="language-plaintext highlighter-rouge">Gem::Specification#validate</code>, felt like complicating things too much. 
So we went with adding a new <code class="language-plaintext highlighter-rouge">Gem::Specification#validate_for_resolution</code> method just for Bundler that skips validations that are non-essential for Bundler to work with a local gemspec.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/6957"><strong>Fixing longstanding issues with plugins by tracking them in the <code class="language-plaintext highlighter-rouge">Gemfile.lock</code> file</strong></a></p> <ul> <li>A couple of frustrations with plugins specified via Gemfile have been coming up for years: they are constantly reinstalled, and they cause unnecessary resolution metadata to be fetched, even in deployment mode. We want to encourage people to create and use Bundler plugins by ensuring they have a smooth usage experience.</li> <li>After a few iterations, we realized we can treat plugins the same as regular gems and therefore avoid all the unnecessary work by having a lockfile. So the solution ended up being simple: including plugins as gems in the lockfile.</li> <li>We need to do some backwards compatibility work around making changes to the lockfile but aside from that, we expect this solution to resolve most of the issues.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7669"><strong>Bundler specs will now use the Compact Index by default</strong></a></p> <ul> <li>As a first step to providing a way to opt in to lockfile checksums, we want to make sure most Bundler specs use the compact index (which exercises checksums under the hood).</li> <li>Bundler specs currently use the fallback to the full index by default. This is a very rare working mode these days since it requires that all dependency APIs fail. In addition to that, the full index does not provide checksums. 
Switching to using the compact index by default will give us confidence to enable lockfile checksums.</li> <li>It was a very big PR with bulk changes migrating from <code class="language-plaintext highlighter-rouge">file://</code> sources that skip dependency APIs to dummy https sources that do exercise the compact index. It was a bit tricky to get everything passing but we trust it is safe as most of the changes are confined to test code.</li> </ul> <p>In June, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-6-01%7D...master@%7B2024-6-31%7D">153 new commits</a> contributed by 18 authors. There were 5,907 additions and 4,833 deletions across 231 files.</p> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for <a href="http://rubygems.org/?ref=rubycentral.org">RubyGems.org</a> in June was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a>, and <a href="https://www.datadoghq.com/?ref=rubycentral.org">DataDog</a>. The following are highlights of what the team worked on this month:</p> <p><strong>RubyGems Organization Accounts</strong></p> <ul> <li>We are building a new feature for <a href="http://RubyGems.org">RubyGems.org</a> that will allow organization accounts, memberships and increased control over gem permissions. 
The feature will give gem owners more precise control over ownership of gems and permissions for organization members.</li> <li>We know that nuance is required when introducing this additional layer of organization into the existing RubyGems.org framework and we plan to introduce the new feature without disrupting existing workflows.</li> <li>This month, we created user flows to identify potential challenges and edge cases, refactored permissions models to use the well-known Pundit gem, and added basic models in preparation for the feature.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/milestone/17"><strong>Aligning Authentication on RubyGems.org with best practices</strong></a></p> <ul> <li>Back in January when we released details about <a href="https://blog.rubygems.org/2024/03/15/password-reset-vulnerability.html">an MFA bypass in the password reset</a> process, it became clear that our MFA strategy was not applied uniformly in a way that helped us reduce mistakes. We have some flows that don’t follow <a href="https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html">OWASP guidelines for password resets</a>, email tokens, or MFA.</li> <li><a href="https://github.com/martinemde">@martinemde</a> has been working to carefully refactor all MFA interaction points in RubyGems.org, increasing test coverage and unifying MFA processes under a single code path. 
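</li> </ul>
<p>The password-reset change described here, and again in the July summary above (no session is created after a reset or an email confirmation), is easiest to see in code. What follows is an added example and not RubyGems.org’s own implementation: a minimal reset flow written to the OWASP guidance the posts cite, with a random single-use token stored only as a digest, a short expiry, and a completion step that returns a redirect to sign-in rather than a session, so that MFA is checked on the one code path that can mint one. The in-memory <code>User</code> struct, the TOTP helper, the token lifetime and the PBKDF2 parameters are assumptions for the example; the pre-fix behaviour is kept as <code>complete_with_auto_sign_in</code> for contrast.</p>

```ruby
require "openssl"
require "securerandom"

# Added example, not RubyGems.org code. In-memory user record; a real app
# persists these fields. session_version lets a reset revoke older sessions.
User = Struct.new(:email, :pw_salt, :pw_hash, :mfa_secret,
                  :reset_digest, :reset_expires_at, :session_version,
                  keyword_init: true)

# Constant-time equality so token and OTP checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

module PasswordAuth
  ITERATIONS = 100_000   # assumption; tune to the hardware budget

  def self.derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: "sha256")
  end

  def self.set_password(user, password)
    user.pw_salt = SecureRandom.random_bytes(16)
    user.pw_hash = derive(password, user.pw_salt)
  end

  def self.password_ok?(user, password)
    secure_equal?(derive(password, user.pw_salt), user.pw_hash)
  end
end

module Totp
  # RFC 6238 TOTP over RFC 4226 HOTP: HMAC-SHA1, 30 s step, 6 digits.
  def self.code(secret, at:, step: 30, digits: 6)
    hmac = OpenSSL::HMAC.digest("SHA1", secret, [at / step].pack("Q>"))
    offset = hmac.getbyte(-1) & 0x0f
    value = hmac[offset, 4].unpack1("N") & 0x7fffffff
    format("%0#{digits}d", value % 10**digits)
  end
end

module ResetFlow
  TOKEN_TTL = 15 * 60   # seconds; assumption

  # Step 1: mint the token that goes into the emailed link. Only its digest is
  # stored, so reading the database does not yield a usable reset link.
  def self.issue(user, now:)
    token = SecureRandom.urlsafe_base64(32)
    user.reset_digest = OpenSSL::Digest::SHA256.digest(token)
    user.reset_expires_at = now + TOKEN_TTL
    token
  end

  # Step 2: consume the token and set the password. On success this returns a
  # redirect to the sign-in page and never a session: that is the change the
  # post describes, and it is what keeps MFA in the loop.
  def self.complete(user, token, new_password, now:)
    return { error: :no_pending_reset } unless user.reset_digest
    if now > user.reset_expires_at
      user.reset_digest = user.reset_expires_at = nil
      return { error: :expired }
    end
    presented = OpenSSL::Digest::SHA256.digest(token.to_s)
    return { error: :bad_token } unless secure_equal?(presented, user.reset_digest)

    user.reset_digest = user.reset_expires_at = nil   # single use
    PasswordAuth.set_password(user, new_password)
    user.session_version += 1                         # revoke sessions issued before the reset
    { redirect_to: "/sign_in" }
  end

  # The pre-fix behaviour, kept for contrast: a successful reset handed back a
  # session directly, so a reset link alone produced a logged-in session and
  # the user's MFA was never consulted.
  def self.complete_with_auto_sign_in(user, token, new_password, now:)
    result = complete(user, token, new_password, now: now)
    return result if result[:error]
    { session: { email: user.email, version: user.session_version } }   # MFA bypassed
  end
end

module SignIn
  # The single code path that may produce a session: password, then MFA.
  def self.call(user, password, otp: nil, now:)
    return { error: :bad_credentials } unless PasswordAuth.password_ok?(user, password)
    if user.mfa_secret
      return { error: :mfa_required } if otp.nil?
      expected = Totp.code(user.mfa_secret, at: now)
      return { error: :bad_otp } unless secure_equal?(expected, otp.to_s)
    end
    { session: { email: user.email, version: user.session_version } }
  end
end
```

<p>The two things to take from the example are structural rather than cryptographic: <code>ResetFlow.complete</code> cannot return a session at all, so no future refactor of the reset page can quietly skip MFA, and every session is stamped with <code>session_version</code>, so a reset also logs out whoever held the old credentials. The legacy method shows how small the original mistake is in code: one extra line after a successful reset, and the second factor is gone.</p>
<ul> <li>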
We have adopted many of the best practices for securing authentication processes as defined by OWASP and other guidelines.</li> <li>For example, we have stopped our previous practice of auto sign-in after password changes or email confirmations, so that every path that can result in a session passes through the full sign-in process, MFA included.</li> </ul> <h2 id="ruby-ecosystem-news">Ruby Ecosystem News</h2> <p>Here we outline additional exciting updates made to other projects in the Ruby Ecosystem.</p> <h3 id="ruby-toolbox">Ruby Toolbox</h3> <p><a href="https://www.ruby-toolbox.com/blog/2024-05-31/devcontainers"><strong>Making local setup and Codespaces-based contributions to the Ruby Toolbox easier</strong></a></p> <ul> <li>Data dumps are quite large nowadays and importing them locally can take hours. It would be helpful to provide a slim data dump for a realistic but small local development dataset, to create a more accessible way of contributing to the site itself.</li> <li><a href="https://github.com/colszowka">@colszowka</a> has added partial production database exports to the Ruby Toolbox, making it easier to get a realistic dataset for development purposes. Alongside this, there is now a devcontainer setup for easier local or browser-based development environment setup, for example using Codespaces.</li> </ul> <p><a href="https://github.com/rubytoolbox/rubytoolbox/issues/1196"><strong>Making historical and recent security advisories for RubyGems visible on the Ruby Toolbox</strong></a></p> <ul> <li>To increase transparency and ensure everyone has the latest database information, work by Christoph is underway to import the Ruby advisory database to the Ruby Toolbox, for displaying security advisories on the site. 
The data is already being imported, with the remaining step being to actually show it on the UI.</li> </ul> <p>In June, <a href="http://rubygems.org/">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-6-01%7D...master@%7B2024-6-31%7D">110 new commits</a> contributed by 11 authors. There were 3,655 additions and 2,518 deletions across 211 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/tompng">@tompng</a> Tomoya Ishida</li> <li><a href="https://github.com/sobrinho">@sobrinho</a> Gabriel Sobrinho</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/MSP-Greg">@MSP-Greg</a> MSP Greg</li> <li><a href="https://github.com/kddnewton">@kddnewton</a> Kevin Newton</li> <li><a href="https://github.com/kateinoigakukun">@kateinoigakukun</a> Yuta Saito</li> <li><a href="https://github.com/Earlopain">@Earlopain</a> Earlopain</li> <li><a href="https://github.com/alexeyschepin">@alexeyschepin</a> Alexey Schepin</li> <li><a href="https://github.com/x-yuri">@x-yuri</a> X Yuri</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/ccmywish">@ccmywish</a> CCMyWish</li> <li><a href="https://github.com/thomasmarshall">@thomasmarshall</a> Thomas Marshall</li> <li><a href="https://github.com/jeromedalbert">@jeromedalbert</a> Jerome Dalbert</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a 
href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/jacklynhma">@jacklynhma</a> Jacklyn Ma</li> <li><a href="https://github.com/nateberkopec">@nateberkopec</a> Nate Berkopec</li> <li><a href="https://github.com/javier-menendez">@javier-menendez</a> Javier Menéndez Rizo</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/robbyrussell">@robbyrussell</a> Robby Russell</li> <li><a href="https://github.com/gemmaro">@gemmaro</a> Gemmaro</li> <li><a href="https://github.com/okuramasafumi">@okuramasafumi</a> Okura Masafumi</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.16 Released 2024-07-18T00:00:00+00:00 http://blog.rubygems.org/2024/07/18/3.5.16-released <p>RubyGems 3.5.16 includes enhancements, bug fixes and performance improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><strong>Enhancements:</strong></p> <ul> <li>Installs bundler 2.5.16 as a default gem.</li> </ul> <p><strong>Bug fixes:</strong></p> <ul> <li>Fix gemspec <code class="language-plaintext highlighter-rouge">require_paths</code> validation. Pull request <a href="https://github.com/rubygems/rubygems/pull/7866">#7866</a> by deivid-rodriguez</li> <li>Fix loading of nested <code class="language-plaintext highlighter-rouge">gemrc</code> config keys when specified as symbols. Pull request <a href="https://github.com/rubygems/rubygems/pull/7851">#7851</a> by moofkit</li> </ul> <p><strong>Performance:</strong></p> <ul> <li>Use <code class="language-plaintext highlighter-rouge">caller_locations</code> instead of splitting <code class="language-plaintext highlighter-rouge">caller</code>. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7708">#7708</a> by nobu</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.16.tgz<br /> 7fd10de9e5e933321b62b8f1194256ae64703ba2541cab91ec31244a018d9012</li> <li>rubygems-3.5.16.zip<br /> 8856502100771ecf0da6fe4cbcf585aaff521fc312fa37731a850c55b67f6c0e</li> <li>rubygems-update-3.5.16.gem<br /> 98c2904749b614a8a838188979b7ecab85f41a633795292ce5697f9461267fba</li> </ul> 3.5.15 Released 2024-07-09T00:00:00+00:00 http://blog.rubygems.org/2024/07/09/3.5.15-released <p>RubyGems 3.5.15 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><strong>Enhancements:</strong></p> <ul> <li>Installs bundler 2.5.15 as a default gem.</li> </ul> <p><strong>Bug fixes:</strong></p> <ul> <li>Restrict generic <code class="language-plaintext highlighter-rouge">arm</code> to only match 32-bit arm. Pull request <a href="https://github.com/rubygems/rubygems/pull/7830">#7830</a> by ntkme</li> <li>Protect creating binstubs with a file lock. Pull request <a href="https://github.com/rubygems/rubygems/pull/7806">#7806</a> by deivid-rodriguez</li> </ul> <p><strong>Documentation:</strong></p> <ul> <li>Make it clearer that <code class="language-plaintext highlighter-rouge">add_dependency</code> is the main way to add non-development dependencies. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7800">#7800</a> by jeromedalbert</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.15.tgz<br /> d086e1c368fd3cbe04ca0f108459d0142d0d57413ae9e1d2ff4b220ebc8e6b87</li> <li>rubygems-3.5.15.zip<br /> b36c1fdef9b3dc37233ff02c441bf1f35f70c2f281bd11bf153e578364e54c52</li> <li>rubygems-update-3.5.15.gem<br /> aa94fc663e445ddaa316e1c1fe2d3cdc6daf036081a05f942b2cafc4e2e1890e</li> </ul> 3.5.14 Released 2024-06-21T00:00:00+00:00 http://blog.rubygems.org/2024/06/21/3.5.14-released <p>RubyGems 3.5.14 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><strong>Enhancements:</strong></p> <ul> <li>Installs bundler 2.5.14 as a default gem.</li> </ul> <p><strong>Bug fixes:</strong></p> <ul> <li>Make “bundler? update --bundler” behave identically. Pull request <a href="https://github.com/rubygems/rubygems/pull/7778">#7778</a> by x-yuri</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.14.tgz<br /> 07a62267f5f282b6d549bccc61dc0295169574cb2fec36b60dc4518fafaf9419</li> <li>rubygems-3.5.14.zip<br /> ea07fdd6e13eb332d3cddaee43560fc84df807bdbee2cdf3920eefeb307d7064</li> <li>rubygems-update-3.5.14.gem<br /> d13ed965479b018d4377bfb815a786de23cc790c544c5177f6b046628e99404e</li> </ul> May 2024 RubyGems Updates 2024-06-17T00:00:00+00:00 http://blog.rubygems.org/2024/06/17/may-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in May.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In May, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3510--2024-05-03">3.5.10</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3511--2024-05-28">3.5.11</a>, and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2510-may-3-2024">2.5.10</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2511-may-28-2024">2.5.11</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems, including: a security update to <a href="https://github.com/rubygems/rubygems/pull/7568">limit the size of the metadata and checksums files</a> in a gem package, a fix for an issue when <a href="https://github.com/rubygems/rubygems/pull/7631">plugin stubs would sometimes not be properly removed</a> by <code class="language-plaintext highlighter-rouge">gem uninstall</code>, the <a href="https://github.com/rubygems/rubygems/pull/7653">deprecation of Bundler constants</a>, and <a href="https://github.com/rubygems/rubygems/pull/7557">the addition of a <code class="language-plaintext highlighter-rouge">--glob</code> flag to <code class="language-plaintext highlighter-rouge">bundle add</code></a>. 
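</p>

<p>The size limit on <code>metadata.gz</code> and <code>checksums.yaml.gz</code> mentioned above, and listed again under the 3.5.10 release notes further down this page, guards against a gem whose metadata entries are large enough, as stored or once inflated, to exhaust memory before the YAML is even parsed. The Ruby below is an added example and not RubyGems' own implementation of that change: it builds a gem-shaped tar in memory from constructed sample entries, then refuses a limited entry that exceeds either an assumed cap on the tar entry size or an assumed cap on the inflated byte count. The cap values, the <code>OversizedEntry</code> error class and the helper names are assumptions for illustration.</p>

```ruby
# Added example (not RubyGems' own code): reject oversized metadata.gz and
# checksums.yaml.gz entries in a .gem archive before their YAML is parsed.
# Cap values, names and sample data below are assumptions for illustration.
require "rubygems/package"
require "stringio"
require "zlib"

MAX_COMPRESSED_BYTES = 64 * 1024   # assumed cap on the tar entry as stored
MAX_INFLATED_BYTES   = 256 * 1024  # assumed cap on the inflated YAML text
LIMITED_ENTRIES = %w[metadata.gz checksums.yaml.gz].freeze

class OversizedEntry < StandardError; end

# Build a minimal .gem-shaped tar in memory (constructed sample, not a real gem):
# the three entries a real gem carries, each gzip-compressed like the real thing.
def build_gem(metadata_yaml, checksums_yaml, data_tar = "")
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    {
      "metadata.gz"       => Zlib.gzip(metadata_yaml),
      "data.tar.gz"       => Zlib.gzip(data_tar),
      "checksums.yaml.gz" => Zlib.gzip(checksums_yaml),
    }.each do |name, bytes|
      tar.add_file_simple(name, 0o644, bytes.bytesize) { |out| out.write(bytes) }
    end
  end
  io.string
end

# Inflate in fixed-size chunks and stop as soon as the cap is exceeded, so a
# few kilobytes of gzip cannot expand into hundreds of megabytes of YAML.
def inflate_limited(gz_bytes, limit)
  out = String.new(encoding: Encoding::BINARY)
  Zlib::GzipReader.wrap(StringIO.new(gz_bytes)) do |gz|
    while (chunk = gz.read(4096))
      out << chunk
      raise OversizedEntry, "inflated entry exceeds #{limit} bytes" if out.bytesize > limit
    end
  end
  out
end

# Returns the inflated YAML text of the limited entries, keyed by entry name.
# Raises OversizedEntry if either cap is exceeded. The tar header size is
# checked before the entry body is read, so an oversized entry is never
# loaded into memory at all; other entries (data.tar.gz) are skipped.
def read_gem_metadata(gem_bytes)
  found = {}
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      next unless LIMITED_ENTRIES.include?(name)
      if entry.size > MAX_COMPRESSED_BYTES
        raise OversizedEntry, "#{name} is #{entry.size} bytes, cap is #{MAX_COMPRESSED_BYTES}"
      end
      found[name] = inflate_limited(entry.read, MAX_INFLATED_BYTES).force_encoding(Encoding::UTF_8)
    end
  end
  found
end

# Accept/reject decision for callers that do not need the YAML itself.
def gem_metadata_within_limits?(gem_bytes)
  read_gem_metadata(gem_bytes)
  true
rescue OversizedEntry
  false
end

if $PROGRAM_NAME == __FILE__
  good = build_gem("--- name: demo\n", "--- SHA256: {}\n")
  puts read_gem_metadata(good).keys.inspect
  # 8 MB of a single repeated byte gzips to a few KB: passes the stored-size
  # cap, is caught by the inflated-size cap.
  bomb = build_gem("a" * (8 * 1024 * 1024), "--- {}\n")
  puts gem_metadata_within_limits?(bomb)
end
```

<p>Checking the tar header size first means an oversized entry is skipped without being read; the chunked inflate catches the other case, a small gzip stream that expands far beyond the cap. Parsing the returned YAML with a restricted loader is a separate step that this example leaves out.</p>

<p>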
Finally, Ngan Pham, software engineer at Gusto, penned this <a href="https://blog.rubygems.org/2024/05/30/bundler-auto-install-just-got-a-whole-lot-better.html">guest blog post</a> on an exciting improvement to <code class="language-plaintext highlighter-rouge">auto_install</code> that <a href="https://github.com/technicalpickles">@technicalpickles</a> implemented, which is also included in this Bundler release.</p> <p>Some other important accomplishments from the team this month include:</p> <p><a href="https://github.com/rubygems/rubygems/pull/7680"><strong>Improve handling of applications with a local cache of gems</strong></a></p> <ul> <li>Recently we fixed some issues for applications with a local cache of gems. Unfortunately these fixes created both functionality and performance regressions with this mode of operation. We worked on fixing these issues while also improving Bundler’s internal code organization.</li> <li>We made handling the type of gems considered by Bundler (locally installed, cached, or remote) more explicit and moved it out of <code class="language-plaintext highlighter-rouge">Bundler::Definition</code>, a class with too many responsibilities. This allowed us to simplify the code and fix reported issues about functionality and performance, improving the RubyGems experience for both users and developers.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7673"><strong>Making default gems behave like regular gems</strong></a></p> <ul> <li>Handling default gems can be challenging even with minor Ruby updates. This can impact Bundler when switching Ruby versions, leading to missing gems.</li> <li>Default gems also require special internal handling. Ideally, we want to treat default gems like regular gems, allowing them to be cached and fully installed in Bundler’s configured path. 
Although we attempted this change for Bundler 2.5, we reverted it just before release due to reports of issues.</li> <li>This time, we’ve tried to learn from past experiences and re-enable the feature, ensuring that default gems are considered a last resort if their regular copies cannot be found. This approach maintains backward compatibility.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7649"><strong>Fixing a shallow clone bug in Bundler git sources</strong></a></p> <ul> <li>Bundling a git source could fail if the git server does not support shallow cloning. This issue was a regression from previous versions of Bundler.</li> <li><a href="https://github.com/llenk">@llenk</a> joined us at RailsConf 2024’s Hack Day and helped work on a fix for this. We focused on a bug report about git sources breaking for some users. <a href="https://github.com/llenk">@llenk</a> developed a solution that first attempts an efficient shallow clone and, if that fails, automatically retries with a full git clone.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7678"><strong>Refactoring the Compact Index Client</strong></a></p> <ul> <li>The <code class="language-plaintext highlighter-rouge">CompactIndexClient</code>, Bundler’s high efficiency gem resolution interface to <a href="http://rubygems.org">rubygems.org</a> and other gem sources, has grown organically over time.</li> <li>Previously we had to refactor the updater to make it compatible with other gem sources and to clarify behavior. 
Increasing the readability of critical code paths makes it easier for new and experienced contributors alike to improve code, find bugs and increase performance.</li> <li>Inspired by memory improvements implemented during RailsConf 2024’s Hack Day, we have refactored the client, improved the cache interfaces and extracted a compact index parser.</li> </ul> <p><a href="https://github.com/rubygems/rubygems/pull/7637"><strong>Improving the memory footprint of <code class="language-plaintext highlighter-rouge">bundle update</code></strong></a></p> <ul> <li>When running <code class="language-plaintext highlighter-rouge">bundle update</code> and parsing the compact index versions file, an inefficiency caused nearly 70MB of unnecessary allocations each time.</li> <li>This issue was discussed during a session at RailsConf 2024, which led <a href="https://github.com/jacklynhma">@jacklynhma</a> to join us during the conference’s Hack Day and help tackle it. We quickly identified a change to reduce the memory footprint of parsing compact index versions: updating cache checksums. 
<a href="https://github.com/jacklynhma">@jacklynhma</a> successfully implemented this improvement.</li> </ul> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>==&gt; after &lt;==
Total allocated: 689.06 MB (9638226 objects)
Total retained: 237.01 MB (2979180 objects)

==&gt; before &lt;==
Total allocated: 755.64 MB (10379242 objects)
Total retained: 236.94 MB (2977745 objects)
</code></pre></div></div> <p><a href="https://github.com/rubygems/rubygems/issues/7681#issuecomment-2125887269"><strong>Fixing a Bundler Error Message Related Bug</strong></a></p> <ul> <li>A user reported that they received a confusing error message during a failed <code class="language-plaintext highlighter-rouge">bundle install</code> of the Crono gem, leading them to open an issue. The error message incorrectly suggested a problem with Bundler, while the actual issue was operating system incompatibility.</li> <li>After collaborating with the user to define the problem, the error message was clarified to accurately reflect the operating system incompatibility issue. It now also provides clear guidance on gem naming to help users resolve the problem.</li> </ul> <p>In May, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-5-01%7D...master@%7B2024-5-31%7D">131 new commits</a> contributed by 18 authors. There were 1,961 additions and 864 deletions across 142 files.</p> <h2 id="rubygemsorg-news"><a href="http://rubygems.org/">RubyGems.org</a> News</h2> <p>The updates made this month to <a href="http://rubygems.org/">RubyGems.org</a> reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. 
Sponsored hosting for <a href="http://rubygems.org/?ref=rubycentral.org">RubyGems.org</a> in May was provided by <a href="https://aws.amazon.com/?ref=rubycentral.org">AWS</a>, <a href="https://www.fastly.com/?ref=rubycentral.org">Fastly</a>, and <a href="https://www.datadoghq.com/?ref=rubycentral.org">DataDog</a>. The following are highlights of what the team worked on this month:</p> <p><a href="https://github.com/rubygems/rubygems.org/pull/4676"><strong>Set up Users for Trusted Publishing at RailsConf 2024</strong></a></p> <ul> <li>At the end of last year we announced the release of <a href="https://blog.rubygems.org/2023/12/14/trusted-publishing.html?ref=rubycentral.org">Trusted Publishing</a>, a new feature that will help make <a href="http://rubygems.org/">RubyGems.org</a> more secure, and make it easier to automate gem publishing.</li> <li>RailsConf 2024’s Hack Day provided contributors with an opportunity to get involved in RubyGems projects and learn how to set up Trusted Publishing. During the event, <a href="https://github.com/segiddins">@segiddins</a> successfully set up a Trusted Publishing API for users, making the process even more accessible.</li> </ul> <p><a href="https://github.com/rubygems/rubygems.org/pull/4716"><strong>Added a timescaledb to RubyGems.org infrastructure</strong></a></p> <ul> <li>Earlier this year we began work on the <a href="https://github.com/rubygems/rubygems.org/issues/4642">metrics project</a>, which seeks to introduce granular tracking of, and insights into, gem downloads for users. To continue momentum on this, we have started the process of adding Timescale DB to the <a href="http://rubygems.org/">RubyGems.org</a> stack. 
We plan to use a separate Timescale instance to hold analytics information, like downloads over time.</li> </ul> <p>In May, <a href="http://rubygems.org/">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-5-01%7D...master@%7B2024-5-31%7D">83 new commits</a> contributed by 11 authors. There were 1,429 additions and 662 deletions across 135 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and <a href="http://rubygems.org/">RubyGems.org</a> for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/kateinoigakukun">@kateinoigakukun</a> Yuta Saito</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> <li><a href="https://github.com/llenk">@llenk</a> Ellen Keal</li> <li><a href="https://github.com/x-yuri">@x-yuri</a> X Yuri</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/jacklynhma">@jacklynhma</a> Jacklyn Ma</li> <li><a href="https://github.com/stomar">@stomar</a> Marcus Stollsteimer</li> <li><a href="https://github.com/dkav">@dkav</a> Darren Kavanagh</li> <li><a href="https://github.com/MSP-Greg">@MSP-Greg</a> MSP Greg</li> <li><a href="https://github.com/pascalbetz">@pascalbetz</a> Pascal Betz</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a 
href="https://github.com/k0kubun">@k0kubun</a> Takashi Kokubun</li> <li><a href="https://github.com/sachin-sandhu">@sachin-sandhu</a> S.Sandhu</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/honeyankit">@honeyankit</a> Ankit Honey</li> <li><a href="https://github.com/JRice">@JRice</a> Jeremy Rice</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to <a href="http://rubygems.org/">RubyGems.org</a>:</h3> <ul> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/jacklynhma">@jacklynhma</a> Jacklyn Ma</li> <li><a href="https://github.com/nateberkopec">@nateberkopec</a> Nate Berkopec</li> <li><a href="https://github.com/javier-menendez">@javier-menendez</a> Javier Menéndez Rizo</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.13 Released 2024-06-14T00:00:00+00:00 http://blog.rubygems.org/2024/06/14/3.5.13-released <p>RubyGems 3.5.13 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.5.13 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Never remove executables that may belong to a default gem. Pull request <a href="https://github.com/rubygems/rubygems/pull/7747">#7747</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.13.tgz<br /> 10a27b5b959e87959a0c86b091cf2b88117b2987c40628a011623aca7fd8ae0b</li> <li>rubygems-3.5.13.zip<br /> 438ccb149aff4ed055afa02170c704f71451658fbf78e7c4003633f71d554513</li> <li>rubygems-update-3.5.13.gem<br /> d66895fea6e7cec14e6a6c26c5ce485b463a73c4be4ee6a5ba4774a7bdd2c0c3</li> </ul> 3.5.12 Released 2024-06-13T00:00:00+00:00 http://blog.rubygems.org/2024/06/13/3.5.12-released <p>RubyGems 3.5.12 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.5.12 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem uninstall</code> unresolved specifications warning. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7667">#7667</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem pristine</code> sometimes failing to pristine user installed gems. Pull request <a href="https://github.com/rubygems/rubygems/pull/7664">#7664</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.12.tgz<br /> 032ee73938e04f99247df5f6c3c262b9dbd67f87cb6d5fe1feeef69526fd21fa</li> <li>rubygems-3.5.12.zip<br /> 9f70f2719c041e6d0c0e948b7f3304a362d0cd9bca203c577854a4b0a68bbdb8</li> <li>rubygems-update-3.5.12.gem<br /> bfa0b7e95272bd578e3e46ca5fe976b49c94ac111eb39a5b6f4124d9630812a7</li> </ul> Bundler Auto-Install Just Got A Whole Lot Better 2024-05-30T00:00:00+00:00 http://blog.rubygems.org/2024/05/30/bundler-auto-install-just-got-a-whole-lot-better <p><em>The RubyGems Team is happy to share this post from our colleague Ngan Pham, Principal Software Engineer @ Gusto. Thank you, Ngan!</em></p> <p>Working in a large monolith with many engineers, you never fail to get a flurry of changes every time you pull from <code class="language-plaintext highlighter-rouge">main</code>. Then you have the typical ritual of running <code class="language-plaintext highlighter-rouge">bundle install</code> and, if you’re on a Rails application, <code class="language-plaintext highlighter-rouge">rails db:prepare</code>. Sometimes, you forget to run <code class="language-plaintext highlighter-rouge">bundle install</code> and get this message:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Could not find X-1.2.3 in locally installed gems
Run `bundle install` to install missing gems.
</code></pre></div></div> <p>As of Bundler 2.5.10, you can now enable the <code class="language-plaintext highlighter-rouge">auto_install</code> config to have Bundler automatically install your bundle on demand. 
Simply set it in your project (or globally) with:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bundle config auto_install true
# or
bundle config --global auto_install true
</code></pre></div></div> <p>Auto-install is not a new concept. Commands like <code class="language-plaintext highlighter-rouge">bundle (show | binstubs | outdated | exec | open | console | license | clean)</code> already benefited from the <code class="language-plaintext highlighter-rouge">auto_install</code> config.</p> <p>However, the <a href="https://github.com/rubygems/rubygems/pull/6561">recent enhancement</a> by <a href="https://github.com/technicalpickles">@technicalpickles</a> made it work with anything that uses <code class="language-plaintext highlighter-rouge">require "bundler/setup"</code>. This means even binstubs (which use <code class="language-plaintext highlighter-rouge">require "bundler/setup"</code> by default) will now <em>just work</em>.</p> <p>It’s a small change but it results in a big quality of life improvement. 
Try it out!</p> <hr /> <p><em>If you would like to share a post about something you love about Bundler or RubyGems on the RubyGems.org blog, we encourage you to <a href="https://github.com/rubygems/rubygems.github.io">contribute here on GitHub</a> or talk to us on the <a href="https://join.slack.com/t/bundler/shared_invite/zt-1rrsuuv3m-OmXKWQf8K6iSla4~F1DBjQ">Bundler Slack</a>.</em></p> 3.5.11 Released 2024-05-28T00:00:00+00:00 http://blog.rubygems.org/2024/05/28/3.5.11-released <p>RubyGems 3.5.11 includes enhancements, bug fixes, performance and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Update SPDX license list as of 2024-05-22. Pull request <a href="https://github.com/rubygems/rubygems/pull/7689">#7689</a> by github-actions[bot]</li> <li>Fix the update_rubygems inconsistency (--disable-gems). Pull request <a href="https://github.com/rubygems/rubygems/pull/7658">#7658</a> by x-yuri</li> <li>Accept WASI as an OS name in Gem::Platform. Pull request <a href="https://github.com/rubygems/rubygems/pull/7629">#7629</a> by kateinoigakukun</li> <li>Warn if RubyGems version explicitly set in gemspec does not match running version. Pull request <a href="https://github.com/rubygems/rubygems/pull/7460">#7460</a> by deivid-rodriguez</li> <li>Installs bundler 2.5.11 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix binstubs sometimes not getting regenerated when <code class="language-plaintext highlighter-rouge">--destdir</code> is given. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7660">#7660</a> by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem uninstall --user-install</code> for symlinked HOME. Pull request <a href="https://github.com/rubygems/rubygems/pull/7645">#7645</a> by deivid-rodriguez</li> <li>Fix issue when plugin stubs would sometimes not be properly removed by <code class="language-plaintext highlighter-rouge">gem uninstall</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/7631">#7631</a> by deivid-rodriguez</li> <li>Fix plugins uninstallation for user installed gems. Pull request <a href="https://github.com/rubygems/rubygems/pull/6456">#6456</a> by voxik</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Use a constant empty tar header to avoid extra allocations. Pull request <a href="https://github.com/rubygems/rubygems/pull/7484">#7484</a> by segiddins</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Recommend <code class="language-plaintext highlighter-rouge">bin/rake</code> over <code class="language-plaintext highlighter-rouge">rake</code> in contributing docs. Pull request <a href="https://github.com/rubygems/rubygems/pull/7648">#7648</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.11.tgz<br /> 4521b52f843620a9fc5ca7414526b7463b0989564c3ae80b26b68fbd1304c818</li> <li>rubygems-3.5.11.zip<br /> 8fe8ec3045694e64b2d3c8536ed3ae5be381e8808c97243ed46df51d98e602ea</li> <li>rubygems-update-3.5.11.gem<br /> bbcaac7ec271dab3aa615ce12a97931befc2c3279c4d9a37f44b95839011f41a</li> </ul> April 2024 RubyGems Updates 2024-05-15T00:00:00+00:00 http://blog.rubygems.org/2024/05/15/april-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in April.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In April, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#358--2024-04-11">3.5.8</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#359--2024-04-12">3.5.9</a>, and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#258-april-11-2024">2.5.8</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#259-april-12-2024">2.5.9</a>. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems, including: a security improvement that adheres to <a href="https://github.com/rubygems/rubygems/pull/7518">global <code class="language-plaintext highlighter-rouge">umask</code> settings when writing files</a>, a fix for the <a href="https://github.com/rubygems/rubygems/pull/7539"><code class="language-plaintext highlighter-rouge">NoMethodError</code> crash linked to issues with corrupt package files</a>, and a resolution for an error message problem in the resolver <a href="https://github.com/rubygems/rubygems/pull/7527">when it runs out of versions due to the use of <code class="language-plaintext highlighter-rouge">--strict --patch</code> filters</a>.</p> <p>Some other important accomplishments from the team this month include:</p> <p><strong><a href="https://github.com/rubygems/rubygems/pull/7560">Making Avoiding Writing Credentials to Lockfiles the Default</a></strong></p> <ul> <li>In an effort to enhance security and prevent users from accidentally sharing credentials publicly, Bundler now avoids writing gem source credentials to the lockfile by default.</li> <li>Credentials only ended up in the lockfile when users put them directly into a source URL in their Gemfile, a practice we do not recommend. 
Keep them in Bundler’s settings (<code class="language-plaintext highlighter-rouge">bundle config</code>) instead; settings are read at install time and are never written to the lockfile.</li> <li>Some users reference an environment variable from the Gemfile instead. Whichever way credentials are supplied, Bundler now consistently keeps them out of the lockfile and reads them from the configuration or from the Gemfile itself when needed.</li> </ul> <p><strong><a href="https://github.com/rubygems/rubygems/pull/7558">Making <code class="language-plaintext highlighter-rouge">bundle update specific_gems</code> Smarter</a></strong></p> <ul> <li>For years, reports have indicated that <code class="language-plaintext highlighter-rouge">bundle update gem</code> does not consistently update the gem to its latest available version. Users find that if they delete their lockfile, specify the desired version in the Gemfile, or run <code class="language-plaintext highlighter-rouge">bundle install</code>, the gem updates as expected. Ideally, such steps shouldn’t be necessary for updating a gem: <code class="language-plaintext highlighter-rouge">bundle update gem</code> should suffice.</li> <li>This is also why dependency bots like Dependabot sometimes fail to create PRs to address security alerts. The challenge is that upgrading one gem may require upgrading others to prevent version conflicts. 
<code class="language-plaintext highlighter-rouge">bundle update gem</code> currently lacks the capability to handle this complexity.</li> <li>To address this, I implemented a fix where a full <code class="language-plaintext highlighter-rouge">bundle update</code> is first executed to determine the latest resolvable versions, followed by a targeted update that forces these versions, allowing the resolver to manage any conflicts by unlocking conflicting dependencies.</li> </ul> <p><strong><a href="https://github.com/rubygems/rubygems/pull/7583">Resolving Musl Platform Issues for RubyGems and Bundler</a></strong></p> <ul> <li>Since introducing support for the musl platform, there have been various issues and regressions with it, leading to hesitancy among gem authors about releasing musl variants. The maintainer of Nokogiri has been actively identifying these issues, including a critical problem he believes to be the last barrier to fully supporting musl precompiled gems. Addressing this issue seemed necessary.</li> <li>The non-transitivity of <code class="language-plaintext highlighter-rouge">Gem::Platform#===</code> with musl was causing missing platforms in the lockfile, leading to resolution errors. The issue has been resolved by specifically accommodating the unique aspects of musl when removing invalid platforms from the lockfile.</li> </ul> <p>In April, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-4-01%7D...master@%7B2024-4-31%7D">106 new commits</a> contributed by 13 authors. 
There were 1,175 additions and 797 deletions across 106 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform.</p> <p>The following are highlights of what the team worked on this month:</p> <p><strong><a href="https://github.com/rubygems/rubygems.org/pull/4599">Re-introducing Avatars to RubyGems.org</a></strong></p> <ul> <li>Originally, profile images were removed from RubyGems.org due to privacy concerns: linking directly to Gravatar exposed a hash of each user’s email address in the image URL, leading to complaints. This change, however, made the site appear anonymous, diminishing the perceived trustworthiness of gem info pages.</li> <li>To address this issue, <a href="https://github.com/segiddins">@segiddins</a> has developed a solution that allows images to be safely displayed without compromising privacy. This new method proxies images through RubyGems.org, so visitors’ browsers never see the Gravatar URL derived from the user’s email, maintaining user privacy while enhancing the visual appeal and trust of the platform.</li> </ul> <p><strong><a href="https://github.com/rubygems/rubygems.org/pull/4631">Adding RubyGems Yank Limits</a></strong></p> <ul> <li>To reduce the likelihood of disruption caused by a left-pad-like package removal, we’ve introduced limits on deleting old or highly downloaded gems.</li> <li>Gem deletions are now primarily for immediate fixes of newly released but broken gems, where reverting is the best solution. For other issues, the recommended approach is to release a new version.</li> <li>We’ve set a provisional limit on gems that can be yanked without a public review to avoid premature exposure. 
This policy affects gems with over 100,000 downloads or those older than 30 days, aligning more closely with other ecosystems that restrict deletions.</li> <li>We will adjust the policy based on feedback and continue to coordinate yank requests through RubyGems staff, balancing the needs of maintainers and the wider community.</li> </ul> <p><strong><a href="https://github.com/rubygems/rubygems.org/pull/4613">An Upgraded Search System from OpenSearch v1 to v2</a></strong></p> <ul> <li>The upgrade from OpenSearch v1 to v2 allows us to benefit from new updates, features, and enhancements.</li> <li>Additionally, the introduction of High Availability ensures that our search functionality will remain operational even if an AWS Availability Zone (data center) goes offline, providing a robust and resilient service.</li> </ul> <p>In April, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-4-01%7D...master@%7B2024-4-31%7D">82 new commits</a> contributed by 10 authors. There were 1,111 additions and 761 deletions across 150 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! 
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/andyw8">@andyw8</a> Andy Waite</li> <li><a href="https://github.com/ccutrer">@ccutrer</a> Cody Cutrer</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/fatkodima">@fatkodima</a> Fatkodima</li> <li><a href="https://github.com/flavorjones">@flavorjones</a> Mike Dalessio</li> <li><a href="https://github.com/Fryguy">@fryguy</a> Jason Frey</li> <li><a href="https://github.com/gdubicki">@gdubicki</a> Greg Dubicki</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/ilyazub">@ilyazub</a> ilyazub</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/mensfeld">@mensfeld</a> Maciej Mensfeld</li> <li><a href="https://github.com/ngan">@ngan</a> Ngan Pham</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/technicalpickles">@technicalpickles</a> Josh Nichols</li> <li><a href="https://github.com/thedavemarshall">@thedavemarshall</a> Dave Marshall</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/ahangarha">@ahangarha</a> Mostafa Ahangarha</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/dancristianb">@dancristianb</a> Dancristianb</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> 
<li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/javier-menendez">@javier-menendez</a> Javier Menéndez Rizo</li> <li><a href="https://github.com/markets">@markets</a> Marc Anguera</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> </ul> <p><em>If we missed you, please let us know so we can include you in our shout out!</em></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.10 Released 2024-05-03T00:00:00+00:00 http://blog.rubygems.org/2024/05/03/3.5.10-released <p>RubyGems 3.5.10 includes security, enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Security:</em></p> <ul> <li>Add a limit to the size of the metadata and checksums files in a gem package. Pull request <a href="https://github.com/rubygems/rubygems/pull/7568">#7568</a> by segiddins</li> </ul> <p><em>## Enhancements:</em></p> <ul> <li>Don’t fully require <code class="language-plaintext highlighter-rouge">rubygems</code> from <code class="language-plaintext highlighter-rouge">rubygems/package</code> to prevent some circular require warnings when using Bundler. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7612">#7612</a> by deivid-rodriguez</li> <li>Installs bundler 2.5.10 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Rename credential email to identifier in WebAuthn poller. Pull request <a href="https://github.com/rubygems/rubygems/pull/7623">#7623</a> by jenshenny</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.10.tgz<br /> bbabd26611ff450cafe8a79368e649ae8da90fb1665fcb198a36dfafbd266db5</li> <li>rubygems-3.5.10.zip<br /> 59eb2934a3c0e90a33f8159559ebe3eea1413a3c6b5ce1a98367d9e86133b976</li> <li>rubygems-update-3.5.10.gem<br /> 5c9f1fdef208b335fcac0bf3e532b4a65b3c73cbb562c332737f9a2f4a65ba20</li> </ul> The Implications of Crypto Rewards on RubyGems.org 2024-04-14T00:00:00+00:00 http://blog.rubygems.org/2024/04/14/the-implications-of-crypto-rewards-on-rubygems_org <p>Recently, at <a href="https://rubygems.org/">RubyGems.org</a>, we’ve encountered an unusual surge of empty packages, triggering an investigation by our team. This influx of pointless gems, referencing one of the reasonably popular packages, hinted at an attempt to manipulate the <code class="language-plaintext highlighter-rouge">tea.xyz</code> protocol. As with any potentially risky incident, we delved deeper into the motives and mechanics behind these submissions. This short article contains our investigation, the conclusions we’ve reached, and how, theoretically, individuals looking to abuse the system can distort the idea of rewarding OSS contributions.</p> <h2 id="teaxyz-trigger"><code class="language-plaintext highlighter-rouge">tea.xyz</code> Trigger</h2> <p>The <code class="language-plaintext highlighter-rouge">tea.xyz</code> cryptocurrency creators claim that it came to life to enhance the sustainability of open-source software by rewarding projects based on their influence in the software ecosystem. 
It claims to utilize a ‘Proof of Contribution’ system, inspired by Google’s PageRank, to measure the impact of various OSS packages.</p> <h2 id="the-unintended-consequences">The Unintended Consequences</h2> <p>However, good intentions often come with challenges. At RubyGems.org, we began noticing a strange trend: the proliferation of empty gems. These gems weren’t harmful per se but were peculiar in their consistent reference to a mildly popular OSS package.</p> <h2 id="investigating-the-anomalies">Investigating the Anomalies</h2> <p>As with any deviation in the ecosystem, we began an investigation. We considered multiple scenarios:</p> <ul> <li>A spam attack to overwhelm our system.</li> <li>A cover for malicious activities.</li> <li>A scheme to manipulate the tea.xyz ranking system.</li> </ul> <p>What struck us was that many of these gems were published under accounts with otherwise legitimate packages.</p> <p>Digging deeper, we discovered that these accounts were linked to a gem with over 100,000 downloads, which had its GitHub source changed after six years to include a <code class="language-plaintext highlighter-rouge">tea.yaml</code> file. This was a moment in our investigation that suggested the activities were aimed at exploiting the tea.xyz protocol rather than harming our ecosystem.</p> <h2 id="addressing-the-issue">Addressing the Issue</h2> <p>This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor, temporary delays in gem index updates. 
We also took strict action against accounts solely created for spamming, ensuring they didn’t disrupt the community further.</p> <h2 id="conclusion-and-appeal">Conclusion and Appeal</h2> <p>While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms, as detailed by this <a href="https://www.web3isgoinggreat.com/?id=teaxyz-spam">web3isgoinggreat.com article</a>. At RubyGems.org, we’ve encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report. The RubyGems.org team takes these incidents seriously and accounts found violating terms or abusing the service will be blocked and ownership access revoked.</p> March 2024 RubyGems Updates 2024-04-12T00:00:00+00:00 http://blog.rubygems.org/2024/04/12/march-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in March.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month, RubyGems released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#357--2024-03-22">3.5.7</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#257-march-22-2024">2.5.7</a>. These updates introduce a range of enhancements and bug fixes, all aimed at enhancing the developer experience. 
They include: <a href="https://github.com/rubygems/rubygems/pull/7464">the introduction of an attribute</a> in <code class="language-plaintext highlighter-rouge">Gem::SafeYAML.safe_load</code> to control whether YAML aliases are enabled, <a href="https://github.com/rubygems/rubygems/pull/5010">a warning mechanism</a> for when the <code class="language-plaintext highlighter-rouge">required_ruby_version</code> specification attribute is empty, and <a href="https://github.com/rubygems/rubygems/pull/7478">the removal of unnecessary configurations</a> in the RuboCop setup generated by <code class="language-plaintext highlighter-rouge">bundle gem</code>.</p> <p>Some other important accomplishments from the team this month include:</p> <p><strong><a href="https://github.com/rubygems/rubygems/pull/7518">Making <code class="language-plaintext highlighter-rouge">gem install</code> respect the umask of the target system</a>:</strong></p> <ul> <li>The goal of this change is to address the issue where RubyGems may install files with permissions that are broader than desired, giving write permissions to users other than the current user. This issue arises when the original packaging of files includes these broad permissions, likely due to an unsafe umask set by the gem’s author.</li> <li>The solution implemented by <a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> was to adopt a more straightforward approach than the previous attempt (which was reverted due to test failures in <code class="language-plaintext highlighter-rouge">ruby core</code>) by applying the target system’s umask to regular files (excluding directories) before setting their permissions.</li> </ul> <p><strong><a href="https://github.com/rubygems/rubygems/pull/7516">Fixed Bundler’s application cache misuse</a>:</strong></p> <ul> <li>This update resolves an issue in how Bundler was using its cache, leading to odd behavior. 
Users were seeing unusual updates, like Bundler claiming it was updating to versions that didn’t actually exist (for example, “Updating to 3.0.9”).</li> <li>The problem was rooted in how Bundler managed cached gems. These gems were mistakenly being considered in situations they shouldn’t have been, which caused not only strange messages but also errors in the lockfile, such as gems appearing under incorrect sources.</li> <li>The solution implemented ensures that cached gems are kept separate from those available online, preventing the confusion that was causing these issues. This approach helps maintain clarity and accuracy in Bundler’s operations.</li> </ul> <p>In March, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-3-01%7D...master@%7B2024-3-31%7D">67 new commits</a> contributed by 13 authors. There were 934 additions and 194 deletions across 92 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>March’s updates to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform.</p> <p>The following are highlights of what the team worked on this month:</p> <p><strong><a href="https://github.com/rubygems/pg-major-update">Major PostgreSQL zero downtime upgrade</a></strong>:</p> <ul> <li>This significant update was carried out to ensure that application dependencies remain up-to-date. Notably, this is the second upgrade effort, moving from PostgreSQL version 12 to 13, following the original upgrade to version 12 in response to the end of life (EOL) for PostgreSQL 11 on Amazon RDS.</li> <li>The upgrade process utilized <code class="language-plaintext highlighter-rouge">pgbouncer</code> and a manually managed blue/green environment to achieve zero downtime. 
For detailed scripts and an explanation of the procedure, visit the <a href="https://github.com/rubygems/pg-major-update">project’s GitHub page</a>.</li> <li>A blog post with additional details will be released soon.</li> </ul> <p>In March, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-3-01%7D...master@%7B2024-3-31%7D">69 new commits</a> contributed by 12 authors. There were 466 additions and 1,263 deletions across 75 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/kateinoigakukun">@kateinoigakukun</a> Yuta Saito</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/cuishuang">@cuishuang</a> Cui Fliter</li> <li><a href="https://github.com/jez">@jez</a> Jake Zimmerman</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/agrobbin">@agrobbin</a> Alex Robbin</li> <li><a href="https://github.com/ccutrer">@ccutrer</a> Cody Cutrer</li> <li><a href="https://github.com/JaneScarlet">@JaneScarlet</a> Amanda JC</li> <li><a href="https://github.com/doodzik">@doodzik</a> Frederik Dudzik</li> <li><a href="https://github.com/marcandre">@marcandre</a> Marc-André Lafortune</li> <li><a href="https://github.com/dduugg">@dduugg</a> Douglas Eichelberger</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a 
href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/jgarber623">@jgarber623</a> Jason Garber</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/spk">@spk</a> Laurent Arnoud</li> <li><a href="https://github.com/bradly">@bradly</a> Bradly Feeley</li> <li><a href="https://github.com/joeldrapper">@joeldrapper</a> Joel Drapper</li> <li><a href="https://github.com/ytjmt">@ytjmt</a> Yuki Tsujimoto</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.9 Released 2024-04-12T00:00:00+00:00 http://blog.rubygems.org/2024/04/12/3.5.9-released <p>RubyGems 3.5.9 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.5.9 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.9.tgz<br /> 2b203642191e6bb9ece19075f62275a88526319b124684c46667415dca4363f1</li> <li>rubygems-3.5.9.zip<br /> e84246e89ddd8ac14844fc289e5c863346c67fdaa898c88a55438943397993b6</li> <li>rubygems-update-3.5.9.gem<br /> 4825e486c53db8885978f5892357fd7c2c8bebb39601d66e24e9c2fe1d891cbd</li> </ul> 3.5.8 Released 2024-04-11T00:00:00+00:00 
http://blog.rubygems.org/2024/04/11/3.5.8-released <p>RubyGems 3.5.8 includes security, enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Security:</em></p> <ul> <li>Respect global umask when writing regular files. Pull request <a href="https://github.com/rubygems/rubygems/pull/7518">#7518</a> by deivid-rodriguez</li> </ul> <p><em>## Enhancements:</em></p> <ul> <li>Allow string keys with gemrc. Pull request <a href="https://github.com/rubygems/rubygems/pull/7543">#7543</a> by hsbt</li> <li>[Experimental] Add “gem rebuild” command. Pull request <a href="https://github.com/rubygems/rubygems/pull/4913">#4913</a> by duckinator</li> <li>Installs bundler 2.5.8 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix NoMethodError crash when building errors about corrupt package files. Pull request <a href="https://github.com/rubygems/rubygems/pull/7539">#7539</a> by jez</li> <li>Fix resolver to properly intersect Arrays of <code class="language-plaintext highlighter-rouge">Gem::Resolver::Activation</code> objects. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7537">#7537</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.8.tgz<br /> 6ddd48fc8c53ec303b24b7517a6102477463c992936174f828cc2eab9ecb6055</li> <li>rubygems-3.5.8.zip<br /> e91afd4d68345dbba856c4c912754ad73d20ee07d86cbd5373ef77dddd971ad1</li> <li>rubygems-update-3.5.8.gem<br /> 66ae3ab9b1063e6a301de73d92f744683a2c2ae4a296ecb47b869b6846e6ecfb</li> </ul> RubyGems is not vulnerable to the xz/liblzma backdoor 2024-03-31T00:00:00+00:00 http://blog.rubygems.org/2024/03/31/rubygems-and-xz <p>The past few days have seen the security world focused on the revelation of the <a href="https://xeiaso.net/notes/2024/xz-vuln/">xz/liblzma backdoor</a>. For more background, see <a href="https://xeiaso.net/notes/2024/xz-vuln/">this early writeup of the issue</a>, <a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">this GitHub Gist</a>, <a href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor">this detailed timeline</a>, and the official detail page for <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094">CVE-2024-3094</a>.</p> <p>In response to the backdoor becoming public, we have done an internal audit not just of the software used to run RubyGems.org itself, but also every gem that has ever been published.</p> <p>We are happy to report that RubyGems.org is not vulnerable to this issue. Furthermore, we are happy to confirm that no gem currently published on RubyGems.org contains the vulnerable <code class="language-plaintext highlighter-rouge">liblzma</code> library.</p> <p>I would like to thank the rest of the RubyGems.org security team for their support in this investigation, and for their continued dedication to the security of the ecosystem. 
I would also like to thank AWS for their continued support of RubyGems security, including sponsoring me as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central’s security engineer in residence</a>, as well as funding the <a href="https://github.com/segiddins/rubygems-research">rubygems-research</a> project.</p> <p>Thanks to the data consolidated in that project (available publicly at <a href="https://research.rubygems.info">research.rubygems.info</a>), we were able to quickly confirm that no currently published gems contain any references to the vulnerable <code class="language-plaintext highlighter-rouge">liblzma</code> library.</p> <h3 id="technical-details">Technical Details</h3> <p>The RubyGems.org app containers, built <a href="https://github.com/rubygems/rubygems.org/blob/master/Dockerfile">via Dockerfile</a>, do not contain vulnerable versions of <code class="language-plaintext highlighter-rouge">liblzma</code> nor <code class="language-plaintext highlighter-rouge">xz</code>. Our images are based on <a href="https://github.com/rubygems/rubygems.org/blob/master/Dockerfile#L5">Alpine 3.18 stable</a>, which never contained or had access to the vulnerable library version. In addition, Alpine Linux uses the <code class="language-plaintext highlighter-rouge">musl</code> libc, which does not contain the (glibc-only) <a href="https://sourceware.org/glibc/wiki/GNU_IFUNC">IFUNC mechanism</a> used to activate the backdoor.</p> <p>Our process for building the containers deployed to production is public, run via GitHub Actions after every commit to the public RubyGems.org codebase. 
The <a href="https://github.com/rubygems/rubygems.org/actions/runs/8498544592/job/23278360812">latest container build job logs</a> can be used to reproduce the build by any interested parties.</p> <p>As verified by running <code class="language-plaintext highlighter-rouge">find / -name '*lzma*'</code> in our built containers, we depend only on version 5.4.3 and not on the vulnerable versions 5.6.0 or 5.6.1.</p> <details> <summary>Full command output</summary> <pre><code>$ find / -name '*lzma*'
/usr/bin/lzma
/usr/bin/unlzma
/usr/lib/liblzma.so.5
/usr/lib/liblzma.so.5.4.3
/app/vendor/ruby/3.3.0/gems/bindata-2.5.0/lib/bindata/transform/lzma.rb
$ find / -name '*xz*'
/sys/module/xz_dec
/usr/bin/unxz
/usr/bin/xzcat
/app/vendor/ruby/3.3.0/gems/bindata-2.5.0/lib/bindata/transform/xz.rb
</code></pre> </details> <p>As of March 31st 2024, the only gem on RubyGems.org that contains <code class="language-plaintext highlighter-rouge">liblzma</code> is the <a href="https://rubygems.org/gems/liblzma">gem also named liblzma</a>. That gem contains only versions 0.2 and 0.3 of the library, which do not contain the backdoor. 
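</p>
<p>The version check above, as an added example that is not part of the blog post or the rubygems.org code base: it parses <code>find</code> output of the shape shown, pulls the full soname version out of every <code>liblzma.so.X.Y.Z</code> it finds, compares it with <code>Gem::Version</code>, and flags the two release versions named in CVE-2024-3094. The two sample listings are constructed for the demo (the second is what a host that had pulled a tampered build would show), and <code>classify_liblzma</code> and <code>liblzma_clean?</code> are names chosen here.</p>

```ruby
# Added example (not from the RubyGems blog post or the rubygems.org code base):
# scan `find / -name '*lzma*'` output for liblzma shared objects and flag the
# release versions named in CVE-2024-3094. All sample input below is constructed.
require "rubygems" # for Gem::Version

BACKDOORED_XZ_VERSIONS = %w[5.6.0 5.6.1].map { |v| Gem::Version.new(v) }.freeze

# Matches a fully versioned soname such as liblzma.so.5.4.3 and captures "5.4.3".
# Bare sonames like liblzma.so.5 are symlinks carrying no version and are skipped.
LIBLZMA_SONAME = %r{/liblzma\.so\.(\d+\.\d+\.\d+)\z}

# Returns one hash per fully versioned liblzma found, with :path,
# :version (a Gem::Version) and :backdoored (true when it is a flagged version).
def classify_liblzma(find_output)
  find_output.each_line.filter_map do |line|
    path = line.strip
    m = LIBLZMA_SONAME.match(path) or next
    version = Gem::Version.new(m[1])
    { path: path, version: version, backdoored: BACKDOORED_XZ_VERSIONS.include?(version) }
  end
end

# True when no flagged liblzma version is present in the listing.
def liblzma_clean?(find_output)
  classify_liblzma(find_output).none? { |h| h[:backdoored] }
end

# Constructed sample, modelled on the shape of the container listing in the post.
CLEAN_CONTAINER = <<~OUT
  /usr/bin/lzma
  /usr/bin/unlzma
  /usr/lib/liblzma.so.5
  /usr/lib/liblzma.so.5.4.3
  /app/vendor/ruby/3.3.0/gems/bindata-2.5.0/lib/bindata/transform/lzma.rb
OUT

# Constructed sample: a host that had installed one of the flagged releases.
SUSPECT_HOST = <<~OUT
  /usr/lib/x86_64-linux-gnu/liblzma.so.5
  /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
OUT

if $PROGRAM_NAME == __FILE__
  [CLEAN_CONTAINER, SUSPECT_HOST].each do |listing|
    classify_liblzma(listing).each do |h|
      puts "#{h[:path]}: #{h[:backdoored] ? 'FLAGGED' : 'ok'}"
    end
  end
end
```

<p>A listing that contains only the bare <code>liblzma.so.5</code> symlink produces no finding at all, which is a gap rather than a clean result: the check reports on fully versioned files only, so a host like that still needs to be inspected another way, for example through the package manager's installed version of <code>xz</code>.</p>
<p>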
There are zero gems that contain the <code class="language-plaintext highlighter-rouge">xz</code> command-line tool.</p> <details> <summary>Full command output</summary> <pre><code>irb(main):005&gt; attrs = ['version_data_entries.full_name', 'rubygems.name', 'versions.number', 'versions.platform', 'versions.uploaded_at']
=&gt; ["version_data_entries.full_name", "rubygems.name", "versions.number", "versions.platform", "versions.uploaded_at"]
irb(main):006&gt; VersionDataEntry.where('version_data_entries.name LIKE ?', 'liblzma%.so').joins(:version, :rubygem).pluck(*attrs).map { |p| attrs.zip(p).to_h }
=&gt; [{"version_data_entries.full_name"=&gt;"lib/liblzma.so", "rubygems.name"=&gt;"liblzma", "versions.number"=&gt;"0.2", "versions.platform"=&gt;"mingw32", "versions.uploaded_at"=&gt;Sat, 31 Mar 2012 05:57:47.212691000 UTC +00:00},
 {"version_data_entries.full_name"=&gt;"lib/1.9.1/liblzma.so", "rubygems.name"=&gt;"liblzma", "versions.number"=&gt;"0.3", "versions.platform"=&gt;"x86-mingw32", "versions.uploaded_at"=&gt;Thu, 21 Feb 2013 13:21:51.961608000 UTC +00:00},
 {"version_data_entries.full_name"=&gt;"lib/2.0.0/liblzma.so", "rubygems.name"=&gt;"liblzma", "versions.number"=&gt;"0.3", "versions.platform"=&gt;"x86-mingw32", "versions.uploaded_at"=&gt;Thu, 21 Feb 2013 13:21:51.961608000 UTC +00:00}]
irb(main):008&gt; VersionDataEntry.where('version_data_entries.name = ?', 'xz').joins(:version, :rubygem).pluck(*attrs).map { |p| attrs.zip(p).to_h }
=&gt; []
</code></pre> </details> 3.5.7 Released 2024-03-22T00:00:00+00:00 http://blog.rubygems.org/2024/03/22/3.5.7-released <p>RubyGems 3.5.7 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## 
Enhancements:</em></p> <ul> <li>Warn on empty or open required_ruby_version specification attribute. Pull request <a href="https://github.com/rubygems/rubygems/pull/5010">#5010</a> by simi</li> <li>Control whether YAML aliases are enabled in Gem::SafeYAML.safe_load via attribute. Pull request <a href="https://github.com/rubygems/rubygems/pull/7464">#7464</a> by segiddins</li> <li>Update SPDX license list as of 2024-02-08. Pull request <a href="https://github.com/rubygems/rubygems/pull/7468">#7468</a> by github-actions[bot]</li> <li>Installs bundler 2.5.7 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Allow prerelease activation (even if requirement is not explicit about it) when it’s the only possibility. Pull request <a href="https://github.com/rubygems/rubygems/pull/7428">#7428</a> by kimesf</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix a typo. Pull request <a href="https://github.com/rubygems/rubygems/pull/7505">#7505</a> by hsbt</li> <li>Use https instead of http in documentation links. Pull request <a href="https://github.com/rubygems/rubygems/pull/7481">#7481</a> by hsbt</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.7.tgz<br /> c3d04a204d2f7265fe9a6b43a85d6d227869947741a24d56e51d7136d4629e39</li> <li>rubygems-3.5.7.zip<br /> 6f52ef49fd85e3582a98ad26c00949797faf496f25b2f726e419f81fbc180f16</li> <li>rubygems-update-3.5.7.gem<br /> d76a7f0f85b843bf35798fcd851335975ae5473c25b5f6a9bf507f74ae9f7579</li> </ul> February 2024 RubyGems Updates 2024-03-21T00:00:00+00:00 http://blog.rubygems.org/2024/03/21/february-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in February.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month, RubyGems released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#356--2024-02-06">3.5.6</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#256-february-6-2024">2.5.6</a>. These updates include enhancements such as <a href="https://github.com/rubygems/rubygems/pull/7439">improved deep copy requirements in <code class="language-plaintext highlighter-rouge">Gem::Specification</code> and <code class="language-plaintext highlighter-rouge">Gem::Requirement</code> specifications</a>, and <a href="https://github.com/rubygems/rubygems/pull/7342">improvements to the gem login scope</a>. These efforts are part of our ongoing commitment to improving the RubyGems development experience.</p> <p>Another accomplishment from the team this month:</p> <p><strong><a href="https://github.com/rubygems/rubygems/pull/4913">Merging a new <code class="language-plaintext highlighter-rouge">gem rebuild</code> command</a></strong></p> <ul> <li>The goal of this feature was to help create a simplified version of gem rebuild command as a standalone tool, so reproducible builds are available for existing RubyGems versions (since RubyGems versions have to match a build to be reproduced properly). The process involved setting up reproducible gem builds as a default, and including the <code class="language-plaintext highlighter-rouge">Gem.source_date_epoch</code> value into the metadata of built gems.</li> <li>The groundwork for this command involved a preliminary rebuild script to assess reproducibility requirements. 
Special thanks to <a href="https://github.com/duckinator">@duckinator</a> for their significant contributions in developing this feature.</li> </ul> <p>In February, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-2-01%7D...master@%7B2024-2-31%7D">97 new commits</a> contributed by 16 authors. There were 691 additions and 329 deletions across 120 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>February’s updates to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform.</p> <p>The following are highlights of what the team worked on this month:</p> <p><strong>Converted Rubygems.org to Importmap + Stimulus Controllers</strong></p> <ul> <li>The goal of adding stimulus controllers is to enable a modern, faster and simpler development experience for devs and bring us all the way to the most modern Rails default.</li> <li>We introduced <code class="language-plaintext highlighter-rouge">importmaps</code> on RubyGems.org last month to set us up for adding stimulus controllers. This entailed <a href="https://github.com/rubygems/rubygems.org/pull/4396">first creating a foundation for import map changes</a> - the first stage of which was a <a href="https://github.com/rubygems/rubygems.org/pull/4123">migration to <code class="language-plaintext highlighter-rouge">propshaft</code></a>, allowing us to avoid Node entirely for our assets and still use and update npm packages for JS. 
The second stage was creating a separate pull request for the import map changes.</li> <li>We’ve now begun implementing changes, <a href="https://github.com/rubygems/rubygems.org/pull/4418">adding an API key stimulus controller</a> and improving it for ease of developer use.</li> <li>If you’re interested in learning more about Stimulus.js and its best practices, more information can be found <a href="https://www.betterstimulus.com/">here</a> and <a href="https://thoughtbot.com/blog/taking-the-most-out-of-stimulus">here</a>.</li> </ul> <p><strong>Improving the Design of RubyGems Gems page</strong></p> <ul> <li>The <a href="https://rubygems.org/gems">Gems page</a> on RubyGems ranks as the most visited page of the website, serving as a key resource for engineers to understand essential details about a gem, including its purpose, licenses, dependencies, and how to access and install the gem itself. Recognizing the importance of these pages in helping visiting engineers accomplish their tasks, it’s crucial to closely examine their needs and ensure that the page structure and design align with their objectives.</li> <li>Through interviews and discussions with RubyGems power users and stakeholders, we have been able to identify the fundamental values of the interface elements, understand the reasons behind their development, track their evolution, and determine the most beneficial next steps for our broader user base. Moving forward, we are exploring new design options to enhance user experience on these pages.</li> </ul> <p><strong><a href="https://blog.segiddins.me/2024/02/09/residency-update/">Initiating the Gem Research Tool Project</a></strong></p> <ul> <li>This will be most relevant for RubyGems developers. The team will be able to use this as a playground for features that we want to expose to the public eventually, like browsing gem contents and being able to make queries. 
We also have been able to use this for security research to assess the impact of particular changes across the entire published gem ecosystem.</li> <li>The creation of this tool has involved (and will continue to involve) <a href="https://blog.segiddins.me/2024/02/09/residency-update/">a lot of investigation</a>, experimentation and steps like renting a dedicated server from Hetzner to host the gem research tool, after repeatedly running out of disk space!</li> </ul> <p><strong>Developing a Pure Ruby Sigstore Implementation</strong></p> <ul> <li>This project kicked off with a long-term goal of integrating it directly into RubyGems. The team is drawing inspiration from the existing sigstore and The Update Framework (TUF) implementations in Python.</li> <li>We intend to focus on meeting the sigstore compliance specifications through continuous iterations. Additionally, by analyzing code and branch coverage, we’re identifying sections that need more extensive testing.</li> <li>A critical part of this project is creating a <code class="language-plaintext highlighter-rouge">protobuf</code> implementation that does not depend on native extensions, ensuring it can be seamlessly incorporated into RubyGems.</li> </ul> <p>In February, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-2-01%7D...master@%7B2024-2-31%7D">86 new commits</a> contributed by 13 authors. There were 5,265 additions and 2,022 deletions across 270 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! 
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/VitaliySerov">@VitaliySerov</a> Vitaliy Serov</li> <li><a href="https://github.com/flavorjones">@flavorjones</a> Mike Dalessio</li> <li><a href="https://github.com/jgarber623">@jgarber623</a> Jason Garber</li> <li><a href="https://github.com/kimesf">@kimesf</a> Kim Emmanuel</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/ccutrer">@ccutrer</a> Cody Cutrer</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/mame">@mame</a> Yusuke Endoh</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/dduugg">@dduugg</a> Douglas Eichelberger</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/sh0n0">@sh0n0</a> sh0n0</li> <li><a href="https://github.com/coorasse">@coorasse</a> Alessandro Rodi</li> <li><a href="https://github.com/CuddlyBunion341">@CuddlyBunion341</a> Daniel Bengl</li> <li><a 
href="https://github.com/albertchae">@albertchae</a> Albert Chae</li> <li><a href="https://github.com/bradly">@bradly</a> Bradly Feeley</li> <li><a href="https://github.com/ekyburz">@ekyburz</a> EtienneKyburz</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> Password Reset Vulnerabilities, Hacker One and Humility 2024-03-15T00:00:00+00:00 http://blog.rubygems.org/2024/03/15/password-reset-vulnerability <p>Have you ever thrown actual spaghetti at a wall? It’s funny, sticky and barely induces any panic. HackerOne reports, on the other hand, have the opposite effect. Unlike wet spaghetti, the clean-up job is far more work for our security team.</p> <p>Running a bug bounty program means a stream of incoming reports, not all of them correct, that must be reviewed. After receiving enough dire-sounding reports that ultimately lead nowhere, it can look like thrown spaghetti (a see-what-sticks approach). Though we try to give each report a thorough, unbiased evaluation, it’s difficult to keep an open mind about any given report.</p> <p>Dead-end reports cost the RubyGems security team time, and slow down our ability to address more urgent security issues. I once spent days working on a vulnerability and the result was: <em>clicking that checkbox in BurpSuite invalidates this approach.</em></p> <p>But sometimes a hacker finds a very real security issue. This is a story about a recent bug report that I almost closed, assuming it was another false alarm, and how I realized I was wrong.</p> <h2 id="mfa-bypass-detected">MFA bypass detected?</h2> <p>On Dec 22nd, 2023, we received a report about a multi-factor authentication (MFA) bypass on RubyGems.org’s password reset form. 
The report claimed to reset an MFA-protected user’s password using only the emailed password reset token, significantly undermining the value of MFA. Most reports tend to claim a similar severity level with varying accuracy. However, that’s not exactly what the report’s included screen capture looked like to me.</p> <p>In the screen recording, the reporter showed the following:</p> <ol> <li>Use a tool to store the full response from a valid password reset on an attacker-controlled user without MFA.</li> <li>Use the same tool to man-in-the-middle (MITM) the request by the victim (an MFA enabled user).</li> <li>Swap the saved response in place of the MFA challenge response for the victim before it is returned.</li> <li>Change every <code class="language-plaintext highlighter-rouge">user_id</code> in the page to the victim’s <code class="language-plaintext highlighter-rouge">user_id</code> (mostly to places that I could tell did not matter, which added skepticism).</li> <li>Allow the MITM to finish, returning the full password edit page to the attacker, but with the victim’s user IDs swapped.</li> <li>Use the form intended for the attacker’s user, but with the victim’s user id, to submit the password for the victim.</li> </ol> <p>I was confused and, if I’m honest, a little annoyed. The report made no sense and the changes he was making to the page seemed unrelated. It was not clear to me from the screen recording which account was being submitted or which user had their password updated. I didn’t see signing in nor the user profile of either user. I thought swapping the response body was just sending back the attacker’s session cookie, therefore logging in the attacker user as intended and ignoring the victim. Swapping the user IDs everywhere seemed especially silly and further invited my skepticism.</p> <p>Additionally, the attacker used MITM to execute the vulnerability. 
Very few applications are immune to MITM where the attacker has unencrypted access to the victim’s request and response (HTTPS should make this impossible).</p> <p>I can come up with a lot of excuses for why I couldn’t possibly have seen this vulnerability right away to make me feel better about my misplaced skepticism, but in short, I was dismissive. I responded to the hacker multiple times with “more information” requests. I pointed out why the approach seemed to be abusing MITM or how sending back a user’s cookies would just authorize that user.</p> <h2 id="investigation">Investigation</h2> <p>Luckily the reporter was very responsive to my requests and I was open to being proven wrong. The report was filed at 5:30am Dec 22nd and by 7:30pm the same day we had communicated back and forth for hours. By the 3rd screen recording and after a discussion with <a href="https://github.com/segiddins">Samuel Giddins</a>, our AWS sponsored Software Engineer in Residence, we finally arrived at a proof of the vulnerability. The report had found a real issue.</p> <p>The vulnerability worked like this: the password reset form (the <code class="language-plaintext highlighter-rouge">edit</code> action in our rails app) was well protected behind MFA and an email token. You could not render the form without verifying your MFA credentials. However, the submit action on the form (the <code class="language-plaintext highlighter-rouge">update</code> action in our rails app) only checked the email token and did not care if you had previously submitted a valid MFA. Oops. <em>All the seemingly pointless changes the hacker was doing were for the purpose of rendering the form so it could be submitted without having passed the MFA check.</em></p> <p>Once verified, I opened a <a href="https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2">GitHub Security Advisory</a> which allows the creation of a private fork. 
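</p> <p>The two-action split described above, written out as an added example (this is not rubygems.org’s code and does not reproduce the actual fix): a plain-Ruby stand-in for a Rails password-reset controller whose <code>edit</code> action is gated on MFA while <code>update</code> checks only the e-mailed token, beside the hardened shape in which <code>update</code> repeats the check. <code>PasswordResetFlow</code>, the <code>verify_update_mfa</code> switch, the <code>:mfa_verified</code> session key, the sample victim and the PBKDF2 stand-in for a real password hash are all hypothetical.</p>

```ruby
# Added example, not rubygems.org's code: a minimal stand-in for a Rails password
# reset controller showing the bug class described above; all names are hypothetical.
require "securerandom"
require "openssl"
User = Struct.new(:id, :email, :mfa_enabled, :password_digest, :reset_token, :reset_token_expires_at)
class Forbidden < StandardError; end
class InvalidToken < StandardError; end

class PasswordResetFlow
  # verify_update_mfa: false gates only `edit` on MFA (the vulnerable shape);
  # true also enforces it in `update`, the action the form actually submits to.
  def initialize(users, verify_update_mfa:)
    @users = users
    @verify_update_mfa = verify_update_mfa
  end

  # What the "forgot password" e-mail carries: a random, short-lived, single-use token.
  def issue_token(email)
    user = @users.find { |u| u.email == email } or raise InvalidToken, "unknown user"
    user.reset_token = SecureRandom.urlsafe_base64(32)
    user.reset_token_expires_at = Time.now + 15 * 60
    user.reset_token
  end

  # GET /password/edit?token=...  Renders the form or bounces to the MFA challenge.
  def edit(session, token:)
    user = user_for_token!(token)
    mfa_satisfied?(session, user) ? :render_form : :mfa_challenge
  end

  # Called once the OTP/passkey challenge succeeds. The proof is bound to the user
  # and to this specific token, so it cannot be replayed for a different reset.
  def mark_mfa_verified(session, user)
    session[:mfa_verified] = { user_id: user.id, token: user.reset_token }
  end

  # PUT /password?token=...  The submit action. The vulnerable shape checked only
  # the token here; the hardened shape repeats the MFA check before writing.
  def update(session, token:, password:)
    user = user_for_token!(token)
    if @verify_update_mfa && !mfa_satisfied?(session, user)
      raise Forbidden, "MFA not verified for this password reset"
    end
    user.password_digest = digest(password)
    user.reset_token = nil # tokens are single use
    session.delete(:mfa_verified)
    :password_updated
  end

  private

  def mfa_satisfied?(session, user)
    return true unless user.mfa_enabled
    v = session[:mfa_verified]
    v.is_a?(Hash) && v[:user_id] == user.id && v[:token] == user.reset_token
  end

  def user_for_token!(token)
    user = @users.find { |u| u.reset_token && constant_time_equal?(u.reset_token, token) }
    raise InvalidToken, "invalid or expired token" unless user && user.reset_token_expires_at > Time.now
    user
  end

  # Compare without leaking the position of the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Stand-in for a real password hash (bcrypt/argon2 in production); constructed salt.
  def digest(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: "constructed-salt", iterations: 1000,
                             length: 32, hash: "sha256").unpack1("H*")
  end
end

# Constructed fixture: one MFA-enabled victim with a freshly issued reset token.
def build(verify_update_mfa:)
  victim = User.new(1, "victim@example.com", true, "old-digest", nil, nil)
  flow = PasswordResetFlow.new([victim], verify_update_mfa: verify_update_mfa)
  [flow, victim, flow.issue_token(victim.email)]
end

# Replay of the report: the attacker holds the victim's e-mailed token (the precondition
# the post names) but never completes the victim's MFA challenge and posts straight to
# `update`. Returns true if the victim's password was changed.
def attempt_takeover(verify_update_mfa:)
  flow, victim, token = build(verify_update_mfa: verify_update_mfa)
  attacker_session = {} # carries no MFA proof
  flow.edit(attacker_session, token: token) == :mfa_challenge or raise "edit must gate on MFA"
  flow.update(attacker_session, token: token, password: "attacker-chosen")
  victim.password_digest != "old-digest"
rescue Forbidden
  false
end

# The legitimate owner still gets through the hardened flow after passing MFA.
def legitimate_reset
  flow, victim, token = build(verify_update_mfa: true)
  session = {}
  flow.edit(session, token: token) # bounced to the challenge; OTP/passkey done out of band
  flow.mark_mfa_verified(session, victim)
  flow.edit(session, token: token) == :render_form or raise "form must render after MFA"
  flow.update(session, token: token, password: "new-secret")
end
```

<p><code>attempt_takeover(verify_update_mfa: false)</code> returns <code>true</code>: holding only the victim’s token and never passing MFA, the attacker changes the password, exactly the outcome the report demonstrated by hand-editing the rendered form. With the switch on it returns <code>false</code>, while <code>legitimate_reset</code> still completes. Two points worth carrying into a real app: the MFA proof is recorded per user <em>and</em> per token and cleared on use, so it cannot be replayed for a later reset, and the check lives in the action that writes, not only in the one that renders, because an attacker can always construct the form locally.</p> <p>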
Working in the advisory’s private fork is a critical step for open source projects: it avoids leaking the vulnerability before a fix is deployed.</p> <p>With the further help of <a href="https://github.com/ericherscovich">Eric Herscovich</a> and <a href="https://github.com/simi">Josef Šimánek</a>, we merged and deployed the fix in <a href="https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565">commit 0b3272a</a> on Jan 7th, 2024. The vulnerability was published and assigned <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21654">CVE-2024-21654</a>. We have no reason to believe that this exploit was ever used, since it would require a compromised email token.</p> <h2 id="reflection">Reflection</h2> <p>This report provided a valuable lesson for me. Valid security research can come from hackers who are completely unfamiliar with your app.</p> <p>What I first interpreted as a naive false alarm turned out to be a real security issue. It was humbling for me to look back at how doubtful I had been at first when ultimately the report proved valid. I wanted, even expected, reports to be sophisticated, to put my doubts to rest with advanced techniques or clear scripted exploits. The reality is that you can’t dismiss a report based on your initial impressions.</p> <p>The hacker who submitted the report relied on the tools at their disposal to explain the problem. The approach that I would expect from a maintainer of RubyGems.org, someone with a fuller understanding of our code, was not available to this reporter. What I interpreted as a convoluted approach, copypasta hand-editing via MITM, was still an effective way to exploit rubygems.org.</p> <p>When vulnerability reports talk about “a sophisticated hacker”, it may just be a cover for the egos of the hacked. 
As I have now experienced, an apparently “non-sophisticated” attack can still be sophisticated enough to bypass security.</p> <p>My hope is that this story helps you understand how the password reset process poses a unique attack surface, and that it also challenges your own sense of what makes a good vulnerability report. High-quality reports sometimes look like low-effort spaghetti throwing.</p> <p>I want to thank the undisclosed reporter of this vulnerability for their patience and persistence.</p> <h2 id="what-you-can-do-right-now-to-support-rubygemsorg-security">What you can do right now to support RubyGems.org security</h2> <p>While you’re here, I encourage you to immediately enable MFA on RubyGems.org via a one-time passcode. Better yet, enable our <a href="https://blog.rubygems.org/2022/12/21/introducing-hardware-security-token-and-passkey-support.html">recently launched Passkey support</a>. Without a one-time passcode or a passkey your account is only as secure as your email.</p> <p>We invite anyone with an interest in security to challenge RubyGems.org and the RubyGems/Bundler library. Please, please read our policy first! You can find it at <a href="https://hackerone.com/rubygems">the RubyGems Hacker One program</a>. Please don’t disrupt the RubyGems.org service or interfere with users of RubyGems. Our bug bounty program is backed by the <a href="https://www.hackerone.com/internet-bug-bounty">Internet Bug Bounty</a> which makes it possible for us to award hackers that help make our service more secure for everyone.</p> <p>Responding to security reports like this takes significant time and resources. Paying our maintainers for their time to validate and fix vulnerabilities like this costs Ruby Central many thousands of dollars per year. <a href="https://rubycentral.org/support/">Our generous supporters and sponsors</a> ensure that we are able to support the security of the RubyGems ecosystem and respond to reports like this. 
If you aren’t already chipping in to support RubyGems, please consider <a href="https://rubycentral.org/support/">supporting us directly</a> with even a small donation. If you use Ruby at work, ask your employer about sponsorship opportunities for Ruby Central. Help us ensure that RubyGems is safe and secure.</p> January 2024 RubyGems Updates 2024-02-17T00:00:00+00:00 http://blog.rubygems.org/2024/02/17/january-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in January.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In January in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#355--2024-01-18">3.5.5</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#255-january-18-2024">2.5.5</a>. These releases included fixes for: <a href="https://github.com/rubygems/rubygems/pull/7331">caching the specifications directory</a>, <a href="https://github.com/rubygems/rubygems/pull/7358">development dependency omission</a> and <a href="https://github.com/rubygems/rubygems/pull/7352">formatting of compact index request headers</a>, as part of our continuous effort to enhance the Ruby development experience.</p> <p>Some other important accomplishments from the team this month include:</p> <ul> <li> <p><strong>Fixing a bug in <code class="language-plaintext highlighter-rouge">rack-test</code> related to Importmaps</strong></p> <p>During the development work on <strong>importmaps</strong>, a modern approach to serving JavaScript utilizing HTTP2, a bug in rack-test was identified. The bug manifested through failing tests, triggered when initializing sessions to ensure a <code class="language-plaintext highlighter-rouge">session_id</code> from the first response. 
Detailed debugging revealed issues with handling multiple cookies, specifically a blank cookie that led to crashes and test failures. The resolution involved fixing how these cookies are processed. - <a href="https://github.com/rack/rack-test/pull/343">(#343)</a>.</p> </li> <li> <p><strong>Resolution of Bundler issue with Renovatebot</strong></p> <p><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> addressed a specific Bundler resolution problem affecting the operation of Renovatebot. We try to play nice with update bots since they contribute to a more healthy and secure ecosystem. Renovate in particular does not seem to use Bundler internals, but runs Bundler directly through well defined CLI flags. This is very good for us, so it’s nice to give back and make sure the CLI flags they use work as expected.</p> <p>The issue happens when Renovatebot first changes the Gemfile and then runs <code class="language-plaintext highlighter-rouge">bundle lock --update --patch --strict</code>. He first investigated a solution that involved bringing the lockfile up to date but ultimately realized that this approach breaks the <code class="language-plaintext highlighter-rouge">--patch --strict</code> contract because it results in that patch level version possibly being upgraded. In the end, he decided to call the current behavior as expected and will focus on improving the error message in the future. - (<a href="https://github.com/rubygems/rubygems/issues/7369">7369</a>).</p> </li> <li> <p><strong>Resolution of RubyGems require issue</strong></p> <p><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> tackled a challenging issue within RubyGems related to its custom require implementation. The gemification of default gems, especially those with dependencies, surfaced issues after the Ruby 3.3 release, affecting user experience. 
The fix ensures RubyGems <code class="language-plaintext highlighter-rouge">require</code> bypasses activating default versions of gems under conflict-prone conditions. For more details, see <a href="https://github.com/rubygems/rubygems/pull/7379">#7379</a>.</p> </li> <li> <p><strong>Work toward vendoring URI in RubyGems</strong></p> <p>This initiative was part of efforts to smooth out the extraction of default gems from <code class="language-plaintext highlighter-rouge">ruby-core</code>, ensuring a seamless transition. The successful vendoring of URI marks a significant step towards mitigating activation conflicts. Information on this update is available in <a href="https://github.com/rubygems/rubygems/pull/7386">#7386</a>.</p> </li> <li> <p><strong>Addressing an ENV resetting issue in RubyGems</strong></p> <p>Restoring Bundler-related ENV variables to empty prevents downstream issues when trying to invoke Bundler from subprocesses, as one of our users <a href="https://github.com/Edouard-chin">Edouard-chin</a> pointed out. An investigation led to the identification of a bug related to special casing empty ENV variables. The decision was made to remove that special case; the fix and its implications are detailed in <a href="https://github.com/rubygems/rubygems/pull/7383">#7383</a>.</p> </li> <li> <p><strong>Introduction of a Gem Rebuild Command</strong></p> <p><a href="https://github.com/duckinator">Ellen Dash</a> is leading the development of a gem rebuild command to facilitate reproducible builds. Reproducible builds allow people to identify problems such as compromised build environments or builds not using the published source. For a few years now, it’s been technically possible to reproduce a build if you knew enough about the original build environment. 
The <code class="language-plaintext highlighter-rouge">gem rebuild</code> command’s purpose is to automate as much of this as possible.</p> </li> </ul> <p>In January, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2024-1-01%7D...master@%7B2024-1-31%7D">163 new commits</a> contributed by 18 authors. There were 6,051 additions and 1,059 deletions across 244 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>January’s updates to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform.</p> <p>The following are highlights of what the team worked on this month:</p> <ul> <li> <p><strong>Audit/Event Logging for Enhanced Security Monitoring</strong></p> <p>We introduced a user-visible log of security events that have happened on their account. This will help maintainers stay on top of how their account is being used, and events that happen on the gems they own, reducing mean time to remediation for unexpected actions. This also helps the RubyGems.org security team by providing a trail that can be followed in response to security incidents.</p> <p>Critical events such as logins, password changes, email updates, API token generation and revocation, and ruby gem ownership changes are now logged. These logs are user-specific for account activities, while gem-related events are accessible to all owners of the respective gem. Check out <a href="https://github.com/rubygems/rubygems.org/pull/4367">(#4367)</a> for more information.</p> <p><img src="https://res.cloudinary.com/lauragift/image/upload/w_490,h_450/v1708150450/rykoTmOop_vnbkhk.png" alt="rubygems-org-profile-security_events" /></p> </li> <li> <p><strong>Resolution of a multi-factor authentication (MFA) bypass on password reset vulnerability</strong></p> <p>A vulnerability report from HackerOne brought to our attention a critical flaw in the MFA process during password reset. 
This issue was addressed and resolved through the collaborative efforts of <a href="https://github.com/martinemde">Martin Emde</a>, with significant contributions from <a href="https://github.com/simi">Josef Šimánek</a>, <a href="https://github.com/segiddins">Samuel Giddins</a>, and <a href="https://github.com/ericherscovich">Eric</a>. <a href="https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2">Read more about the report here.</a></p> </li> <li> <p><strong>Soft Deleting User Records</strong></p> <p><a href="https://github.com/segiddins">@segiddins</a> implemented a feature for soft-deleting user records, a foundational step for the audit/event logging system. This ensures the preservation of database relationships for historical records referencing users, even after an account is deleted by the user. When a user requests account deletion, we clear out all user information from the user record and mark it as deleted, but leave the row in the database. Deleted records are not shown in queries on the site. Find more information about this update in <a href="https://github.com/rubygems/rubygems.org/pull/4376">#4376</a> and <a href="https://github.com/rubygems/rubygems.org/pull/3766">#3766</a>.</p> </li> <li> <p><strong>Updating to Rails 7.1</strong></p> <p>We updated RubyGems.org to Rails 7.1 to keep dependencies of the Rails app up to date. The update involved a long-running pull request that addressed dependency issues. The merge and deployment proceeded smoothly after ensuring all upstream dependencies supported Rails 7.1, along with an update to the Rails configuration to align with 7.1 defaults.</p> </li> </ul> <p>In January, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2024-1-01%7D...master@%7B2024-1-31%7D">85 new commits</a> contributed by 8 authors. 
There were 2,490 additions and 1,238 deletions across 224 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/mrkn">@mrkn</a> Kenta Murata</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hyuraku">@hyuraku</a> hyuraku</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/avdi">@avdi</a> Avdi Grimm</li> <li><a href="https://github.com/ccutrer">@ccutrer</a> Cody Cutrer</li> <li><a href="https://github.com/bravehager">@bravehager</a> Brave Hager</li> <li><a href="https://github.com/stanhu">@stanhu</a> Stan Hu</li> <li><a href="https://github.com/ntkme">@ntkme</a> なつき</li> <li><a href="https://github.com/olleolleolle">@olleolleolle</a> Olle Jonsson</li> <li><a href="https://github.com/ohbarye">@ohbarye</a> Masato Ohba</li> <li><a href="https://github.com/williantenfen">@williantenfen</a> Willian Tenfen Wazilewski</li> <li><a href="https://github.com/m-nakamura145">@m-nakamura145</a> Masato Nakamura</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/robbyrussell">@robbyrussell</a> Robby Russell</li> <li><a 
href="https://github.com/a5-stable">@a5-stable</a> B3</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.6 Released 2024-02-06T00:00:00+00:00 http://blog.rubygems.org/2024/02/06/3.5.6-released <p>RubyGems 3.5.6 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Deep copy requirements in <code class="language-plaintext highlighter-rouge">Gem::Specification</code> and <code class="language-plaintext highlighter-rouge">Gem::Requirement</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/7439">#7439</a> by flavorjones</li> <li>Change gem login message to clear up that username can be also used. Pull request <a href="https://github.com/rubygems/rubygems/pull/7422">#7422</a> by VitaliySerov</li> <li>Add metadata for rubygems.org. Pull request <a href="https://github.com/rubygems/rubygems/pull/7435">#7435</a> by m-nakamura145</li> <li>Improve gem login scope selection. Pull request <a href="https://github.com/rubygems/rubygems/pull/7342">#7342</a> by williantenfen</li> <li>Vendor uri in RubyGems. Pull request <a href="https://github.com/rubygems/rubygems/pull/7386">#7386</a> by deivid-rodriguez</li> <li>Installs bundler 2.5.6 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Skip to load commented out words. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7413">#7413</a> by hsbt</li> <li>Fix rake runtime dependency warning for rake based extension. Pull request <a href="https://github.com/rubygems/rubygems/pull/7395">#7395</a> by ntkme</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.6.tgz<br /> f3fcc0327cee0b7ebbee2ef014a42ba05b4032d7e1834dbcd3165dde700c99c2</li> <li>rubygems-3.5.6.zip<br /> d15265729713654167ea1f4af66cd121abb34cc78b799b062bcd588dfc4798b3</li> <li>rubygems-update-3.5.6.gem<br /> 293e8fc50233d77111266d7ec85395e91b354a9e776410964794f055d7b5907d</li> </ul> 3.5.5 Released 2024-01-18T00:00:00+00:00 http://blog.rubygems.org/2024/01/18/3.5.5-released <p>RubyGems 3.5.5 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.5.5 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">require</code> activation conflicts when requiring default gems under some situations. Pull request <a href="https://github.com/rubygems/rubygems/pull/7379">#7379</a> by deivid-rodriguez</li> <li>Use cache_home instead of data_home in default_spec_cache_dir. Pull request <a href="https://github.com/rubygems/rubygems/pull/7331">#7331</a> by mrkn</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Use squiggly heredocs in <code class="language-plaintext highlighter-rouge">Gem::Specification#description</code> documentation, so it doesn’t add leading whitespace. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7373">#7373</a> by bravehager</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.5.tgz<br /> 12b2ac28c204bece2803c792f6fd4049faa530e24ec5e4d57c203df4021c4e1d</li> <li>rubygems-3.5.5.zip<br /> 06d2c8fa1afab66affb9cbfd9ba2ab2476380ba1418edf09349819f3c25e5964</li> <li>rubygems-update-3.5.5.gem<br /> adb986b9883ea61c86277d8fd63925c0efc78ae8059480379101528aaf9b464f</li> </ul> December 2023 RubyGems Updates 2024-01-17T00:00:00+00:00 http://blog.rubygems.org/2024/01/17/december-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in December.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In December, we released the following versions of RubyGems: <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#350--2023-12-15">3.5.0</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#351--2023-12-15">3.5.1</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#352--2023-12-21">3.5.2</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#353--2023-12-22">3.5.3</a>; and of Bundler: <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#250-december-15-2023">2.5.0</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#251-december-15-2023">2.5.1</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#252-december-21-2023">2.5.2</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#253-december-22-2023">2.5.3</a>. 
These updates mark significant milestones in our continuous effort to enhance the RubyGems development experience.</p> <p>With the yearly minor version release of RubyGems 3.5 and Bundler 2.5, we have dropped support for Ruby versions less than 3.0.0. This enables the usage of more modern features of the Ruby language, improving efficiency, performance and memory usage. It also reduces our test runtimes and removes the more error prone Ruby 2.6 and 2.7 tests. We spent time this month modernizing the codebase to take advantage of this change.</p> <p>A major enhancement was made to the <code class="language-plaintext highlighter-rouge">generate_index</code> command. It now has the capability to create compact index files. This feature has been integrated into the externally available <code class="language-plaintext highlighter-rouge">rubygems-generate_index</code> gem (<a href="https://github.com/rubygems/rubygems/pull/7085">#7085</a>). This advancement not only improves efficiency but also extends the command’s utility.</p> <p>The <code class="language-plaintext highlighter-rouge">gem install</code> command also saw an important update. To better accommodate environments where permissions might be restricted, it now automatically uses the user’s installation directory when the default <code class="language-plaintext highlighter-rouge">gem home</code> is not writable (<a href="https://github.com/rubygems/rubygems/pull/5327">#5327</a>).</p> <p>Additionally, <a href="https://bundler.io">Bundler</a> introduced the <code class="language-plaintext highlighter-rouge">bundle config set version</code> feature. This allows users to explicitly select the Bundler version they wish to use, adding a layer of customization. 
It also provides the option to override the lockfile version by setting it to <code class="language-plaintext highlighter-rouge">system</code> (<a href="https://github.com/rubygems/rubygems/pull/6817">#6817</a>).</p> <p>Some other improvements that landed into our repo this month that are NOT included in the above releases are:</p> <ul> <li>an upgraded documentation process, now utilizing <a href="https://github.com/n-ronn/nronn">nronn</a> for generation (<a href="https://github.com/rubygems/rubygems/pull/7227">#7227</a>).</li> <li>the use of <code class="language-plaintext highlighter-rouge">Minitest::TestTask</code> in a template file for minitest, streamlining the testing process (<a href="https://github.com/rubygems/rubygems/pull/7234">#7234</a>).</li> <li>avoidance of some allocations when evaluating the <code class="language-plaintext highlighter-rouge">ruby</code> Gemfile DSL (<a href="https://github.com/rubygems/rubygems/pull/7251">#7251</a>).</li> <li>better install advice when some gems are not found (<a href="https://github.com/rubygems/rubygems/pull/7265">#7265</a>).</li> <li>implementation of a fix for the <code class="language-plaintext highlighter-rouge">bundler test</code> on the Ruby package (<a href="https://github.com/rubygems/rubygems/pull/7298">#7298</a>).</li> <li>a change to make <code class="language-plaintext highlighter-rouge">bundle lock</code> always touch the lockfile (even when nothing changed) to improve Make-style compatibility (<a href="https://github.com/rubygems/rubygems/pull/7220">#7220</a>).</li> <li>improved RubyGems and Bundler CI detection (<a href="https://github.com/rubygems/rubygems/pull/7205">#7205</a>).</li> <li>streamed output from ext builds when <code class="language-plaintext highlighter-rouge">--verbose</code> (<a href="https://github.com/rubygems/rubygems/pull/7240">#7240</a>).</li> <li>allowing <code class="language-plaintext highlighter-rouge">bundle pristine</code> to run in parallel, resulting in a remarkable speed 
improvement (<a href="https://github.com/rubygems/rubygems/pull/6927">#6927</a>).</li> <li>ensuring gem install respects system umask (<a href="https://github.com/rubygems/rubygems/pull/7300">#7300</a>).</li> </ul> <p>In December, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-12-01%7D...master@%7B2023-12-31%7D">280 new commits</a> contributed by 17 authors. There were 28,544 additions and 8,338 deletions across 761 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>December’s updates to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform.</p> <p>A significant upgrade made was the complete transition to Ruby 3.3, [<a href="https://github.com/rubygems/rubygems.org/pull/4320">#4320</a>]. This update represents a major step in keeping the platform current with the latest Ruby advancements.</p> <p>We also added improvements to the <a href="https://blog.rubygems.org/2023/12/14/trusted-publishing.html">trusted publishing</a> feature. Notably, the pending publisher link is now visible to everyone in the settings edit section (<a href="https://github.com/rubygems/rubygems.org/pull/4290">#4290</a>). 
Additionally, we integrated passkeys as a single factor of authentication; this marks a significant improvement in the security of the platform (<a href="https://github.com/rubygems/rubygems.org/pull/4271">#4271</a>).</p> <p>Some other improvements that landed in the RubyGems.org repo this month are:</p> <ul> <li>implementation of <code class="language-plaintext highlighter-rouge">Deletion#version_id</code> for better version association (<a href="https://github.com/rubygems/rubygems.org/pull/4273">#4273</a>).</li> <li>resolution to issues in creating Rubygem trusted publishers when GitHub actions exist (<a href="https://github.com/rubygems/rubygems.org/pull/4282">#4282</a>).</li> <li>an added <code class="language-plaintext highlighter-rouge">/profile/me</code> action that redirects logged-in users to their profile (<a href="https://github.com/rubygems/rubygems.org/pull/4291">#4291</a>).</li> <li>an update to Bundler 2.5.1 with the addition of CHECKSUMS (<a href="https://github.com/rubygems/rubygems.org/pull/4296">#4296</a>).</li> <li>addition of <code class="language-plaintext highlighter-rouge">ruby/setup-ruby</code> for switching RubyGems versions (<a href="https://github.com/rubygems/rubygems.org/pull/4298">#4298</a>).</li> </ul> <p>In December, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-12-01%7D...master@%7B2023-12-31%7D">54 new commits</a> contributed by 7 authors. There were 4,096 additions and 510 deletions across 139 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! 
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/nevinera">@nevinera</a> Eric Mueller</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/franzliedke">@franzliedke</a> Franz Liedke</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/junaruga">@junaruga</a> Jun Aruga</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/y-yagi">@y-yagi</a> y-yagi</li> <li><a href="https://github.com/eregon">@eregon</a> Benoit Daloze</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> <li><a href="https://github.com/osyoyu">@osyoyu</a> Daisuke Aritomo</li> <li><a href="https://github.com/etherbob">@etherbob</a> Andrew Stevenson</li> <li><a href="https://github.com/AndrewSwerlick">@AndrewSwerlick</a> Andrew Swerlick</li> <li><a href="https://github.com/amomchilov">@amomchilov</a> Alexander Momchilov</li> <li><a href="https://github.com/hogelog">@hogelog</a> hogelog</li> <li><a href="https://github.com/takmar">@takmar</a> Takuma Yoshida</li> <li><a href="https://github.com/ekohl">@ekohl</a> Ewoud Kohl van Wijngaarden</li> <li><a href="https://github.com/iuriguilherme">@iuriguilherme</a> Iuri Guilherme</li> <li><a href="https://github.com/MSP-Greg">@MSP-Greg</a> MSP-Greg</li> <li><a href="https://github.com/kenyon">@kenyon</a> Kenyon Ralph</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a 
href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/ntkme">@ntkme</a> なつき</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/paracycle">@paracycle</a> Ufuk Kayserilioglu</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.4 Released 2024-01-04T00:00:00+00:00 http://blog.rubygems.org/2024/01/04/3.5.4-released <p>RubyGems 3.5.4 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Always avoid “Updating rubygems-update” message. Pull request <a href="https://github.com/rubygems/rubygems/pull/7335">#7335</a> by deivid-rodriguez</li> <li>Installs bundler 2.5.4 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Make <code class="language-plaintext highlighter-rouge">gem update --system</code> respect ruby version constraints. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7334">#7334</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.4.tgz<br /> bf70fee8dcc11ebea76d31399c3b6eea90590b06c1c587cef1b6e53ec32b0128</li> <li>rubygems-3.5.4.zip<br /> 3252eecdff7aa05edcebea61651ec581c910925cf5968d3f321f0e8c3356dc82</li> <li>rubygems-update-3.5.4.gem<br /> 41d4c93a79426a7e034080cc367c696ee0ae5c26fcfef20bb58f950031c95924</li> </ul> 3.5.3 Released 2023-12-22T00:00:00+00:00 http://blog.rubygems.org/2023/12/22/3.5.3-released <p>RubyGems 3.5.3 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.5.3 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.3.tgz<br /> f3115ee8080992f257c0161b811e07b012f20175ed89349fb1ac98977ddc5c9c</li> <li>rubygems-3.5.3.zip<br /> ef02c735f068b62148fa921ee75b14c91fcd6ae4f45f689f23e53eee53958a7c</li> <li>rubygems-update-3.5.3.gem<br /> dcfca3989ca0c9274143c89f66e55bbf4ac05454b639b1df9c0a9b050af3461c</li> </ul> 3.5.2 Released 2023-12-21T00:00:00+00:00 http://blog.rubygems.org/2023/12/21/3.5.2-released <p>RubyGems 3.5.2 includes enhancements and performance.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Support dynamic library loading with extension .so or .o. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7241">#7241</a> by hogelog</li> <li>Installs bundler 2.5.2 as a default gem.</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Replace <code class="language-plaintext highlighter-rouge">object_id</code> comparison with identity Hash. Pull request <a href="https://github.com/rubygems/rubygems/pull/7303">#7303</a> by amomchilov</li> <li>Use IO.copy_stream when reading, writing. Pull request <a href="https://github.com/rubygems/rubygems/pull/6958">#6958</a> by martinemde</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.2.tgz<br /> 8451765e1be6c1b62de2fdcfaef06ad989de5423f7a67deddfcf2822d306305c</li> <li>rubygems-3.5.2.zip<br /> db7c97f3fdb7ac9b18ef746b18a924a991ced87821211661e0347a582a282b2e</li> <li>rubygems-update-3.5.2.gem<br /> 69bad4ec83d292d79567859650c3647dd5ea2fdd591e22f40fcb50c3f3dd6fe8</li> </ul> November 2023 RubyGems Updates 2023-12-19T00:00:00+00:00 http://blog.rubygems.org/2023/12/19/november-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in November.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3422--2023-11-09">3.4.22</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2422-november-9-2023">2.4.22</a>. These updates mark significant milestones in our continuous effort to enhance the Ruby development experience.</p> <p>One of the key changes is a boost in performance, achieved by eliminating the need for regular expression matches in <code class="language-plaintext highlighter-rouge">Gem::Platform.local</code> (<a href="https://github.com/rubygems/rubygems/pull/7104">#7104</a>). 
Additionally, we shipped an update of the SPDX license list, ensuring that RubyGems is in line with the most recent industry standards (<a href="https://github.com/rubygems/rubygems/pull/7040">#7040</a>).</p> <p>Another important update: the YAML serializer has been enhanced to correctly handle empty arrays (<a href="https://github.com/rubygems/rubygems/pull/7099">#7099</a>). The search process has also been refined, now effectively ignoring <code class="language-plaintext highlighter-rouge">.gem</code> files that are not in tar format (<a href="https://github.com/rubygems/rubygems/pull/7095">#7095</a>). The update also brings a new feature that allows users to uninstall multiple versions of the same gem at once, making gem management more efficient (<a href="https://github.com/rubygems/rubygems/pull/7063">#7063</a>).</p> <p>Some other improvements that landed into our repo this month that are NOT included in the above releases are:</p> <ul> <li>an added response body on <code class="language-plaintext highlighter-rouge">fetch_http</code> error (<a href="https://github.com/rubygems/rubygems/pull/7148">#7148</a>).</li> <li>a more robust writability check for gem home (<a href="https://github.com/rubygems/rubygems/pull/7211">#7211</a>).</li> <li>an update to the Magnus library in the Rust extension gem template (<a href="https://github.com/rubygems/rubygems/pull/7204">#7204</a>).</li> <li>an update to gem uninstall error reporting (<a href="https://github.com/rubygems/rubygems/pull/7149">#7149</a>).</li> <li>an added <code class="language-plaintext highlighter-rouge">--json</code> output option to bundle-outdated (<a href="https://github.com/rubygems/rubygems/pull/7167">#7167</a>).</li> <li>a fix for invalid platform removal omitting adjacent platforms (<a href="https://github.com/rubygems/rubygems/pull/7170">#7170</a>).</li> <li>fixed universal lockfiles regression (<a href="https://github.com/rubygems/rubygems/pull/7177">#7177</a>).</li> <li>dropped Ruby 2.6 and 
2.7 support (<a href="https://github.com/rubygems/rubygems/pull/7116">#7116</a>).</li> <li>fixed bundle install <code class="language-plaintext highlighter-rouge">--system</code> deprecation advice (<a href="https://github.com/rubygems/rubygems/pull/7190">#7190</a>).</li> <li>no longer remembering CLI flags like <code class="language-plaintext highlighter-rouge">--jobs</code> or <code class="language-plaintext highlighter-rouge">--retry</code> in configuration (<a href="https://github.com/rubygems/rubygems/pull/7191">#7191</a>).</li> <li>the missing <code class="language-plaintext highlighter-rouge">--prefer-local</code> option added to the Synopsis in bundle-install.1.ronn (<a href="https://github.com/rubygems/rubygems/pull/7194">#7194</a>).</li> <li>allowing auto-install to install missing git gems (<a href="https://github.com/rubygems/rubygems/pull/7197">#7197</a>).</li> <li>ensuring explicit requirement of <code class="language-plaintext highlighter-rouge">rubygems</code> (<a href="https://github.com/rubygems/rubygems/pull/7139">#7139</a>).</li> </ul> <p>In November, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-11-01%7D...master@%7B2023-11-31%7D">113 new commits</a> contributed by 23 authors. 
There were 1,875 additions and 56,824 deletions across 1,496 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>The updates to RubyGems.org this month reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform.</p> <p>One of the updates made was an upgrade to PostgreSQL 12, with the production and staging <code class="language-plaintext highlighter-rouge">DATABASE_URL</code> updated to point at the PostgreSQL 12 instance (<a href="https://github.com/rubygems/rubygems.org/pull/4245">#4245</a>, <a href="https://github.com/rubygems/rubygems.org/pull/4256">#4256</a>).</p> <p>Some other improvements that landed into our repo this month that are NOT included in the above releases are:</p> <ul> <li>a fix for deletion <code class="language-plaintext highlighter-rouge">version_id</code> backfill when a user is deleted (<a href="https://github.com/rubygems/rubygems.org/pull/4259">#4259</a>).</li> <li>an added <code class="language-plaintext highlighter-rouge">version_id</code> column to Deletions (<a href="https://github.com/rubygems/rubygems.org/pull/4254">#4254</a>).</li> <li>an added <a href="https://blog.rubygems.org/2023/12/14/trusted-publishing.html">trusted publishers</a> feature to help automate gem publishing (<a href="https://github.com/rubygems/rubygems.org/pull/4239">#4239</a>).</li> <li>fixed the <code class="language-plaintext highlighter-rouge">api_key_created</code> email when the API key belongs to an OIDC ID token (<a href="https://github.com/rubygems/rubygems.org/pull/4233">#4233</a>).</li> <li>an added <code class="language-plaintext highlighter-rouge">maintenance_task</code> to backfill info files into S3 (<a href="https://github.com/rubygems/rubygems.org/pull/4232">#4232</a>).</li> <li>use of an uncached query to compute compact index info in jobs (<a href="https://github.com/rubygems/rubygems.org/pull/4231">#4231</a>).</li> <li>an added job to refresh all OIDC provider configs every 30m (<a 
href="https://github.com/rubygems/rubygems.org/pull/4211">#4211</a>).</li> <li>extraction of verified session logic into a concern (<a href="https://github.com/rubygems/rubygems.org/pull/4210">#4210</a>).</li> <li>updated installation instructions for OS X (<a href="https://github.com/rubygems/rubygems.org/pull/4203">#4203</a>).</li> <li>an upgrade of shoryuken to version 5.x (<a href="https://github.com/rubygems/rubygems.org/pull/4166">#4166</a>).</li> </ul> <p>In November, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-11-01%7D...master@%7B2023-11-31%7D">83 new commits</a> contributed by 7 authors. There were 950 additions and 501 deletions across 109 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/hanyang-tony">@hanyang-tony</a> Hanyang tony</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> <li><a href="https://github.com/Paul-Bob">@Paul-Bob</a> Paul Bob</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/eregon">@eregon</a> Benoit Daloze</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/Bo98">@Bo98</a> Bo Anderson</li> <li><a 
href="https://github.com/nevinera">@nevinera</a> Eric Mueller</li> <li><a href="https://github.com/Maumagnaguagno">@Maumagnaguagno</a> Mau Magnaguagno</li> <li><a href="https://github.com/olleolleolle">@olleolleolle</a> Olle Jonsson</li> <li><a href="https://github.com/ggmichaelgo">@ggmichaelgo</a> Michael Go</li> <li><a href="https://github.com/adrianthedev">@adrianthedev</a> Adrian Marin</li> <li><a href="https://github.com/kstevens715">@kstevens</a> Kyle Stevens</li> <li><a href="https://github.com/dearblue">@dearblue</a> Dearblue</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi Shibata</li> <li><a href="https://github.com/jp524">@jp524</a> Jade</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.5.1 Released 2023-12-15T00:00:00+00:00 http://blog.rubygems.org/2023/12/15/3.5.1-released <p>RubyGems 3.5.1 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.5.1 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.1.tgz<br /> 8f1da63b4d00a9b42833e6edc6b09a40327af8f917c8401a1694f84b72c1eabf</li> <li>rubygems-3.5.1.zip<br /> 7abef797026a430ab05c83b773272f397edc98b75bce9b5385fd215a921f1b06</li> <li>rubygems-update-3.5.1.gem<br /> 878d672fc874234e0cb9ee88078069663e91245c7425a404cac5c7ce3d205899</li> </ul> 3.5.0 Released 2023-12-15T00:00:00+00:00 http://blog.rubygems.org/2023/12/15/3.5.0-released <p>RubyGems 3.5.0 includes security, breaking changes, deprecations, features, performance, enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Security:</em></p> <ul> <li>Replace <code class="language-plaintext highlighter-rouge">Marshal.load</code> with a fully-checked safe gemspec loader. Pull request <a href="https://github.com/rubygems/rubygems/pull/6896">#6896</a> by segiddins</li> </ul> <p><em>## Breaking changes:</em></p> <ul> <li>Drop ruby 2.6 and 2.7 support. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7116">#7116</a> by deivid-rodriguez</li> <li>Release package no longer includes test files. Pull request <a href="https://github.com/rubygems/rubygems/pull/6781">#6781</a> by hsbt</li> <li>Hide <code class="language-plaintext highlighter-rouge">Gem::MockGemUi</code> from users. Pull request <a href="https://github.com/rubygems/rubygems/pull/6623">#6623</a> by hsbt</li> <li>Deprecated <code class="language-plaintext highlighter-rouge">Gem.datadir</code> has been removed. Pull request <a href="https://github.com/rubygems/rubygems/pull/6469">#6469</a> by hsbt</li> </ul> <p><em>## Deprecations:</em></p> <ul> <li>Deprecate <code class="language-plaintext highlighter-rouge">Gem::Platform.match?</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6783">#6783</a> by hsbt</li> <li>Deprecate <code class="language-plaintext highlighter-rouge">Gem::List</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6311">#6311</a> by segiddins</li> </ul> <p><em>## Features:</em></p> <ul> <li>The <code class="language-plaintext highlighter-rouge">generate_index</code> command can now generate compact index files and lives as an external <code class="language-plaintext highlighter-rouge">rubygems-generate_index</code> gem. Pull request <a href="https://github.com/rubygems/rubygems/pull/7085">#7085</a> by segiddins</li> <li>Make <code class="language-plaintext highlighter-rouge">gem install</code> fallback to user installation directory if default gem home is not writable. Pull request <a href="https://github.com/rubygems/rubygems/pull/5327">#5327</a> by duckinator</li> <li>Leverage ruby feature to warn when requiring default gems from stdlib that will be turned into bundled gems in the future. Pull request <a href="https://github.com/rubygems/rubygems/pull/6840">#6840</a> by hsbt</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Use match? when regexp match data is unused. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7263">#7263</a> by segiddins</li> <li>Fewer allocations in gem installation. Pull request <a href="https://github.com/rubygems/rubygems/pull/6975">#6975</a> by segiddins</li> <li>Optimize allocations in <code class="language-plaintext highlighter-rouge">Gem::Version</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6970">#6970</a> by segiddins</li> </ul> <p><em>## Enhancements:</em></p> <ul> <li>Warn for duplicate meta data links when building gems. Pull request <a href="https://github.com/rubygems/rubygems/pull/7213">#7213</a> by etherbob</li> <li>Vendor <code class="language-plaintext highlighter-rouge">net-http</code>, <code class="language-plaintext highlighter-rouge">net-protocol</code>, <code class="language-plaintext highlighter-rouge">resolv</code>, and <code class="language-plaintext highlighter-rouge">timeout</code> to reduce conflicts between Gemfile gems and internal dependencies. Pull request <a href="https://github.com/rubygems/rubygems/pull/6793">#6793</a> by deivid-rodriguez</li> <li>Remove non-transparent requirement added to prerelease gems. Pull request <a href="https://github.com/rubygems/rubygems/pull/7226">#7226</a> by deivid-rodriguez</li> <li>Stream output from ext builds when <code class="language-plaintext highlighter-rouge">--verbose</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/7240">#7240</a> by osyoyu</li> <li>Add missing services to CI detection and make it consistent between RubyGems and Bundler. Pull request <a href="https://github.com/rubygems/rubygems/pull/7205">#7205</a> by nevinera</li> <li>Update generate licenses template to not freeze regexps. Pull request <a href="https://github.com/rubygems/rubygems/pull/7154">#7154</a> by github-actions[bot]</li> <li>Don’t check <code class="language-plaintext highlighter-rouge">LIBRUBY_RELATIVE</code> in truffleruby to signal a bash prelude in rubygems binstubs. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7156">#7156</a> by deivid-rodriguez</li> <li>Update SPDX list and warn on deprecated identifiers. Pull request <a href="https://github.com/rubygems/rubygems/pull/6926">#6926</a> by simi</li> <li>Simplify extended <code class="language-plaintext highlighter-rouge">require</code> to potentially fix some deadlocks. Pull request <a href="https://github.com/rubygems/rubygems/pull/6827">#6827</a> by nobu</li> <li>Small refactors for <code class="language-plaintext highlighter-rouge">Gem::Resolver</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6766">#6766</a> by hsbt</li> <li>Use double-quotes instead of single-quotes consistently in warnings. Pull request <a href="https://github.com/rubygems/rubygems/pull/6550">#6550</a> by hsbt</li> <li>Add debug message for <code class="language-plaintext highlighter-rouge">nil</code> version gemspec. Pull request <a href="https://github.com/rubygems/rubygems/pull/6436">#6436</a> by hsbt</li> <li>Installs bundler 2.5.0 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix installing from source with same default bundler version already installed. Pull request <a href="https://github.com/rubygems/rubygems/pull/7244">#7244</a> by deivid-rodriguez</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Improve comment explaining the necessity of <code class="language-plaintext highlighter-rouge">write_default_spec</code> method. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6563">#6563</a> by voxik</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.5.0.tgz<br /> 6a7ccc98b5ba51be68c5a29a902c125c6f1d3690a0504787c40eb1c4a077e160</li> <li>rubygems-3.5.0.zip<br /> 361992e5d27277e1a470aae6f871814e236faf7c4c3e007cfd882c5c1cbd8d86</li> <li>rubygems-update-3.5.0.gem<br /> 0de926b1bbed63c6aabb899ceb9c9640589dbaa47f5a12c4f98f503744813f12</li> </ul> Announcing Trusted Publishing on RubyGems.org 2023-12-14T00:00:00+00:00 http://blog.rubygems.org/2023/12/14/trusted-publishing <p>Hi all!</p> <p>I’m excited to share a new feature that will help make RubyGems.org more secure, as well as making it easier to automate gem publishing. Inspired by the Python package index, we’re calling it <a href="https://guides.rubygems.org/trusted-publishing/">Trusted Publishing</a>.</p> <h2 id="backstory">Backstory</h2> <p>Over the past few years, we’ve <a href="/2022/08/15/requiring-mfa-on-popular-gems">increased the minimum multi-factor authentication (MFA) requirements</a> for accounts that own popular gems. We highly encourage requiring MFA for all interactions with RubyGems.org, including through the API. This is part of our strategy to make Ruby’s supply chain more secure, specifically by combatting account takeovers — the second most common software supply chain attack.</p> <p>On the flip side, we want to encourage gem authors to push their gems from trusted environments, based on the state of public repositories. For many, that means using GitHub Actions (as a CI/CD platform) for gems with repos hosted on GitHub.com.</p> <p>Until now, MFA has been incompatible with automated gem pushes. You needed an API key with MFA disabled, stored by GitHub as a long-lived secret, and provided to every CI job. 
Even worse, given it was a clunky, multi-step process, many gem authors simply pushed gems from their laptops rather than go through the steps required to set that up.</p> <h2 id="trusted-publishing">Trusted Publishing</h2> <p>Enter the subject of today’s announcement: <a href="https://guides.rubygems.org/trusted-publishing/">Trusted Publishing</a>. Before getting into the details, I’d like to quickly thank our friends over at <a href="https://pypi.org/">PyPI</a> for blazing this trail, providing helpful guidance, and writing some pretty great <a href="https://docs.pypi.org/trusted-publishers/">docs</a>.</p> <p>Trusted Publishing is a term for using OpenID Connect (OIDC) to exchange short-lived identity tokens between a trusted third-party service and RubyGems.org. This allows obtaining short-lived API tokens in an automated environment (such as CI) without having to store long-lived API tokens or username/password credentials.</p> <p>After <a href="https://guides.rubygems.org/trusted-publishing/adding-a-publisher/">filling out four form fields for your gem</a> (repo owner, repo name, GitHub Actions workflow file name, and optional GitHub Environment), you’ll be able to <a href="https://guides.rubygems.org/trusted-publishing/releasing-gems/">automate publishing via GitHub Actions with a short, simple, and copy/pastable workflow</a>.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>jobs:
  push:
    runs-on: ubuntu-latest

    permissions:
      contents: write
      id-token: write

    steps:
      # Set up
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
          ruby-version: ruby

      # Release
      - uses: rubygems/release-gem@v1
</code></pre></div></div> <h2 id="benefits">Benefits</h2> <p>This mechanism has significant security &amp; usability advantages compared to traditional authentication mechanisms:</p> <ul> <li><strong>Usability</strong>: trusted publishing does not require manually creating &amp; storing API tokens from RubyGems.org. The only manual step is a one-time form to tell RubyGems.org about the trusted publisher.</li> <li><strong>Security</strong>: Trusted publishing tokens are short-lived, meaning they can only be used for a short period of time. 
This is a big improvement over RubyGems.org’s long-lived API tokens, which can be kept and reused by an attacker if they are ever stolen.</li> <li><strong>Trust</strong>: pushing is done via a trusted environment, in a way that is transparent to users of a gem, leading to higher confidence that what is released matches what is in the repo.</li> </ul> <h2 id="whats-next">What’s Next</h2> <ul> <li>Support for other trusted publishing platforms</li> <li>A <a href="https://github.com/rubygems/rubygems.org/issues/4286">comprehensive GitHub Actions workflow</a> that handles building the gem, generating provenance, signing it using sigstore, pushing it</li> </ul> <p>Stay tuned!</p> <p>This work was organized by <a href="https://rubycentral.org">Ruby Central</a>, and made possible by funding from Ruby Central members, the <a href="https://www.sovereigntechfund.de">Sovereign Tech Fund</a>, and the <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">AWS Security Residency</a>.</p> October 2023 RubyGems Updates 2023-11-24T00:00:00+00:00 http://blog.rubygems.org/2023/11/24/october-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in October.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3421--2023-10-17">3.4.21</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2421-october-17-2023">2.4.21</a>.</p> <p>A couple of noteworthy updates this month include the introduction of a feature to abort <code class="language-plaintext highlighter-rouge">setup.rb</code> for outdated Ruby versions - <a href="https://github.com/rubygems/rubygems/pull/7011">#7011</a>, and efficiency enhancements enabled by removing <code class="language-plaintext highlighter-rouge">Dir.chdir</code> from subprocess execution - <a href="https://github.com/rubygems/rubygems/pull/6930">#6930</a>. We also achieved a major configuration improvement by implementing a <code class="language-plaintext highlighter-rouge">pure-ruby</code> YAML parser - <a href="https://github.com/rubygems/rubygems/pull/6615">#6615</a>. The documentation also saw significant improvements, with updates to the <code class="language-plaintext highlighter-rouge">bindir</code> variable - <a href="https://github.com/rubygems/rubygems/pull/7028">#7028</a> and fixes to invalid links - <a href="https://github.com/rubygems/rubygems/pull/7008">#7008</a>.</p> <p>Some other improvements that landed into our repo this month that are NOT included in the above releases are:</p> <ul> <li>an enhanced continuous integration (CI) by incorporating the latest patch level releases of Ruby, ensuring more robust testing environments - <a href="https://github.com/rubygems/rubygems/pull/7036">#7036</a>.</li> <li>updates to the SPDX license list to reflect the latest standards as of October 5, 2023. 
This ensures compliance and accuracy in licensing - <a href="https://github.com/rubygems/rubygems/pull/7040">#7040</a>.</li> <li>improved formatting and presentation of global source information on the <code class="language-plaintext highlighter-rouge">bundle plugin</code> manual page, contributing to better usability and readability - <a href="https://github.com/rubygems/rubygems/pull/7045">#7045</a>.</li> <li>significant optimization by reusing the <code class="language-plaintext highlighter-rouge">Gem::RemoteFetcher</code> instance within Bundler - <a href="https://github.com/rubygems/rubygems/pull/7079">#7079</a>.</li> <li>modified, more relaxed, pattern matching for Rake versions, allowing for greater flexibility and compatibility in different environments - <a href="https://github.com/rubygems/rubygems/pull/7123">#7123</a>.</li> <li>refinements to the recent fix related to <code class="language-plaintext highlighter-rouge">force_ruby_platform</code> - <a href="https://github.com/rubygems/rubygems/pull/7115">#7115</a>.</li> <li>a merged pull request to enable automatic switching to user-level gem installations when <code class="language-plaintext highlighter-rouge">GEM_HOME</code> is unset and the default gem home is not writable - <a href="https://github.com/rubygems/rubygems/pull/5327">#5327</a>.</li> </ul> <p>In October, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-10-01%7D...master@%7B2023-10-31%7D">160 new commits</a> contributed by 22 authors. There were 3,940 additions and 1,149 deletions across 197 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>The updates to RubyGems.org this month reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. 
Here’s a brief overview of the key improvements in the release:</p> <ul> <li>implementing a fix for the subscription links on the RubyGems dashboard - <a href="https://github.com/rubygems/rubygems.org/pull/4111">#4111</a>.</li> <li>creating a proof-of-concept (POC) for integrating Tailwind CSS, aiming to modernize and enhance the frontend design and responsiveness of RubyGems - <a href="https://github.com/rubygems/rubygems.org/pull/4113">#4113</a>.</li> <li>resolving ambiguity in ownership uniqueness errors, specifically addressing scenarios where a user is already invited or is an owner - <a href="https://github.com/rubygems/rubygems.org/pull/4119">#4119</a>.</li> <li>addressing a critical issue where users who had pushed gems with associated API keys faced difficulties with account deletion. This fix ensures smoother user account management and security - <a href="https://github.com/rubygems/rubygems.org/pull/4130">#4130</a>.</li> <li>fixing timestamp fields options feature, refining user interface elements and data accuracy - <a href="https://github.com/rubygems/rubygems.org/pull/4132">#4132</a>.</li> </ul> <p>In October, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-10-01%7D...master@%7B2023-10-31%7D">60 new commits</a> contributed by 12 authors. There were 4,532 additions and 2,184 deletions across 181 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! 
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/mgmarlow">@mgmarlow</a> Graham Marlow</li> <li><a href="https://github.com/harshalbhakta">@harshalbhakta</a> Harshal Bhakta</li> <li><a href="https://github.com/composerinteralia">@composerinteralia</a> Daniel Colson</li> <li><a href="https://github.com/manuraj17">@manuraj17</a> Manu</li> <li><a href="https://github.com/intrip">@intrip</a> Jacopo Beschi</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/ccutrer">@ccutrer</a> Cody Cutrer</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/kstevens715">@kstevens715</a> Kyle Stevens</li> <li><a href="https://github.com/mercedesb">@mercedesb</a> Mercedes</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/dearblue">@dearblue</a> dearblue</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/eregon">@eregon</a> Benoit Daloze</li> <li><a href="https://github.com/ekohl">@ekohl</a> Ewoud Kohl van Wijngaarden</li> <li><a href="https://github.com/rye-stripe">@rye-stripe</a> Peteris Rudzusiks</li> <li><a href="https://github.com/kenyon">@kenyon</a> Kenyon Ralph</li> <li><a href="https://github.com/jeremy">@jeremy</a> Jeremy Daer</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/arunagw">@arunagw</a> Arun Agrawal</li> <li><a 
href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/javier-menendez">@javier-menendez</a> Javier Menéndez Rizo</li> <li><a href="https://github.com/jjb">@jjb</a> John Bachir</li> <li><a href="https://github.com/Uda-Titor">@Uda-Titor</a> ryohei udagawa</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/arletterocks">@arletterocks</a> Arlette Thibodeau</li> <li><a href="https://github.com/xuanxu">@xuanxu</a> Juanjo Bazán</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.27 Released 2023-11-10T00:00:00+00:00 http://blog.rubygems.org/2023/11/10/3.3.27-released <p>RubyGems 3.3.27 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Bug fixes:</em></p> <ul> <li>Provide fix for bundler Gemfile resolving regression. 
Pull request #6717 by Hiroshi SHIBATA.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.27.tgz<br /> dc821bf2a416e9c25a964181a83439209b3ae81cfca1632733ca04da946c0fbd</li> <li>rubygems-3.3.27.zip<br /> 11e5cdbb347c0540d28723814b8ea84deb7151f8de1cddbe48a1466a13d0db60</li> <li>rubygems-update-3.3.27.gem<br /> 46cc13e192feb17fb74ce4cdd354154450533ab2844af842381c2d99c5cd45cb</li> </ul> 3.4.22 Released 2023-11-09T00:00:00+00:00 http://blog.rubygems.org/2023/11/09/3.4.22-released <p>RubyGems 3.4.22 includes enhancements, bug fixes, performance and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Update SPDX license list as of 2023-10-05. Pull request <a href="https://github.com/rubygems/rubygems/pull/7040">#7040</a> by github-actions[bot]</li> <li>Remove unnecessary rescue. Pull request <a href="https://github.com/rubygems/rubygems/pull/7109">#7109</a> by deivid-rodriguez</li> <li>Installs bundler 2.4.22 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Handle empty array at built-in YAML serializer. Pull request <a href="https://github.com/rubygems/rubygems/pull/7099">#7099</a> by hsbt</li> <li>Ignore non-tar format <code class="language-plaintext highlighter-rouge">.gem</code> files during search. Pull request <a href="https://github.com/rubygems/rubygems/pull/7095">#7095</a> by dearblue</li> <li>Allow explicitly uninstalling multiple versions of same gem. Pull request <a href="https://github.com/rubygems/rubygems/pull/7063">#7063</a> by kstevens715</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Avoid regexp match on every call to <code class="language-plaintext highlighter-rouge">Gem::Platform.local</code>. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7104">#7104</a> by segiddins</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Get <code class="language-plaintext highlighter-rouge">Gem::Specification#extensions_dir</code> documented. Pull request <a href="https://github.com/rubygems/rubygems/pull/6218">#6218</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.22.tgz<br /> 803fa77776d11d3d1bb563826616c811124425e0331ad1fd983c4144046a6156</li> <li>rubygems-3.4.22.zip<br /> 12f52292df0572a10c4d882a2c9467babfc2909dab9685939abac2234aa8485a</li> <li>rubygems-update-3.4.22.gem<br /> dedab68acfef164f6d29257bb8d01bd6df1430ce4c0c3cf5b198aa211881d849</li> </ul> September 2023 RubyGems Updates 2023-10-17T00:00:00+00:00 http://blog.rubygems.org/2023/10/17/september-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in September.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3420--2023-09-27">3.4.20</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2420-september-27-2023">2.4.20</a>.</p> <p>One of the goals of this RubyGems release was to work on allowing RubyGems to gracefully fall back to a user install if the default <code class="language-plaintext highlighter-rouge">gem home</code> isn’t writable. This will resolve a request users of RubyGems have been wanting for eight years - <a href="https://github.com/rubygems/rubygems/pull/5327">#5327</a>. 
Additionally, we sought to update the SPDX license list (the 2023-01-26, 2023-04-28 and 2023-06-18 revisions), raise <code class="language-plaintext highlighter-rouge">Gem::Package::FormatError</code> when gem encounters a corrupt EOF - <a href="https://github.com/rubygems/rubygems/pull/6882">#6882</a>, and ensure that loading multiple gemspecs with legacy YAML class references does not warn - <a href="https://github.com/rubygems/rubygems/pull/6889">#6889</a>.</p> <p>In this month’s Bundler release, our goal was to build on the work of <a href="https://github.com/segiddins">@segiddins</a> and <a href="https://github.com/mercedesb">@mercedesb</a> by adding support for <code class="language-plaintext highlighter-rouge">SHA256</code> checksum verification of bundled gems during installation, as described in this <a href="https://github.com/rubygems/rfcs/pull/50">RFC</a>. We also focused on Bundler’s performance and memory efficiency, supporting, reviewing, and contributing to improvements there.</p> <p>Some other improvements that landed in our repo this month but that are not included in the above releases are:</p> <ul> <li>added <code class="language-plaintext highlighter-rouge">universal-java-19</code> to CI test setup Gemfile locks - <a href="https://github.com/rubygems/rubygems/pull/6942">#6942</a>.</li> <li>fixed a false positive SymlinkError in the symbolic link directory - <a href="https://github.com/rubygems/rubygems/pull/6947">#6947</a>.</li> <li>added support for the <code class="language-plaintext highlighter-rouge">ruby-3.2.2</code> format in the <code class="language-plaintext highlighter-rouge">ruby file:</code> Gemfile directive, and added a test to explicitly test the <code class="language-plaintext highlighter-rouge">3.2.2@gemset</code> format as rejected - <a href="https://github.com/rubygems/rubygems/pull/6954">#6954</a>.</li> <li>reduced allocations for stub specifications - <a href="https://github.com/rubygems/rubygems/pull/6972">#6972</a>.</li> <li>allowed 
standalone mode to work on a Windows edge case - <a href="https://github.com/rubygems/rubygems/pull/6989">#6989</a>.</li> <li>improved release scripts - <a href="https://github.com/rubygems/rubygems/pull/6999">#6999</a>.</li> <li>fixed the SafeMarshal test on jruby - <a href="https://github.com/rubygems/rubygems/pull/6984">#6984</a>.</li> </ul> <p>In September, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-09-01%7D...master@%7B2023-09-30%7D">116 new commits</a> contributed by 14 authors. There were 2,455 additions and 571 deletions across 105 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month in RubyGems.org, we addressed the issue where <a href="https://github.com/rubygems/rubygems.org/issues/3278">gravatar exposed user email</a> addresses by ensuring they are not publicly exposed - <a href="https://github.com/rubygems/rubygems.org/pull/3731">#3731</a>, <a href="https://github.com/rubygems/rubygems.org/pull/4104">#4104</a>. We added this change to keep our users’ information private and well secured. 
We also opened an <a href="https://github.com/rubygems/rfcs/pull/51">RFC</a> to enhance user profiles in general.</p> <p>Support for PostgreSQL 11 will end next February, so we have created a plan, written reference scripts and started documenting the upgrade in the following RFCs to get feedback - <a href="https://github.com/rubygems/rfcs/pull/52">#52</a>, <a href="https://github.com/rubygems/rfcs/pull/53">#53</a>.</p> <p>Some other improvements that landed in our repo this month but that are not included in the above releases are:</p> <ul> <li>added a log in Pusher when notify is called - <a href="https://github.com/rubygems/rubygems.org/pull/4072">#4072</a>.</li> <li>added a versions index on <code class="language-plaintext highlighter-rouge">lower(gem_full_name)</code> - <a href="https://github.com/rubygems/rubygems.org/pull/4095">#4095</a>.</li> <li>added backfill for <code class="language-plaintext highlighter-rouge">spec_sha256</code> on versions - <a href="https://github.com/rubygems/rubygems.org/pull/4083">#4083</a>.</li> <li>handled nil <code class="language-plaintext highlighter-rouge">api_key</code> in the dashboards controller - <a href="https://github.com/rubygems/rubygems.org/pull/4081">#4081</a>.</li> <li>added a fix to precompile assets on CI before running tests - <a href="https://github.com/rubygems/rubygems.org/pull/4059">#4059</a>.</li> <li>made all texts in the about page translatable - <a href="https://github.com/rubygems/rubygems.org/pull/4063">#4063</a>.</li> <li>made an update to only validate version metadata on create/change - <a href="https://github.com/rubygems/rubygems.org/pull/4100">#4100</a>.</li> <li>updated RubyGems &amp; Bundler - <a href="https://github.com/rubygems/rubygems.org/pull/4103">#4103</a>.</li> </ul> <p>In September, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-09-01%7D...master@%7B2023-09-30%7D">64 new commits</a> contributed by 5 authors. 
There were 1,855 additions and 1,070 deletions across 90 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/negi0109">@negi0109</a> negi</li> <li><a href="https://github.com/pboling">@pboling</a> Peter Boling</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/ytkg">@ytkg</a> YOSHIKI</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/krororo">@krororo</a> kitazawa</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/yaauie">@yaauie</a> Ry Biesemeyer</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/byroot">@byroot</a> Jean Boussier</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.21 Released 2023-10-17T00:00:00+00:00 http://blog.rubygems.org/2023/10/17/3.4.21-released <p>RubyGems 3.4.21 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Abort <code class="language-plaintext highlighter-rouge">setup.rb</code> if Ruby is too old. Pull request <a href="https://github.com/rubygems/rubygems/pull/7011">#7011</a> by deivid-rodriguez</li> <li>Remove usage of Dir.chdir that only executes a subprocess. Pull request <a href="https://github.com/rubygems/rubygems/pull/6930">#6930</a> by segiddins</li> <li>Freeze more strings in generated gemspecs. Pull request <a href="https://github.com/rubygems/rubygems/pull/6974">#6974</a> by segiddins</li> <li>Use pure-ruby YAML parser for loading configuration at RubyGems. Pull request <a href="https://github.com/rubygems/rubygems/pull/6615">#6615</a> by hsbt</li> <li>Installs bundler 2.4.21 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Update suggested variable for bindir. Pull request <a href="https://github.com/rubygems/rubygems/pull/7028">#7028</a> by hsbt</li> <li>Fix invalid links in documentation. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/7008">#7008</a> by simi</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.21.tgz<br /> a08cfdb13f997ca8751d9737160df4d0442949f36c1bb7d9641fe295c2971080</li> <li>rubygems-3.4.21.zip<br /> cb4b4e2dc74bb66d00b711724f28c78e6371b4a85b5a0013d17cebf6f100f6ea</li> <li>rubygems-update-3.4.21.gem<br /> 45dbda6d6b4da187b5035b8b59d10fa8af9e26e8b5e403346cb0990ba4150aa7</li> </ul> 3.4.20 Released 2023-09-27T00:00:00+00:00 http://blog.rubygems.org/2023/09/27/3.4.20-released <p>RubyGems 3.4.20 includes enhancements, bug fixes and performance.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Raise <code class="language-plaintext highlighter-rouge">Gem::Package::FormatError</code> when gem encounters corrupt EOF. Pull request <a href="https://github.com/rubygems/rubygems/pull/6882">#6882</a> by martinemde</li> <li>Allow skipping empty license <code class="language-plaintext highlighter-rouge">gem build</code> warning by setting license to <code class="language-plaintext highlighter-rouge">nil</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6879">#6879</a> by jhong97</li> <li>Update SPDX license list as of 2023-06-18. Pull request <a href="https://github.com/rubygems/rubygems/pull/6891">#6891</a> by github-actions[bot]</li> <li>Update SPDX license list as of 2023-04-28. Pull request <a href="https://github.com/rubygems/rubygems/pull/6642">#6642</a> by segiddins</li> <li>Update SPDX license list as of 2023-01-26. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6310">#6310</a> by segiddins</li> <li>Installs bundler 2.4.20 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fixed false positive SymlinkError in symbolic link directory. Pull request <a href="https://github.com/rubygems/rubygems/pull/6947">#6947</a> by negi0109</li> <li>Ensure that loading multiple gemspecs with legacy YAML class references does not warn. Pull request <a href="https://github.com/rubygems/rubygems/pull/6889">#6889</a> by segiddins</li> <li>Fix NoMethodError when choosing a too big number from <code class="language-plaintext highlighter-rouge">gem uni</code> list. Pull request <a href="https://github.com/rubygems/rubygems/pull/6901">#6901</a> by amatsuda</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Reduce allocations for stub specifications. Pull request <a href="https://github.com/rubygems/rubygems/pull/6972">#6972</a> by segiddins</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.20.tgz<br /> f6328a79feca3e749880a6f7cdfd4b6ae945049b83a58ea958e2474a91ba1f3b</li> <li>rubygems-3.4.20.zip<br /> c73f0b54c228e8aa552f57c15ab0b046b42ec4f4eb7621acd33a56f975d64e97</li> <li>rubygems-update-3.4.20.gem<br /> d7b158ab0ff672a780f18fa73e83dfc158384bb229cb14bf977af36fae541f50</li> </ul> August 2023 RubyGems Updates 2023-09-19T00:00:00+00:00 http://blog.rubygems.org/2023/09/19/august-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in August.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3418--2023-08-02">3.4.18</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3419--2023-08-17">3.4.19</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2418-august-2-2023">2.4.18</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2419-august-17-2023">2.4.19</a>.</p> <p>In RubyGems, we improved documentation performance by speeding up the build process when updating RubyGems - <a href="https://github.com/rubygems/rubygems/pull/6864">#6864</a>. We added a poller to fetch WebAuthn OTPs - <a href="https://github.com/rubygems/rubygems/pull/6774">#6774</a>, added a <code class="language-plaintext highlighter-rouge">file</code> option to the Ruby method in the Gemfile - <a href="https://github.com/rubygems/rubygems/pull/6876">#6876</a> and removed some side effects when unmarshalling old <code class="language-plaintext highlighter-rouge">Gem::Specifications</code> - <a href="https://github.com/rubygems/rubygems/pull/6825">#6825</a>.</p> <p>Some other improvements that landed in our repo this month but that are not included in the above releases are:</p> <ul> <li>optimized memory usage in <code class="language-plaintext highlighter-rouge">Bundler::Settings</code>, resulting in a faster boot time - <a href="https://github.com/rubygems/rubygems/pull/6884">#6884</a>.</li> <li>raised <code class="language-plaintext highlighter-rouge">Gem::Package::FormatError</code> when gem encounters corrupt EOF - <a href="https://github.com/rubygems/rubygems/pull/6882">#6882</a>.</li> <li>made an update to resolve the Ruby version file relative to the bundle root - <a href="https://github.com/rubygems/rubygems/pull/6892">#6892</a>.</li> <li>added support for 
ruby file <code class="language-plaintext highlighter-rouge">.tool-versions</code> in Gemfile - <a href="https://github.com/rubygems/rubygems/pull/6898">#6898</a>.</li> <li>fixed a regression that could cause some legacy Gemfiles with multiple sources to take much longer to resolve - <a href="https://github.com/rubygems/rubygems/pull/6916">#6916</a>.</li> <li>improved warning messages for bundled gems - <a href="https://github.com/rubygems/rubygems/pull/6921">#6921</a>.</li> </ul> <p>In August, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-08-01%7D...master@%7B2023-08-31%7D">106 new commits</a> contributed by 17 authors. There were 1,006 additions and 268 deletions across 97 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>fixed the footer sponsor images being cut off at certain screen widths - <a href="https://github.com/rubygems/rubygems.org/pull/3996">#3996</a>.</li> <li>updated Japanese translations - <a href="https://github.com/rubygems/rubygems.org/pull/3998">#3998</a>.</li> <li>allowed searching for a user in <code class="language-plaintext highlighter-rouge">avo</code> api key role resource - <a href="https://github.com/rubygems/rubygems.org/pull/4000">#4000</a>.</li> <li>removed WebAuthn banner from homepage - <a href="https://github.com/rubygems/rubygems.org/pull/4003">#4003</a>.</li> <li>added <code class="language-plaintext highlighter-rouge">Avo</code> to sponsors page - <a href="https://github.com/rubygems/rubygems.org/pull/3999">#3999</a>.</li> <li>uploaded capybara test screenshots on failure - <a href="https://github.com/rubygems/rubygems.org/pull/3990">#3990</a>.</li> <li>fixed compact index files when gems are yanked - <a href="https://github.com/rubygems/rubygems.org/commit/207be52ef6ce4fb9ee5eaed97c09f02277911da2">#207be52ef6ce4fb9ee5eaed97c09f02277911da2</a>.</li> <li>enabled <code 
class="language-plaintext highlighter-rouge">OIDC</code> to fetch API tokens - <a href="https://github.com/rubygems/rubygems.org/pull/3716">#3716</a>.</li> </ul> <p>In August, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-08-01%7D...master@%7B2023-08-31%7D">83 new commits</a> contributed by 15 authors. There were 6,625 additions and 1,967 deletions across 224 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/technicalpickles">@technicalpickles</a> Josh Nichols</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/manuraj17">@manuraj17</a> Manu</li> <li><a href="https://github.com/ngan">@ngan</a> Ngan Pham</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/jhong97">@jhong97</a> John Hong</li> <li><a href="https://github.com/amatsuda">@amatsuda</a> Akira Matsuda</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/gvkhna">@gvkhna</a> Gaurav Khanna</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a 
href="https://github.com/pboling">@pboling</a> Peter Boling</li> <li><a href="https://github.com/bettymakes">@bettymakes</a> Betty Li</li> <li><a href="https://github.com/george-ma">@george-ma</a> George Ma</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/Daniel-N-Huss">@Daniel-N-Huss</a> Daniel Huss</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/nagachika">@nagachika</a> Nagachika</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/gemmaro">@gemmaro</a> gemmaro</li> <li><a href="https://github.com/tnir">@tnir</a> Takuya N</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.19 Released 2023-08-17T00:00:00+00:00 http://blog.rubygems.org/2023/08/17/3.4.19-released <p>RubyGems 3.4.19 includes enhancements and performance.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.4.19 as a default gem.</li> </ul> <p><em>## Performance:</em></p> <ul> <li>Speedup building docs when updating rubygems. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6864">#6864</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.19.tgz<br /> f996294bd50e075eaa0a386b2b0146067e37b7728d3affd022b2ca20f032c16b</li> <li>rubygems-3.4.19.zip<br /> 1ce9513b6157c92e619c934a2aad45e7f69183a9c7db94befe1016da1e63b55b</li> <li>rubygems-update-3.4.19.gem<br /> 5dc2a9092e7d7047b04b7ba8755ad97d42ed1e174e01e5caaae1673433b79a99</li> </ul> July 2023 RubyGems Updates 2023-08-11T00:00:00+00:00 http://blog.rubygems.org/2023/08/11/july-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in July.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3416--2023-07-10">3.4.16</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3417--2023-07-14">3.4.17</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2416-july-10-2023">2.4.16</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2417-july-14-2023">2.4.17</a>.</p> <p>In RubyGems, we <a href="https://github.com/rubygems/rubygems/pull/6810">improved</a> certain <code class="language-plaintext highlighter-rouge">gem install</code> invocations that had gotten slower since the dependencies API was phased out. 
In Bundler, the above releases include several improvements such as <a href="https://github.com/rubygems/rubygems/pull/6784">fixes</a> related to locked platforms, <a href="https://github.com/rubygems/rubygems/pull/6786">improvements</a> to make sections related to Git gems stable, and some other regression fixes.</p> <p>Some other improvements that landed in our repo this month but that are not included in the above releases are:</p> <ul> <li>improved RubyGems <code class="language-plaintext highlighter-rouge">require</code> - <a href="https://github.com/rubygems/rubygems/pull/6827">#6827</a>.</li> <li>improvements related to the Security Devices support feature - <a href="https://github.com/rubygems/rubygems/pull/6774">#6774</a>.</li> <li>updated the Magnus version in the Rust extension gem template - <a href="https://github.com/rubygems/rubygems/pull/6843">#6843</a>.</li> <li>removed side effects when unmarshaling old <code class="language-plaintext highlighter-rouge">Gem::Specification</code> files - <a href="https://github.com/rubygems/rubygems/pull/6825">#6825</a>.</li> <li>made an update to use <code class="language-plaintext highlighter-rouge">File::NULL</code> instead of hard-coded null device names - <a href="https://github.com/rubygems/rubygems/pull/6809">#6809</a>.</li> <li>added Automatiek improvements - <a href="https://github.com/rubygems/rubygems/pull/6788">#6788</a>.</li> </ul> <p>In July, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-07-01%7D...master@%7B2023-07-31%7D">96 new commits</a> contributed by 13 authors. 
There were 1,559 additions and 695 deletions across 86 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>reduced the size of the deployed docker image from &gt;350MB to 277MB - <a href="https://github.com/rubygems/rubygems.org/pull/3894">#3894</a>.</li> <li>redirected MFA Required users to the edit settings page - <a href="https://github.com/rubygems/rubygems.org/pull/3902">#3902</a>.</li> <li>extracted <code class="language-plaintext highlighter-rouge">GEM_NAME_RESERVED_LIST</code> into the database and included it in the admin panel - <a href="https://github.com/rubygems/rubygems.org/pull/3897">#3897</a>.</li> <li>added user validation on MFA Level - <a href="https://github.com/rubygems/rubygems.org/pull/3905">#3905</a>.</li> <li>added “enabled/disabled” badge for OTP &amp; Webauthn - <a href="https://github.com/rubygems/rubygems.org/pull/3936">#3936</a>.</li> <li>fixed issue that led to limiting allowed methods in nginx - <a href="https://github.com/rubygems/rubygems.org/pull/3941">#3941</a>.</li> <li>implemented the <code class="language-plaintext highlighter-rouge">setup_webauthn_authentication</code> helper method in updating MFA level - <a href="https://github.com/rubygems/rubygems.org/pull/3963">#3963</a>.</li> <li>implemented Avo actions to enqueue compact index file upload jobs - <a href="https://github.com/rubygems/rubygems.org/pull/3970">#3970</a>.</li> <li>redirected users to signin after webauthn error occurrences - <a href="https://github.com/rubygems/rubygems.org/pull/3962">#3962</a>.</li> <li>added a <code class="language-plaintext highlighter-rouge">maintenance_tasks</code> engine for running one-off tasks - <a href="https://github.com/rubygems/rubygems.org/pull/3971">#3971</a>.</li> <li>refactored the mailer content to specify the MFA implementation used (TOTP) - <a href="https://github.com/rubygems/rubygems.org/pull/3903">#3903</a> (shown 
below).</li> </ul> <p><img src="https://res.cloudinary.com/lauragift/image/upload/w_300/v1691405747/251542232-7b70ce3f-c92e-41a2-a5a4-279d3ccbd062_ekruea.png" alt="Auth with Yubikey" /></p> <p>In July, RubyGems gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-07-01%7D...master@%7B2023-07-31%7D">99 new commits</a> contributed by 18 authors. There were 2,460 additions and 1,566 deletions across 128 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/ParadoxV5">@ParadoxV5</a> Jimmy H</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/koic">@koic</a> Koichi ITO</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/obregonia1">@obregonia1</a> Kentaro Takeyama</li> <li><a href="https://github.com/fxn">@fxn</a> Xavier Noria</li> <li><a href="https://github.com/ko1">@ko1</a> Koichi Sasada</li> <li><a href="https://github.com/matsadler">@matsadler</a> Mat Sadler</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/bettymakes">@bettymakes</a> Betty Li</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a 
href="https://github.com/george-ma">@george-ma</a> George Ma</li> <li><a href="https://github.com/Schwad">@Schwad</a> Nick Schwaderer</li> <li><a href="https://github.com/shouichi">@shouichi</a> Shouichi Kamiya</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/scottzyang">@scottzyang</a> Scott Yang</li> <li><a href="https://github.com/a5-stable">@a5-stable</a> a5</li> <li><a href="https://github.com/etiennebarrie">@etiennebarrie</a> Étienne Barrié</li> <li><a href="https://github.com/ccmywish">@ccmywish</a> ccmywish</li> <li><a href="https://github.com/ParadoxV5">@ParadoxV5</a> Jimmy H</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> Level up your RubyGems Account Security with Security Devices 2023-08-03T00:00:00+00:00 http://blog.rubygems.org/2023/08/03/level-up-using-security-devices <p>In a <a href="https://blog.rubygems.org/2023/04/11/security-device-cli-support.html">previous blog post</a>, we introduced the latest updates to our security features, including CLI support for security devices and future plans for the feature.</p> <p>We are excited to announce that WebAuthn is fully integrated and is recognized as the preferred choice for multi-factor authentication (MFA). When users register a security device, they will now be provided with recovery codes and be able to configure their <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/#authentication-levels">multi-factor authentication level</a> without needing to enable time-based one-time password (OTP) MFA.</p> <h3 id="why-use-a-security-device">Why use a Security Device?</h3> <p>Security devices offer an additional layer of protection that goes beyond passwords.
By leveraging the <a href="https://www.yubico.com/authentication-standards/webauthn/">WebAuthn standard</a>, which utilizes public-key cryptography, they effectively mitigate the risk of password-related attacks such as phishing and credential stuffing.</p> <p>These devices not only provide enhanced security but also offer greater convenience compared to their time-based one-time password counterparts, making them a preferred choice for authentication.</p> <p>While time-based codes from an authentication app can be intercepted or manipulated by phishing attacks, security devices eliminate the need for code inputs. They provide stronger protection against phishing attempts because they require the security key or the user (for biometric devices) to be present. This eliminates the risks associated with code-based authentication, ensuring a more robust defence against unauthorized access.</p> <h3 id="setting-up-a-security-device">Setting up a Security Device</h3> <p>You can register your security keys and biometric devices on your RubyGems.org <a href="https://rubygems.org/settings/edit#security-device">account settings page</a>, and follow the instructions there to add a new security device to your account.
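The origin binding that gives security devices their phishing resistance, as an added Ruby example that is not RubyGems.org's own verification code: a simulated authenticator signs over the origin the browser actually loaded, and the relying-party check rejects an assertion produced on a look-alike origin as well as a replayed one. The relying-party identity (<code>rubygems.example</code>), the look-alike host and the three-login walk-through are constructed for illustration.

```ruby
require "openssl"
require "json"
require "digest"
require "securerandom"
require "uri"

# Constructed relying-party identity for this example; RubyGems.org's real
# configuration is not reproduced here.
RP_ID     = "rubygems.example"
RP_ORIGIN = "https://rubygems.example"

# --- Authenticator side (a simulated security key) -------------------------
# At registration the key mints a fresh P-256 keypair for this site; only the
# public half goes to the relying party, the private half never leaves the device.
def register_credential
  OpenSSL::PKey::EC.generate("prime256v1")
end

# Public-only copy of the credential, as the relying party would store it.
def public_only(key)
  if key.respond_to?(:public_to_der)
    OpenSSL::PKey.read(key.public_to_der)
  else
    pub = OpenSSL::PKey::EC.new(key.group)
    pub.public_key = key.public_key
    pub
  end
end

# Builds an assertion the way browser + authenticator do: the browser writes the
# origin it actually loaded into clientDataJSON and derives the RP ID from it, so
# a look-alike domain can only ever obtain a signature over its own origin.
def sign_assertion(key, challenge, origin_seen_by_browser, sign_count)
  client_data_json = JSON.generate({
    "type" => "webauthn.get", "challenge" => challenge, "origin" => origin_seen_by_browser
  })
  rp_id_hash = Digest::SHA256.digest(URI(origin_seen_by_browser).host)
  flags = 0x01 # UP bit: user presence was tested on the device
  authenticator_data = rp_id_hash + [flags].pack("C") + [sign_count].pack("N")
  to_sign = authenticator_data + Digest::SHA256.digest(client_data_json)
  signature = key.sign(OpenSSL::Digest.new("SHA256"), to_sign)
  { client_data_json: client_data_json, authenticator_data: authenticator_data, signature: signature }
end

# --- Relying-party side (what the server checks at login) ------------------
class AssertionVerifier
  Result = Struct.new(:ok, :reason)

  def initialize(rp_id:, origin:, public_key:, last_sign_count: 0)
    @rp_id, @origin, @public_key, @last_sign_count = rp_id, origin, public_key, last_sign_count
  end

  # Checks follow the order of the WebAuthn assertion verification procedure.
  def verify(assertion, expected_challenge)
    client_data = JSON.parse(assertion[:client_data_json])
    return Result.new(false, "type mismatch")      unless client_data["type"] == "webauthn.get"
    return Result.new(false, "challenge mismatch") unless secure_compare(client_data["challenge"].to_s, expected_challenge)
    return Result.new(false, "origin mismatch")    unless client_data["origin"] == @origin

    auth_data = assertion[:authenticator_data]
    return Result.new(false, "rpIdHash mismatch")  unless secure_compare(auth_data[0, 32], Digest::SHA256.digest(@rp_id))
    return Result.new(false, "user not present")   unless (auth_data[32].ord & 0x01) == 0x01
    count = auth_data[33, 4].unpack1("N")
    return Result.new(false, "counter did not advance") unless count > @last_sign_count

    signed = auth_data + Digest::SHA256.digest(assertion[:client_data_json])
    return Result.new(false, "bad signature") unless @public_key.verify(OpenSSL::Digest.new("SHA256"), assertion[:signature], signed)

    @last_sign_count = count
    Result.new(true, "ok")
  end

  private

  # Constant-time byte comparison so the challenge/rpIdHash checks do not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Three logins against one registered key: a genuine one, one relayed through a
# constructed look-alike origin, and a replay of the genuine assertion.
def demo
  key = register_credential
  verifier = AssertionVerifier.new(rp_id: RP_ID, origin: RP_ORIGIN, public_key: public_only(key))
  challenge = SecureRandom.urlsafe_base64(32)

  genuine = sign_assertion(key, challenge, RP_ORIGIN, 1)
  relayed = sign_assertion(key, challenge, "https://rubygems-login.example", 2)

  {
    genuine: verifier.verify(genuine, challenge),
    relayed: verifier.verify(relayed, challenge),
    replayed: verifier.verify(genuine, challenge),
  }
end
```

A real relying party also issues a fresh challenge per login, so a replay fails the challenge check before the counter check is reached.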
To learn more about security devices and multi-factor authentication support in RubyGems, please refer to the <a href="https://guides.rubygems.org/setting-up-webauthn-mfa/">guides</a>.</p> <p>If you have any feedback, questions or ideas on this feature and how to make RubyGems better and more secure, please reach out to us in the <a href="https://bundler.slack.com/">Bundler Slack workspace</a> or open a <a href="https://github.com/rubygems/rubygems.org/issues">GitHub issue</a>.</p> 3.4.18 Released 2023-08-02T00:00:00+00:00 http://blog.rubygems.org/2023/08/02/3.4.18-released <p>RubyGems 3.4.18 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements:</h3> <ul> <li>Add poller to fetch WebAuthn OTP. Pull request <a href="https://github.com/rubygems/rubygems/pull/6774">#6774</a> by jenshenny</li> <li>Remove side effects when unmarshaling old <code class="language-plaintext highlighter-rouge">Gem::Specification</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6825">#6825</a> by nobu</li> <li>Ship rubygems executables in <code class="language-plaintext highlighter-rouge">exe</code> folder.
Pull request <a href="https://github.com/rubygems/rubygems/pull/6704">#6704</a> by hsbt</li> <li>Installs bundler 2.4.18 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.18.tgz<br /> fb21d325679d64d0a4911308453d74dd031314938395b2763f055b4e0844a343</li> <li>rubygems-3.4.18.zip<br /> 8fedfb1ac61101fcf4bbd842216f4f87fd5ca1ab406867ed859f65ad13011228</li> <li>rubygems-update-3.4.18.gem<br /> 12b031edcdbb8d8bc8f3d208c873aed381d5617db3d274f48237acf0fed73546</li> </ul> June 2023 RubyGems Updates 2023-07-17T00:00:00+00:00 http://blog.rubygems.org/2023/07/17/june-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in June.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3414--2023-06-12">3.4.14</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3415--2023-06-29">3.4.15</a>, and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2414-june-12-2023">2.4.14</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2415-june-29-2023">2.4.15</a>.</p> <p>The following improvements and fixes are included in these releases (see the changelog for more information):</p> <ul> <li>resolved a problem where using git sources could make the order of lockfiles unstable - <a href="https://github.com/rubygems/rubygems/pull/6786">#6786</a>.</li> <li>updated the command to test local gem command changes - <a href="https://github.com/rubygems/rubygems/pull/6761">#6761</a>.</li> <li>enabled <code class="language-plaintext highlighter-rouge">Performance/FlatMap</code> cop - <a href="https://github.com/rubygems/rubygems/pull/6745">#6745</a>.</li> <li>improved the edge case error message - 
<a href="https://github.com/rubygems/rubygems/pull/6733">#6733</a>.</li> <li>stopped publishing the Gemfile in the default gem template - <a href="https://github.com/rubygems/rubygems/pull/6723">#6723</a>.</li> <li>added a fix to avoid infinite loops when hitting resolution bugs - <a href="https://github.com/rubygems/rubygems/pull/6722">#6722</a>.</li> <li>stopped failures from occurring when the build directory name contains a <code class="language-plaintext highlighter-rouge">+</code> symbol - <a href="https://github.com/rubygems/rubygems/pull/6750">#6750</a>.</li> </ul> <p>In June, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-06-01%7D...master@%7B2023-06-30%7D">109 new commits</a> contributed by 10 authors. There were 978 additions and 624 deletions across 110 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>updated <code class="language-plaintext highlighter-rouge">toxiproxy</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3884">#3884</a>.</li> <li>updated <code class="language-plaintext highlighter-rouge">kubeconform</code> used on CI - <a href="https://github.com/rubygems/rubygems.org/pull/3886">#3886</a>.</li> <li>switched <code class="language-plaintext highlighter-rouge">webauthn_credentials.any?</code> and <code class="language-plaintext highlighter-rouge">.present?</code> to <code class="language-plaintext highlighter-rouge">webauthn_enabled?</code>
- <a href="https://github.com/rubygems/rubygems.org/pull/3867">#3867</a>.</li> <li>added recovery code support for webauthn - <a href="https://github.com/rubygems/rubygems.org/pull/3859">#3859</a>.</li> <li>made <code class="language-plaintext highlighter-rouge">create_between</code> consistent for versions with the same <code class="language-plaintext highlighter-rouge">created_at</code> timeframe - <a href="https://github.com/rubygems/rubygems.org/pull/3887">#3887</a>.</li> <li>added an admin action to reserve a gem namespace - <a href="https://github.com/rubygems/rubygems.org/pull/3875">#3875</a>.</li> </ul> <p><img src="https://res.cloudinary.com/lauragift/image/upload/w_650,h_500/v1689579722/248446070-a0eeaafa-1d52-4825-b73c-ccfa7a77228d_xqcueg.png" alt="admin dashboard" /></p> <p>In June, RubyGems gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-06-01%7D...master@%7B2023-06-30%7D">113 new commits</a> contributed by 11 authors. There were 2,262 additions and 463 deletions across 76 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month!
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/davetron5000">@davetron5000</a> David Copeland</li> <li><a href="https://github.com/gareth">@gareth</a> Gareth Adams</li> <li><a href="https://github.com/ioquatix">@ioquatix</a> Samuel Williams</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/andrykonchin">@andrykonchin</a> Andrii Konchyn</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/george-ma">@george-ma</a> George Ma</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/juankuquintana">@juankuquintana</a> Juan Ku Quintana</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/bettymakes">@bettymakes</a> Betty Li</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/bradly">@bradly</a> Bradly Feeley</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.17 Released 2023-07-14T00:00:00+00:00 http://blog.rubygems.org/2023/07/14/3.4.17-released <p>RubyGems 3.4.17 includes enhancements and performance improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements:</h3> <ul> <li>Installs bundler 2.4.17 as a default gem.</li> </ul> <h3>Performance:</h3> <ul> <li>Avoid unnecessary work for private local gem installation. Pull request <a href="https://github.com/rubygems/rubygems/pull/6810">#6810</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.17.tgz<br /> 4afaaa9463e2a8779943432fba56e07396ccec4d4edc72bb06d9db8ac706d2f1</li> <li>rubygems-3.4.17.zip<br /> 33d69426993f7cc15deaa22ef9048d96008dda77b74ea3a208e8fe5fbfdc86d7</li> <li>rubygems-update-3.4.17.gem<br /> bc4879f01319c10c9c5f32fd98f412d1fe1a9c84b95c87b9b2969f210f362d67</li> </ul> 3.4.16 Released 2023-07-10T00:00:00+00:00 http://blog.rubygems.org/2023/07/10/3.4.16-released <p>RubyGems 3.4.16 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements:</h3> <ul> <li>Installs bundler 2.4.16 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.16.tgz<br /> 4f9f300cb30e08f3f0a0fb97759be95de17bc84457bd6d653f156a7bccc5b3a3</li> <li>rubygems-3.4.16.zip<br />
6ba5c0dda96c152a2a78df80e8853449463ad25774038cf4a07d37b4bd047ad8</li> <li>rubygems-update-3.4.16.gem<br /> bbb280fdb45831662845160e84856948396e86e271f151bc00e32d485aae5288</li> </ul> 3.4.15 Released 2023-06-29T00:00:00+00:00 http://blog.rubygems.org/2023/06/29/3.4.15-released <p>RubyGems 3.4.15 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements:</h3> <ul> <li>Installs bundler 2.4.15 as a default gem.</li> </ul> <h3>Bug fixes:</h3> <ul> <li>Autoload shellwords when it’s needed. Pull request <a href="https://github.com/rubygems/rubygems/pull/6734">#6734</a> by ioquatix</li> </ul> <h3>Documentation:</h3> <ul> <li>Update command to test local gem command changes. Pull request <a href="https://github.com/rubygems/rubygems/pull/6761">#6761</a> by jenshenny</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.15.tgz<br /> 3828e865bcf7127f0446ae354fe6f29077a82a4386bcc5550d7db590a632a4ac</li> <li>rubygems-3.4.15.zip<br /> 83942fc9c9a69c383d82854f935a5db9851d4ebe34c89784afd8cca7ecf2f57a</li> <li>rubygems-update-3.4.15.gem<br /> bf44173e671662764617fba794ae4d850436f9865aa950d28e55998a538c5144</li> </ul> May 2023 RubyGems Updates 2023-06-19T00:00:00+00:00 http://blog.rubygems.org/2023/06/19/may-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month.
Read on to find out what updates were made to RubyGems and RubyGems.org in May.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3413--2023-05-09">3.4.13</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2413-may-9-2023">2.4.13</a>.</p> <p>Other changes that landed in our repo during May were:</p> <ul> <li>ongoing unification of RubyGems and Bundler codebases - <a href="https://github.com/rubygems/rubygems/pull/6691">#6691</a>, <a href="https://github.com/rubygems/rubygems/pull/6716">#6716</a>.</li> <li>a fix for API key loading when RubyGems host is set to development - <a href="https://github.com/rubygems/rubygems/pull/6683">#6683</a>.</li> <li>a new error message to be shown when trying to update bundler in frozen mode - <a href="https://github.com/rubygems/rubygems/pull/6684">#6684</a>.</li> <li>an update that makes the frozen setting take precedence over the deployment setting - <a href="https://github.com/rubygems/rubygems/pull/6685">#6685</a>.</li> <li>a fix to correct deployment vs path precedence - <a href="https://github.com/rubygems/rubygems/pull/6703">#6703</a>.</li> </ul> <p>In May, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-05-01%7D...master@%7B2023-05-31%7D">91 new commits</a> contributed by 9 authors. 
There were 674 additions and 1,001 deletions across 103 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>improved styling on the reverse dependencies page - <a href="https://github.com/rubygems/rubygems.org/pull/3760">#3760</a>.</li> <li>an increase in the number of Puma threads from 1 to 5 - <a href="https://github.com/rubygems/rubygems.org/pull/3773">#3773</a>.</li> <li>setting up <code class="language-plaintext highlighter-rouge">kubeconform</code> to lint rendered k8s yaml - <a href="https://github.com/rubygems/rubygems.org/pull/3774">#3774</a>.</li> <li>an added job to upload pre-rendered versions files to S3 - <a href="https://github.com/rubygems/rubygems.org/pull/3775">#3775</a>.</li> <li>an added email notification when MFA is enabled - <a href="https://github.com/rubygems/rubygems.org/pull/3779">#3779</a>.</li> <li>a fix to ensure <code class="language-plaintext highlighter-rouge">x-amz-meta-Surrogate-Control</code> is set for <code class="language-plaintext highlighter-rouge">/versions</code> from S3 - <a href="https://github.com/rubygems/rubygems.org/pull/3787">#3787</a>.</li> <li>an added default mailer port configuration for the development environment - <a href="https://github.com/rubygems/rubygems.org/pull/3792">#3792</a>.</li> <li>renaming user OTP methods to reference OTP instead of MFA - <a href="https://github.com/rubygems/rubygems.org/pull/3807">#3807</a>.</li> <li>referencing <code class="language-plaintext highlighter-rouge">UserWebauthnMethods</code> in <code class="language-plaintext highlighter-rouge">UserMultifactorMethods</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3808">#3808</a>.</li> </ul> <p>In May, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-05-01%7D...master@%7B2023-05-31%7D">105 new commits</a>, contributed by 12 authors.
There were 1,515 additions and 1,223 deletions across 103 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/aeroastro">@aeroastro</a> Takumasa Ochi</li> <li><a href="https://github.com/Kou">@kou</a> Sutou Kouhei</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/javier-menendez">@javier-menendez</a> Javier Menéndez Rizo</li> <li><a href="https://github.com/colby-swandale">@colby-swandale</a> Colby Swandale</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/garyhtou">@garyhtou</a> Gary Tou</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/dancristianb">@dancristianb</a> Dan Cristian</li> <li><a href="https://github.com/juankuquintana">@juankuquintana</a> Juan Ku Quintana</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.14 Released 2023-06-12T00:00:00+00:00 http://blog.rubygems.org/2023/06/12/3.4.14-released <p>RubyGems 3.4.14 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements:</h3> <ul> <li>Load plugin immediately. Pull request <a href="https://github.com/rubygems/rubygems/pull/6673">#6673</a> by kou</li> <li>Installs bundler 2.4.14 as a default gem.</li> </ul> <h3>Documentation:</h3> <ul> <li>Clarify what the <code class="language-plaintext highlighter-rouge">rubygems-update</code> gem is for, and link to source code and guides. Pull request <a href="https://github.com/rubygems/rubygems/pull/6710">#6710</a> by davetron5000</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.14.tgz<br /> 979b1842848a39be4d90efc9d399c294aca0b6e67d45f800b26c93cc22d03983</li> <li>rubygems-3.4.14.zip<br /> c32ac2e19a4cb774db1651985ab0ada9e541b46f3fd37637a785ffaec6de6300</li> <li>rubygems-update-3.4.14.gem<br /> 7edbb248a933384dd733133086e28777156d3dd3b6c927774fdfea14fd0e8a5a</li> </ul> April 2023 RubyGems Updates 2023-05-17T00:00:00+00:00 http://blog.rubygems.org/2023/05/17/april-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month.
Read on to find out what updates were made to RubyGems and RubyGems.org in April.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3411--2023-04-10">3.4.11</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3412--2023-04-11">3.4.12</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2411-april-10-2023">2.4.11</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2412-april-11-2023">2.4.12</a>.</p> <p>The following improvements and fixes are included in these releases (see the changelog for more information):</p> <ul> <li>reduced chances of Bundler reverting to old APIs by removing a fallback to full indexes on big gemfiles in RubyGems - <a href="https://github.com/rubygems/rubygems/pull/6578">#6578</a>.</li> <li>made RubyGems less dependent on default gems by using a vendored <code class="language-plaintext highlighter-rouge">pure-ruby</code> YAML parser to load its own configuration - <a href="https://github.com/rubygems/rubygems/pull/6615">#6615</a>.</li> <li>added some development improvements like RuboCop enhancements - <a href="https://github.com/rubygems/rubygems/pull/6599">#6599</a>, <a href="https://github.com/rubygems/rubygems/pull/6608">#6608</a>, <a href="https://github.com/rubygems/rubygems/pull/6586">#6586</a>, <a href="https://github.com/rubygems/rubygems/pull/6590">#6590</a>, <a href="https://github.com/rubygems/rubygems/pull/6582">#6582</a>, and unified our tasks to vendor gems - <a href="https://github.com/rubygems/rubygems/pull/6628">#6628</a>.</li> </ul> <p>In April, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-04-01%7D...master@%7B2023-04-30%7D">128 new commits</a> contributed by 12 authors. 
There were 2,125 additions and 1,244 deletions across 175 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <h3 id="dependency-api-updates">Dependency API Updates:</h3> <p>Based on additional feedback from community members, we have pushed back the removal by two weeks and added an exception until August 8 for Java users. New brownout dates are May 12, 15, 17, 19, 22, and the removal date is moved from May 10 to May 24.</p> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>refactored WebAuthn Verification logic - <a href="https://github.com/rubygems/rubygems.org/pull/3720">#3720</a>.</li> <li>added logging around pushing gems - <a href="https://github.com/rubygems/rubygems.org/pull/3745">#3745</a>.</li> <li>added an admin Tool: Yank user - <a href="https://github.com/rubygems/rubygems.org/pull/3684">#3684</a>.</li> <li>fixed password hint text - <a href="https://github.com/rubygems/rubygems.org/pull/3730">#3730</a>.</li> <li>added a mailer for WebAuthn credential updates - <a href="https://github.com/rubygems/rubygems.org/pull/3695">#3695</a>.</li> <li>added a pop-up when a WebAuthn credential is deleted -<a href="https://github.com/rubygems/rubygems.org/pull/3708">#3708</a>.</li> <li>added an admin Tool: Change User Email - <a href="https://github.com/rubygems/rubygems.org/pull/3709">#3709</a>.</li> <li>allowed <code class="language-plaintext highlighter-rouge">avo</code> to search when index is allowed - <a href="https://github.com/rubygems/rubygems.org/pull/3725">#3725</a>.</li> <li>enabled Datadog HTTP request queuing - <a href="https://github.com/rubygems/rubygems.org/pull/3754">#3754</a>.</li> <li>removed outdated <code class="language-plaintext highlighter-rouge">bin/update_vendor_cache</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3752">#3752</a>.</li> <li>fixed lifecycle location in k8s yaml config - <a href="https://github.com/rubygems/rubygems.org/pull/3747">#3747</a>.</li> 
<li>added the <code class="language-plaintext highlighter-rouge">preStop</code> lifecycle hook to Nginx - <a href="https://github.com/rubygems/rubygems.org/pull/3746">#3746</a>.</li> <li>removed nginx version caching - <a href="https://github.com/rubygems/rubygems.org/pull/3714">#3714</a>.</li> <li>advertised that compact index actions accept range requests - <a href="https://github.com/rubygems/rubygems.org/pull/3713">#3713</a>.</li> <li>updated the default response to render plain text in <code class="language-plaintext highlighter-rouge">WebauthnVerification#authenticate</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3712">#3712</a>.</li> <li>added caching to dependency API - <a href="https://github.com/rubygems/rubygems.org/pull/3703">#3703</a>.</li> <li>updated Ingress apiVersion to <code class="language-plaintext highlighter-rouge">networking.k8s.io/v1</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3687">#3687</a>.</li> <li>replaced the dependency API route with search in encoding test - <a href="https://github.com/rubygems/rubygems.org/pull/3682">#3682</a>.</li> <li>added a message shown to the user when Safari is detected - <a href="https://github.com/rubygems/rubygems.org/pull/3674">#3674</a>.</li> </ul> <p><img src="https://res.cloudinary.com/lauragift/image/upload/w_800,h_400/v1684313721/229232078-ec42d109-2d9f-4dce-9cee-fe1124db6da4_ibdvg3.png" alt="safari message" /></p> <p>In April, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-04-01%7D...master@%7B2023-04-31%7D">162 new commits</a>, contributed by 15 authors. There were 4,754 additions and 1,317 deletions across 164 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month!
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/luke-gru">@luke-gru</a> Luke Gruber</li> <li><a href="https://github.com/aellispierce">@aellispierce</a> Ashley Ellis Pierce</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/jchestershopify">@jchestershopify</a> Jacques Chester</li> <li><a href="https://github.com/bettymakes">@bettymakes</a> Betty Li</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/MRozmus">@MRozmus</a> Marcin Rozmus</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/jchestershopify">@jchestershopify</a> Jacques Chester</li> <li><a href="https://github.com/aellispierce">@aellispierce</a> Ashley Ellis Pierce</li> <li><a href="https://github.com/bettymakes">@bettymakes</a> Betty Li</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/adrianthedev">@adrianthedev</a> Adrian Marin</li> <li><a href="https://github.com/arunagw">@arunagw</a> Arun Agrawal</li> <li><a 
href="https://github.com/javier-menendez">@javier-menendez</a> Javier Menéndez Rizo</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.13 Released 2023-05-10T00:00:00+00:00 http://blog.rubygems.org/2023/05/10/3.4.13-released <p>RubyGems 3.4.13 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements:</h3> <ul> <li>Installs bundler 2.4.13 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.13.tgz<br /> b3feca09b7f4ef37b3b80480ec4d37b7cdd40d8e96fdf170f5b9633a9ad75a5b</li> <li>rubygems-3.4.13.zip<br /> bd5ee7126a6bf18836a37be6b3d99290fe2c9f7a18aaad2ec7379292a23e7ebb</li> <li>rubygems-update-3.4.13.gem<br /> d6d5e256666a5c515e4abfb5e9cf04e70f0d5a3d28cc1fb5aceeeca9e0eb25d6</li> </ul> March 2023 RubyGems Updates 2023-04-18T00:00:00+00:00 http://blog.rubygems.org/2023/04/18/march-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month.
Read on to find out what updates were made to RubyGems and RubyGems.org in March.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#348--2023-03-08">3.4.8</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#349--2023-03-20">3.4.9</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3410--2023-03-27">3.4.10</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#248-march-8-2023">2.4.8</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#249-march-20-2023">2.4.9</a>, and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2410-march-27-2023">2.4.10</a>.</p> <p>The following improvements and fixes are included in these releases (see the changelog for more information):</p> <ul> <li>enhanced <code class="language-plaintext highlighter-rouge">tar</code> file functionality to support future server-side gem content navigation features - <a href="https://github.com/rubygems/rubygems/pull/6494">#6494</a>, <a href="https://github.com/rubygems/rubygems/pull/6476">#6476</a>, <a href="https://github.com/rubygems/rubygems/pull/6390">#6390</a>.</li> <li>improved auto-healing of corrupted lockfiles and fixed some related regressions - <a href="https://github.com/rubygems/rubygems/pull/6400">#6400</a>, <a href="https://github.com/rubygems/rubygems/pull/6423">#6423</a>, <a href="https://github.com/rubygems/rubygems/pull/6552">#6552</a>, <a href="https://github.com/rubygems/rubygems/pull/6540">#6540</a>, <a href="https://github.com/rubygems/rubygems/pull/6532">#6532</a>, <a href="https://github.com/rubygems/rubygems/pull/6495">#6495</a>.</li> <li>fixed resolution edge cases - <a href="https://github.com/rubygems/rubygems/pull/6330">#6330</a>, <a href="https://github.com/rubygems/rubygems/pull/6442">#6442</a>, <a 
href="https://github.com/rubygems/rubygems/pull/6441">#6441</a>, <a href="https://github.com/rubygems/rubygems/pull/6535">#6535</a>.</li> <li>added support of OTP fallback when OTP and WebAuthn are enabled from the CLI - <a href="https://github.com/rubygems/rubygems/pull/6523">#6523</a>.</li> <li>unified RubyGems and Bundler Rubocop rules - <a href="https://github.com/rubygems/rubygems/pull/6487">#6487</a>.</li> </ul> <p>Other improvements we worked on during this month that weren’t included in the March release are:</p> <ul> <li>fixed the <code class="language-plaintext highlighter-rouge">gems.rb</code> lockfile for Bundler version lookup in the template file - <a href="https://github.com/rubygems/rubygems/pull/6413">#6413</a>.</li> <li>added gem version promoter specs - <a href="https://github.com/rubygems/rubygems/pull/6537">#6537</a>.</li> <li>added a better suggestion when <code class="language-plaintext highlighter-rouge">bundler/setup</code> fails due to missing gems and Gemfile is not the default - <a href="https://github.com/rubygems/rubygems/pull/6428">#6428</a>.</li> <li>removed an unhelpful side-effect of <code class="language-plaintext highlighter-rouge">GEM_HOME</code> configuration in some tests - <a href="https://github.com/rubygems/rubygems/pull/6461">#6461</a>.</li> </ul> <p>In March, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-03-01%7D...master@%7B2023-03-31%7D">332 new commits</a>, contributed by 14 authors. 
There were 4,504 additions and 3,236 deletions across 432 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>added a default retry for application job - <a href="https://github.com/rubygems/rubygems.org/pull/3539">#3539</a>.</li> <li>added a log tickets page to the admin dashboard - <a href="https://github.com/rubygems/rubygems.org/pull/3586">#3586</a>.</li> <li>fixed Fastly soft purging - <a href="https://github.com/rubygems/rubygems.org/pull/3619">#3619</a>.</li> <li>added a feature to allow an admin to reset the user API key from Admin Tools - <a href="https://github.com/rubygems/rubygems.org/pull/3622">#3622</a>.</li> <li>fixed a flaky test by making <code class="language-plaintext highlighter-rouge">Rubygem#protected_days</code> stop at zero - <a href="https://github.com/rubygems/rubygems.org/pull/3655">#3655</a>.</li> <li>disabled LaunchDarkly in local environments - <a href="https://github.com/rubygems/rubygems.org/pull/3647">#3647</a>.</li> <li>renamed <code class="language-plaintext highlighter-rouge">GemContentEntry</code> to <code class="language-plaintext highlighter-rouge">RubygemContents::Entry</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3669">#3669</a>.</li> <li>removed delayed job <code class="language-plaintext highlighter-rouge">statsd</code> deployment since it’s no longer in use - <a href="https://github.com/rubygems/rubygems.org/pull/3642">#3642</a>.</li> <li>stored and yanked gem contents in background jobs - <a href="https://github.com/rubygems/rubygems.org/pull/3454">#3454</a>.</li> <li>added a response to the CLI on webauthn verification - <a href="https://github.com/rubygems/rubygems.org/pull/3535">#3535</a>.</li> </ul> <p>In March, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-03-01%7D...master@%7B2023-03-31%7D">190 new commits</a>, contributed by 15 authors. 
There were 7,437 additions and 2,105 deletions across 337 files.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/TonyCTHsu">@TonyCTHsu</a> TonyCTHsu</li> <li><a href="https://github.com/orien">@orien</a> Orien Madgwick</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/johnnyshields">@johnnyshields</a> Johnny Shields</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/Julzerator">@Julzerator</a> Julie Haehn</li> <li><a href="https://github.com/KJTsanaktsidis">@KJTsanaktsidis</a> KJ Tsanaktsidis</li> <li><a href="https://github.com/MSP-Greg">@MSP-Greg</a> MSP-Greg</li> <li><a href="https://github.com/voxik">@voxik</a> Vít Ondruch</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/stirlhoss">@stirlhoss</a> Stirling Hostetter</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/y-yagi">@y-yagi</a> 
y-yagi</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/jchestershopify">@jchestershopify</a> Jacques Chester</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/cprodhomme">@cprodhomme</a> Clément Prod’homme</li> <li><a href="https://github.com/arunagw">@arunagw</a> Arun Agrawal</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> Introducing Security Device support on RubyGems’ CLI 2023-04-11T00:00:00+00:00 http://blog.rubygems.org/2023/04/11/security-device-cli-support <p>In a world where many maintainer accounts are being targeted to distribute malicious code via our packages, it is crucial to add more measures that will help prevent these account takeovers. At the end of 2022, we <a href="https://blog.rubygems.org/2022/12/21/introducing-hardware-security-token-and-passkey-support.html">announced</a> the addition of hardware security token and passkey support (aka WebAuthn) to help secure your RubyGems’ account in the browser.</p> <p>Starting today, you can now use your registered security device as a multi-factor method on the RubyGems CLI! This feature is available in <a href="https://blog.rubygems.org/2023/04/11/3.4.12-released.html">RubyGems 3.4.12</a> and above.</p> <p>If you have a security device registered, you will be redirected to the browser to authenticate using your security device when signing in on the command line. 
The same process also applies to other MFA-required commands, if enabled.</p> <p>To read more about WebAuthn and multi-factor authentication support in RubyGems, please refer to the <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/">guides</a>.</p> <h3 id="whats-next">What’s next?</h3> <p>We are still working to make WebAuthn a drop-in replacement for time-based one-time passwords (TOTP). In the near future, users who register a security device will be given recovery codes and be able to select the appropriate MFA level for their account without needing to set up TOTP-based authentication.</p> <p>We are still investing to make a safer, more secure ecosystem for Rubyists, so be sure to stay tuned for updates!</p> <p>If you have any feedback, questions or ideas on how to make RubyGems better and more secure, please contact us in the <a href="https://bundler.slack.com/">Bundler Slack workspace</a> or open a <a href="https://github.com/rubygems/rubygems.org/issues">GitHub issue</a>.</p> 3.4.12 Released 2023-04-11T00:00:00+00:00 http://blog.rubygems.org/2023/04/11/3.4.12-released <p>RubyGems 3.4.12 introduces experimental WebAuthn CLI support.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>[Experimental] Add WebAuthn Support to the CLI. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6560">#6560</a> by jenshenny</li> <li>Installs bundler 2.4.12 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.12.tgz<br /> 5850a7c2fc380cdd3da704a1ce7bb048d42d4800933df50b8920265b5845e15b</li> <li>rubygems-3.4.12.zip<br /> f7a72fcc0c4753b8d2bb310920af65c0f64469eb5c9e10bd0da80c053cc2f147</li> <li>rubygems-update-3.4.12.gem<br /> 27fd5fee9959c76e762b5794f3afce2f9146e8ff2d41bc246d0c1b57fbc68161</li> </ul> 3.4.11 Released 2023-04-10T00:00:00+00:00 http://blog.rubygems.org/2023/04/10/3.4.11-released <p>RubyGems 3.4.11 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.4.11 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.11.tgz<br /> a3dcf37385b4e454a6ecfe6daa00729d2c2a0342dad3190ba2668f1cb220cb17</li> <li>rubygems-3.4.11.zip<br /> 755f23450752e3b11d56eb8e0bcbb23fbbfd271c28ed2e3965f17544055cfea0</li> <li>rubygems-update-3.4.11.gem<br /> 7d9a7ff6f039a16a9ce89e22d0b73a76ada9948d33e8ecb401985e98a5aa7363</li> </ul> Dependency API Deprecation Delayed 2023-04-07T00:00:00+00:00 http://blog.rubygems.org/2023/04/07/dependency-api-deprecation-delayed <p><strong>Update</strong>: Based on additional feedback from community members, we have pushed back the removal by two weeks and added an exception until August 8 for Java users. New brownout dates are May 12, 15, 17, 19, 22, and the removal date is moved from May 10 to May 24.</p> <p><strong>tl;dr</strong>: the Dependency API will stick around for an extra month to allow downstream projects more time to handle the change. 
New brownout dates: April 10, 17, 24, May 1, 3, 5, 12, 15, 17, 19, 22. New removal date: May 24.</p> <h3 id="what-happened">What happened</h3> <p>Back in February, we posted about <a href="https://blog.rubygems.org/2023/02/22/dependency-api-deprecation.html">our plan to remove the Dependency API</a>. During the full day brownout on April 3, we started to hear from users of third party software like Artifactory and Nexus that it was impossible for them to install gems.</p> <p>It turns out that Artifactory and Nexus (at least sometimes) get a <code class="language-plaintext highlighter-rouge">404 Not Found</code> response from RubyGems.org, but then return a <code class="language-plaintext highlighter-rouge">200 OK</code> response to Bundler or RubyGems. Unfortunately, that <code class="language-plaintext highlighter-rouge">200 OK</code> response prevents Bundler from falling back to the full index, and breaks installing gems.</p> <p>We definitely weren’t expecting Artifactory or Nexus to tell Bundler the API request was successful but empty after we returned a 404!</p> <h3 id="what-were-doing">What we’re doing</h3> <p>Because of this unexpected impact on end users, we have decided to push back removing the dependency API by one month, to May 10. 
There will be additional 24-hour brownouts on:</p> <ul> <li>April 10 00:00:01 to 23:59:59 (UTC)</li> <li>April 17 00:00:01 to 23:59:59 (UTC)</li> <li>April 24 00:00:01 to 23:59:59 (UTC)</li> <li>May 01 00:00:01 to 23:59:59 (UTC)</li> <li>May 03 00:00:01 to 23:59:59 (UTC)</li> <li>May 05 00:00:01 to 23:59:59 (UTC)</li> <li>May 12 00:00:01 to 23:59:59 (UTC)</li> <li>May 15 00:00:01 to 23:59:59 (UTC)</li> <li>May 17 00:00:01 to 23:59:59 (UTC)</li> <li>May 19 00:00:01 to 23:59:59 (UTC)</li> <li>May 22 00:00:01 to 23:59:59 (UTC)</li> </ul> <p>The dependency API will be disabled on May 24, 2023, at 00:00:01 UTC.</p> <h3 id="gemfile-workaround">Gemfile workaround</h3> <p>If you’re using Bundler, the simplest workaround is to use a RubyGems.org source block in your Gemfile for any gems you are installing from RubyGems.org. Here’s an example:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">source</span> <span class="s2">"https://rubygems.org"</span> <span class="k">do</span>
  <span class="n">gem</span> <span class="s2">"from_rubygems"</span>
<span class="k">end</span>

<span class="n">source</span> <span class="s2">"my.internal.artifactory"</span> <span class="k">do</span>
  <span class="n">gem</span> <span class="s2">"private_gem"</span>
<span class="k">end</span>
</code></pre></div></div> <h3 id="artifactory-issues">Artifactory issues</h3> <p>JFrog has already posted <a href="https://jfrog.com/help/r/artifactory-rubygems-org-dependency-api-deprecation">an official solution to the problem</a>, which consists of enabling a single configuration flag in Artifactory to provide the newer compact index format instead.</p> <p>There is <a href="https://jfrog.atlassian.net/browse/RTFACT-29525">a public Jira ticket</a> that includes discussion of the problem, as well as an nginx or apache-based workaround that can also be applied.</p> <p>If you are having problems using Artifactory, please <a 
href="https://jfrog.com/support/">contact JFrog support</a>.</p> <h3 id="nexus-issues">Nexus issues</h3> <p>There is <a href="https://issues.sonatype.org/browse/NEXUS-38452">a public Nexus Jira ticket</a> that includes discussion of the problem, as well as an nginx based workaround that can be applied for the time being.</p> <p>If you are having problems using Nexus, please <a href="https://support.sonatype.com/">contact Sonatype support</a>.</p> <h3 id="other-issues">Other issues</h3> <p>If you are seeing a problem while using Artifactory, Nexus, Chef, Puppet, or any other software that depends on RubyGems, please contact the vendor for that product directly for support.</p> <p>If you are having a problem directly with RubyGems.org, please <a href="https://github.com/rubygems/rubygems.org/issues">open a ticket in our public issue tracker</a> instead of asking for private support. Please avoid contacting maintainers directly to ask for help.</p> <p>The RubyGems.org team is only a few people, and none of us are able to work on RubyGems as our full-time job. 
We are providing a free service because we love the Ruby community, but we are not a commercial product with revenue that would allow us to have full-time staff to help with problems.</p> <p>We are happy to listen to your feedback, and try to work with you to find a solution with the best outcome for you, the Ruby community, and the maintainers of RubyGems.</p> 3.4.10 Released 2023-03-27T00:00:00+00:00 http://blog.rubygems.org/2023/03/27/3.4.10-released <p>RubyGems 3.4.10 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.4.10 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.10.tgz<br /> 55f1c67fa2ae96c9751b81afad5c0f2b3792c5b19cbba6d54d8df9fd821460d3</li> <li>rubygems-3.4.10.zip<br /> 212aab78da1fc9fc6a7f43bf10584cf6c7e3704f1ecb9dc1bca012a399cb011c</li> <li>rubygems-update-3.4.10.gem<br /> a1a93ded10d23f4f5a57acd8614609e65658a7cf0c672b0597e4456f25371ad1</li> </ul> 3.4.9 Released 2023-03-20T00:00:00+00:00 http://blog.rubygems.org/2023/03/20/3.4.9-released <p>RubyGems 3.4.9 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Improve <code class="language-plaintext highlighter-rouge">TarHeader#calculate_checksum</code> speed and readability. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6476">#6476</a> by Maumagnaguagno</li> <li>Added only missing extensions option into pristine command. Pull request <a href="https://github.com/rubygems/rubygems/pull/6446">#6446</a> by hsbt</li> <li>Installs bundler 2.4.9 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">$LOAD_PATH</code> in rake and ext_conf builder. Pull request <a href="https://github.com/rubygems/rubygems/pull/6490">#6490</a> by ntkme</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem uninstall</code> with <code class="language-plaintext highlighter-rouge">--install-dir</code>. Pull request <a href="https://github.com/rubygems/rubygems/pull/6481">#6481</a> by deivid-rodriguez</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Document our current release policy. Pull request <a href="https://github.com/rubygems/rubygems/pull/6450">#6450</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.9.tgz<br /> 63f48b83647dbd3bff20c7a0e280f210829bb9cc2d7149d25971428f8cc19fe3</li> <li>rubygems-3.4.9.zip<br /> a0782735e8fc2216f54d583770425fbbc4702a1e4b9819d1a57f2ab17dbbb8a2</li> <li>rubygems-update-3.4.9.gem<br /> 7c78efe1cc1cf23670957130a59d0b71f19cc409497e8f9e07b3ae1d05526901</li> </ul> February 2023 RubyGems Updates 2023-03-11T00:00:00+00:00 http://blog.rubygems.org/2023/03/11/february-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in February.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in <a href="https://github.com/rubygems/rubygems">RubyGems</a>, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#347--2023-02-15">3.4.7</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#247-february-15-2023">2.4.7</a>.</p> <p>The following improvements and fixes are included in these releases (see the changelog for more information):</p> <ul> <li>added a <code class="language-plaintext highlighter-rouge">--gemfile</code> flag to the <code class="language-plaintext highlighter-rouge">bundle init</code> command to configure the gemfile name to be able to generate a custom name - <a href="https://github.com/rubygems/rubygems/pull/6046">#6046</a>.</li> <li>added a warning on self-referencing gemspec dependencies - <a href="https://github.com/rubygems/rubygems/pull/6335">#6335</a>.</li> <li>fixed inconsistent behavior of zero-byte files in one of the archives - <a href="https://github.com/rubygems/rubygems/pull/6329">#6329</a>.</li> <li>restored older (better) version of error message when locked ref does not exist, to improve clarity - <a href="https://github.com/rubygems/rubygems/pull/6356">#6356</a>.</li> <li>fixed gem crashing when installing from a corrupted lockfile - <a href="https://github.com/rubygems/rubygems/pull/6355">#6355</a>.</li> <li>fixed crash in PubGrub involving empty ranges - <a href="https://github.com/rubygems/rubygems/pull/6365">#6365</a>.</li> </ul> <p>Other improvements we worked on during this month that weren’t included in the February release are:</p> <ul> <li>adding an experimental feature for the <code class="language-plaintext highlighter-rouge">gem exec</code> command to run executables from gems that may or may not be installed - <a href="https://github.com/rubygems/rubygems/pull/6309">#6309</a>.</li> 
<li>implementing safe load for all marshaled data - <a href="https://github.com/rubygems/rubygems/pull/6384">#6384</a>.</li> <li>making the gemspec file generated by bundle gem properly exclude itself from packaged gem - <a href="https://github.com/rubygems/rubygems/pull/6339">#6339</a>.</li> <li>preserving <code class="language-plaintext highlighter-rouge">bundler-setup-relative</code> paths if the <code class="language-plaintext highlighter-rouge">:path</code> option is set to relative in standalone setup - <a href="https://github.com/rubygems/rubygems/pull/6327">#6327</a>.</li> </ul> <p>In February, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-02-01%7D...master@%7B2023-02-28%7D">108 new commits</a>, contributed by 16 authors. There were 1,744 additions and 217 deletions across 100 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, we made significant progress on the backend admin dashboard. We implemented robust auditing of all changes and added support for resetting users’ MFA, blocking a user, and deleting webhooks.</p> <p><img src="https://res.cloudinary.com/lauragift/image/upload/w_650,h_400/v1678818813/image_el5xjy.png" alt="admin dashboard" /></p> <p>We <a href="https://blog.rubygems.org/2023/02/22/dependency-api-deprecation.html">announced</a> the deprecation of the dependency API, and we plan to implement brownouts and remove the endpoint entirely. 
We also migrated all RDS instances to be managed by Terraform and tested the migration of managed node groups on the rubygems.org EKS cluster.</p> <p>In addition to these updates, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>the addition of telemetry to capture MFA login durations - <a href="https://github.com/rubygems/rubygems.org/pull/3376">#3376</a>.</li> <li>the integration of DataDog for application performance monitoring - <a href="https://github.com/rubygems/rubygems.org/pull/3461">#3461</a>.</li> <li>the setup of GitHub OAuth to protect the new /admin namespace - <a href="https://github.com/rubygems/rubygems.org/pull/3388">#3388</a>.</li> <li>an updated Rails test job name for stability across version updates - <a href="https://github.com/rubygems/rubygems.org/pull/3420">#3420</a>.</li> <li>fixed avo test warnings (via removal of redundant rake task loading) - <a href="https://github.com/rubygems/rubygems.org/pull/3422">#3422</a>.</li> <li>an added avo MFA reset admin action &amp; view of audit entries - <a href="https://github.com/rubygems/rubygems.org/pull/3426">#3426</a>.</li> <li>a fixed ERD CI (via an updated <code class="language-plaintext highlighter-rouge">erd.dot</code>) - <a href="https://github.com/rubygems/rubygems.org/pull/3490">#3490</a>.</li> <li>an updated Terraform package: <code class="language-plaintext highlighter-rouge">0.13.7 -&gt; 1.3.9</code>.</li> <li>updated Terraform provider packages: AWS <code class="language-plaintext highlighter-rouge">2.51 -&gt; 4.54</code>, external <code class="language-plaintext highlighter-rouge">1.2 -&gt; 2.2</code>, Kubernetes <code class="language-plaintext highlighter-rouge">1.8 -&gt; 2.18</code>, template <code class="language-plaintext highlighter-rouge">2.1 -&gt; 2.3</code>.</li> </ul> <p>In February, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-02-01%7D...master@%7B2023-02-28%7D">209 new commits</a>, 
contributed by 17 authors. There were 7,602 additions and 1,071 deletions across 273 files.</p> <h2 id="ruby-ecosystem-news">Ruby Ecosystem News</h2> <p>Here we outline additional exciting updates made to other projects in the Ruby Ecosystem.</p> <p><strong><em>New: Ruby SSL Check</em></strong></p> <ul> <li>we updated <code class="language-plaintext highlighter-rouge">ruby-ssl-check</code> to print a warning if you’re using an unmaintained version of Ruby - <a href="https://github.com/rubygems/ruby-ssl-check/pull/14">#14</a>.</li> </ul> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/amatsuda">@amatsuda</a> Akira Matsuda</li> <li><a href="https://github.com/sambostock">@sambostock</a> Sam Bostock</li> <li><a href="https://github.com/composerinteralia">@composerinteralia</a> Daniel Colson</li> <li><a href="https://github.com/koic">@koic</a> Koichi ITO</li> <li><a href="https://github.com/jhawthorn">@jhawthorn</a> John Hawthorn</li> <li><a href="https://github.com/gustavothecoder">@gustavothecoder</a> Gustavo Ribeiro</li> <li><a href="https://github.com/mercedesb">@mercedesb</a> Mercedes</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a 
href="https://github.com/luke-gru">@luke-gru</a> Luke Gruber</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/bettymakes">@bettymakes</a> Betty Li</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/arunagw">@arunagw</a> Arun Agrawal</li> <li><a href="https://github.com/sambostock">@sambostock</a> Sam Bostock</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/indirect">@indirect</a> André Arko</li> <li><a href="https://github.com/jchestershopify">@jchestershopify</a> Jacques Chester</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/javier-menendez">@javier-menendez</a> Javier Menéndez Rizo</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.8 Released 2023-03-08T00:00:00+00:00 http://blog.rubygems.org/2023/03/08/3.4.8-released <p>RubyGems 3.4.8 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Add TarReader::Entry#seek to seek within the tar file entry. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6390">#6390</a> by martinemde</li> <li>Avoid calling String#dup in Gem::Version#marshal_dump. Pull request <a href="https://github.com/rubygems/rubygems/pull/6438">#6438</a> by segiddins</li> <li>Remove hardcoded “master” branch references. Pull request <a href="https://github.com/rubygems/rubygems/pull/6425">#6425</a> by deivid-rodriguez</li> <li>[Experimental] Add <code class="language-plaintext highlighter-rouge">gem exec</code> command to run executables from gems that may or may not be installed. Pull request <a href="https://github.com/rubygems/rubygems/pull/6309">#6309</a> by segiddins</li> <li>Installs bundler 2.4.8 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix installation error of same version of default gems with local installation. Pull request <a href="https://github.com/rubygems/rubygems/pull/6430">#6430</a> by hsbt</li> <li>Use proper memoized var name for Gem.state_home. Pull request <a href="https://github.com/rubygems/rubygems/pull/6420">#6420</a> by simi</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Switch supporting explanations to all Ruby Central. Pull request <a href="https://github.com/rubygems/rubygems/pull/6419">#6419</a> by indirect</li> <li>Update the link to OpenSource.org. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6392">#6392</a> by nobu</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.8.tgz<br /> d05943649349246564bc198a58d06a351693b68e9c8823ae4042babaae9da2d4</li> <li>rubygems-3.4.8.zip<br /> 7974335862d93fad444d5791551836dd88dd4ae18bdd3362048c7e30a17998cc</li> <li>rubygems-update-3.4.8.gem<br /> 08796d78b486ee9a01d18dfd3d7f02d42a694fb91160fe9e53ad6d8d8082e52d</li> </ul> RubyGems.org Dependency API Deprecation 2023-02-22T00:00:00+00:00 http://blog.rubygems.org/2023/02/22/dependency-api-deprecation <p><strong>Update</strong>: The Dependency API will be disabled on May 24, after a <a href="/2023/04/07/dependency-api-deprecation-delayed.html">final two week extension</a></p> <p><strong>Update:</strong> The Dependency API <a href="/2023/04/07/dependency-api-deprecation-delayed.html">will be disabled on May 10 instead</a>, one month later than mentioned here. If you are having issues with Nexus, Artifactory, Chef, or another product that uses the dependency API, read <a href="/2023/04/07/dependency-api-deprecation-delayed.html">the post about delaying the deprecation</a></p> <p>We’re deprecating <a href="https://guides.rubygems.org/rubygems-org-api/#misc-methods">the Dependency API</a> on RubyGems.org. 
To learn more, read on, or see the original <a href="https://github.com/segiddins/rfcs/blob/segiddins/deprecate-dependency-api/0000-deprecate-dependency-api.md">RFC</a> about this deprecation.</p> <h3 id="what-is-the-dependency-api">What is the Dependency API?</h3> <p>The Dependency API was the primary way Bundler fetched dependency info for Gemfile resolution from <a href="https://github.com/rubygems/bundler/blob/master/CHANGELOG.md#11pre-january-21-2011">Bundler 1.1</a> until the release of <a href="https://bundler.io/blog/2016/04/28/the-new-index-format-fastly-and-bundler-1-12.html">Bundler 1.12</a> in April 2016, which introduced the <a href="https://andre.arko.net/2014/03/28/the-new-rubygems-index-format/">“new” Compact Index API</a>.</p> <p>The API has a single endpoint, <code class="language-plaintext highlighter-rouge">/api/v1/dependencies</code> (returning responses as Marshal or as JSON), accepting a single comma-separated <code class="language-plaintext highlighter-rouge">gems</code> query parameter.</p> <p>For example, <a href="https://index.rubygems.org/api/v1/dependencies.json?gems=rails">https://index.rubygems.org/api/v1/dependencies.json?gems=rails</a> returns every dependency for every version of the gem <code class="language-plaintext highlighter-rouge">rails</code>.</p> <h3 id="why-is-the-dependency-api-being-deprecated">Why is the Dependency API being deprecated?</h3> <p>The Dependency API is extremely resource-intensive: even today, it makes up 20-25% of the traffic served by the RubyGems.org Rails app that cannot be cached by Fastly. Each unique list of gems requires RubyGems.org to run a complex database query, and a majority of requests include a unique list of gems.</p> <p>In contrast to the Dependency API, the Compact Index API is designed to be cacheable. 
Since the Compact Index has been out for almost seven years, and since Bundler &amp; RubyGems both support fallback to the slower “full” index when the Dependency API is unavailable, we plan to deprecate and delete the Dependency API from RubyGems.org over the coming months.</p> <h3 id="what-impact-will-this-deprecation-have">What impact will this deprecation have?</h3> <p>We expect this deprecation to have no user-facing impact.</p> <p>If you are installing gems from RubyGems.org using versions of Bundler more than 7 years old (1.11 or older), your installs will get slower. Hopefully, everyone has upgraded their copy of Bundler at least once in the last 7 years, and their installs can continue at full speed.</p> <p>If you are installing gems from other gem sources, like <a href="https://github.com/rubygems/gemstash">Gemstash</a>, <a href="https://github.com/geminabox/geminabox">Geminabox</a>, <a href="https://www.sonatype.com/products/nexus-repository">Nexus</a>, <a href="https://jfrog.com/artifactory/">Artifactory</a>, or <a href="https://github.com/features/packages">GitHub Packages</a>, nothing will change. Bundler will continue to try the Compact Index API first, then fall back to the Dependency API, then fall back to the full index.</p> <p>If you are using the Dependency API directly, and not through Bundler or RubyGems, we recommend that you switch to either the Compact Index API or the Gem Version API, whichever can more easily provide the information that you need.</p> <h3 id="give-me-the-details">Give me the details</h3> <p>Ok!</p> <p>We’re going to be performing a phased deprecation of the Dependency API out of an abundance of caution. 
Over the next month and a half, there will be several “brownout” periods, during which RubyGems.org will return 404s from the Dependency API.</p> <ul> <li>March 22 at 00:00 UTC (4pm PT / 7pm ET) for 5 minutes</li> <li>March 29 at the top of every hour UTC for 10 minutes</li> <li>April 03 for the entire day UTC</li> <li>April 10 from 00:00 UTC onward</li> </ul> <hr /> <p>I want to conclude with a hearty thank you to everyone who helped keep the Dependency API up and running over the years, especially <a href="https://github.com/qrush/">@qrush</a> for first creating the API, <a href="https://github.com/hone/">@hone</a> for rewriting the API into a scalable service, and <a href="https://github.com/sonalkr132/">@sonalkr132</a> for merging the service back into the main Rails app, as well as all the other Bundler and RubyGems.org volunteers over the years.</p> January 2023 RubyGems Updates 2023-02-16T00:00:00+00:00 http://blog.rubygems.org/2023/02/16/january-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in January.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in <a href="https://github.com/rubygems/rubygems">RubyGems</a>, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#342--2023-01-01">3.4.2</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#343--2023-01-06">3.4.3</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#344--2023-01-16">3.4.4</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#345--2023-01-21">3.4.5</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#346--2023-01-31">3.4.6</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#242-january-1-2023">2.4.2</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#243-january-6-2023">2.4.3</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#244-january-16-2023">2.4.4</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#245-january-21-2023">2.4.5</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#246-january-31-2023">2.4.6</a> with the following updates:</p> <ul> <li>allowing require decorations to be disabled - <a href="https://github.com/rubygems/rubygems/pull/6319">#6319</a>.</li> <li>properly merging incompatibility ranges to speed up resolution - <a href="https://github.com/rubygems/rubygems/pull/6215">#6215</a>.</li> <li>turning the <code class="language-plaintext highlighter-rouge">--ext</code> option of bundle gem into a string and deprecating usage without an explicit value - <a href="https://github.com/rubygems/rubygems/pull/6144">#6144</a>.</li> <li>enhancing the <code class="language-plaintext highlighter-rouge">bundle open</code> command to allow opening a subdir/file for a gem - <a 
href="https://github.com/rubygems/rubygems/pull/6146">#6146</a>.</li> </ul> <p>In addition to that, we made the following improvements and fixes (see the changelog for more information):</p> <ul> <li>fixed flakiness on <code class="language-plaintext highlighter-rouge">Ruby 3.2</code> and Windows and sped up some specs - <a href="https://github.com/rubygems/rubygems/pull/6321">#6321</a>.</li> <li>updated the list of <code class="language-plaintext highlighter-rouge">SPDX</code> license identifiers - <a href="https://github.com/rubygems/rubygems/pull/6310">#6310</a>.</li> <li>added tests for old lockfiles with new Ruby versions - <a href="https://github.com/rubygems/rubygems/pull/6317">#6317</a>.</li> <li>stopped packages for external platforms from being introduced into the lockfile when Bundler retries resolution - <a href="https://github.com/rubygems/rubygems/pull/6285">#6285</a>.</li> </ul> <p>In January, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2023-01-01%7D...master@%7B2023-01-31%7D">158 new commits</a>, contributed by 14 authors. There were 3,450 additions and 2,535 deletions across 112 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In January, RubyGems.org saw several bug fixes and updates, some of which include:</p> <ul> <li>an added WebAuthn Verification authenticate endpoint - <a href="https://github.com/rubygems/rubygems.org/pull/3331">#3331</a>.</li> <li>moving browser tests to standard Rails system tests - <a href="https://github.com/rubygems/rubygems.org/pull/3374">#3374</a>.</li> <li>an added patch for the mfa_expires_at edge condition - <a href="https://github.com/rubygems/rubygems.org/pull/3357">#3357</a>.</li> <li>a simplified version of the GitHub button JS 
- <a href="https://github.com/rubygems/rubygems.org/pull/3348">#3348</a>.</li> <li>the addition of telemetry to capture MFA login durations - <a href="https://github.com/rubygems/rubygems.org/pull/3376">#3376</a>.</li> <li>introducing a timeout after inactivity on the OTP page - <a href="https://github.com/rubygems/rubygems.org/pull/3325">#3325</a>.</li> </ul> <p><img src="https://res.cloudinary.com/lauragift/image/upload/w_650,h_400/v1676537149/211091850-84d7f2e3-ee43-44bd-928e-1051130c3ede_vq4tfk.png" alt="OTP Timeout" /></p> <p>This month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2023-01-01%7D...master@%7B2023-01-31%7D">86 new commits</a>, contributed by 12 authors. There were 584 additions and 395 deletions across 46 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/composerinteralia">@composerinteralia</a> Daniel Colson</li> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/yoka">@yoka</a> Jesse Ikonen</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/technicalpickles">@technicalpickles</a> Josh Nichols</li> <li><a href="https://github.com/jdufresne">@jdufresne</a> Jon Dufresne</li> <li><a href="https://github.com/markdoliner">@markdoliner</a> Mark Doliner</li> <li><a href="https://github.com/matsadler">@matsadler</a> Mat Sadler</li> <li><a href="https://github.com/flavorjones">@flavorjones</a> Mike Dalessio</li> <li><a href="https://github.com/nobu">@nobu</a> 
Nobuyoshi Nakada</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> <li><a href="https://github.com/tbates-redarc">@tbates-redarc</a> Tim Bates</li> <li><a href="https://github.com/fxn">@fxn</a> Xavier Noria</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/sonalkr132">@sonalkr132</a> Aditya Prakash</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> <li><a href="https://github.com/ericherscovich">@ericherscovich</a> Eric Herscovich</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/jchestershopify">@jchestershopify</a> Jacques Chester</li> <li><a href="https://github.com/mercedesb">@mercedesb</a> Mercedes</li> <li><a href="https://github.com/arunagw">@arunagw</a> Arun Agrawal</li> <li><a href="https://github.com/segiddins">@segiddins</a> Samuel Giddins</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.7 Released 2023-02-15T00:00:00+00:00 http://blog.rubygems.org/2023/02/15/3.4.7-released <p>RubyGems 3.4.7 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Warn on self referencing gemspec dependency. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6335">#6335</a> by simi</li> <li>Installs bundler 2.4.7 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix inconsistent behavior of zero-byte files in archive. Pull request <a href="https://github.com/rubygems/rubygems/pull/6329">#6329</a> by martinemde</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.7.tgz<br /> 8769c4bbe7bab84718bba812173cc222f4ae084e559b9b19133b93ec188c0b23</li> <li>rubygems-3.4.7.zip<br /> a3a3c62a216cd46d8fb6550b51ba50110b310edbb69ee76b81bc680125428b5f</li> <li>rubygems-update-3.4.7.gem<br /> 0f7b78a599c23c7c561b6a764ce70e60f102bd203680a68fc5076533c6b82800</li> </ul> 3.2.34 Released 2023-02-06T00:00:00+00:00 http://blog.rubygems.org/2023/02/06/3.2.34-released <p>RubyGems 3.2.34 includes enhancements and bug fixes.</p> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Introduce a way to specify a deprecated version for rubygems_deprecate_command. Pull request #6331 by hsbt</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix broken brew formula due to loading operating_system.rb customizations too late. 
Pull request #5154 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li><a href="https://rubygems.org/gems/rubygems-3.2.34.tgz">rubygems-3.2.34.tgz</a> b34f52c06c9e03ed4499d4ebb17495de859c1be9f5240a5dfca3620ee5a08534</li> <li><a href="https://rubygems.org/gems/rubygems-3.2.34.zip">rubygems-3.2.34.zip</a> e2a8509c9a46cf6c4f1a1085fcdcfa8035c26e010830b989fc839b526d3a1660</li> <li><a href="https://rubygems.org/gems/rubygems-update-3.2.34.gem">rubygems-update-3.2.34.gem</a> 40d9fec35c1881a2c974c15ccf04a0b09135ba5182fb2590c50ba4b47104b688</li> </ul> 3.4.6 Released 2023-01-31T00:00:00+00:00 http://blog.rubygems.org/2023/01/31/3.4.6-released <p>RubyGems 3.4.6 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Allow <code class="language-plaintext highlighter-rouge">require</code> decorations to be disabled. Pull request <a href="https://github.com/rubygems/rubygems/pull/6319">#6319</a> by deivid-rodriguez</li> <li>Installs bundler 2.4.6 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Include directory in CargoBuilder install path. Pull request <a href="https://github.com/rubygems/rubygems/pull/6298">#6298</a> by matsadler</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Include links to pull requests in changelog. 
Pull request <a href="https://github.com/rubygems/rubygems/pull/6316">#6316</a> by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.6.tgz<br /> 6a53bdd53495e80cda63a1f393c45bea0d66b3ecf11c34d88fabdacd0704412f</li> <li>rubygems-3.4.6.zip<br /> d1a140dbfeabc2bc285d9fe232f52bd2a8efd2ed532bfec1a24ab2803de77811</li> <li>rubygems-update-3.4.6.gem<br /> a40664a6c6b1a5d0a3f3fa2dfbfb219e252095906b9764abc54f205505ed4a93</li> </ul> 3.4.5 Released 2023-01-21T00:00:00+00:00 http://blog.rubygems.org/2023/01/21/3.4.5-released <p>RubyGems 3.4.5 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.4.5 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.5.tgz<br /> e280c6227abaf8d807106a58badaa7d0f2874bf4ca969f58eafdb81a6fd6d592</li> <li>rubygems-3.4.5.zip<br /> 177fbc738a442840f9843e6549fb346ed19cc71f007b36d640391e3ede2afc3f</li> <li>rubygems-update-3.4.5.gem<br /> 06295f0333b21d15b46cded2d35a62b3eae8caa25cdb3121a49bb9b4ca927064</li> </ul> December 2022 RubyGems Updates 2023-01-19T00:00:00+00:00 http://blog.rubygems.org/2023/01/19/december-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in December.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released final versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#340--2022-12-24">3.4.0</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#341--2022-12-24">3.4.1</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#240-december-24-2022">2.4.0</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#241-december-24-2022">2.4.1</a> featuring:</p> <ul> <li>a new “call to update” mechanism for RubyGems cleaning - <a href="https://github.com/rubygems/rubygems/pull/5922">#5922</a>.</li> <li>an enhanced Bundler resolver based on PubGrub - <a href="https://github.com/rubygems/rubygems/pull/6146">#6146</a>.</li> <li>generation of gems with Rust extensions via bundle gem - <a href="https://github.com/rubygems/rubygems/pull/6149">#6149</a>.</li> <li>lighter Bundler git sources using shallow clones under the hood - <a href="https://github.com/rubygems/rubygems/pull/6241">#6241</a>.</li> </ul> <p>In addition to that, we made the following improvements and fixes (see the changelog for more information):</p> <ul> <li>added support for the <code class="language-plaintext highlighter-rouge">--pre</code> flag in <code class="language-plaintext highlighter-rouge">bundle update</code> and <code class="language-plaintext highlighter-rouge">bundle lock</code> - <a href="https://github.com/rubygems/rubygems/pull/5258">#5258</a>.</li> <li>fixed <code class="language-plaintext highlighter-rouge">bundle outdated</code> with both <code class="language-plaintext highlighter-rouge">--groups</code> and <code class="language-plaintext highlighter-rouge">--parseable</code> flags - <a href="https://github.com/rubygems/rubygems/pull/6148">#6148</a>.</li> <li>fixed crash due to <code 
class="language-plaintext highlighter-rouge">BundlerVersionFinder</code> not being defined - <a href="https://github.com/rubygems/rubygems/pull/6152">#6152</a>.</li> <li>created a fallback to selecting installable candidates if possible when materializing specs - <a href="https://github.com/rubygems/rubygems/pull/6225">#6225</a>.</li> <li>updated generated CI scripts to be able to compile Rust extensions - <a href="https://github.com/rubygems/rubygems/pull/6168">#6168</a>.</li> <li>added a spec to make sure global gemspecs can’t confuse Bundler - <a href="https://github.com/rubygems/rubygems/pull/6086">#6086</a>.</li> </ul> <p>We also dropped support for old Rubies (2.3, 2.4, and 2.5) and finally removed the <code class="language-plaintext highlighter-rouge">auto-sudo</code> feature in Bundler 2.4, <a href="https://blog.rubygems.org/2022/10/18/septemeber-rubygems-updates.html/#rubygems-news">a longstanding request of our users</a>, since the feature was considered harmful.</p> <p>In December, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-12-01%7D...master@%7B2022-12-31%7D">242 new commits</a>, contributed by 20 authors. 
There were 77,119 additions and 3,466 deletions across 2,051 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In December, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>fixed mocha deprecation warnings in tests - <a href="https://github.com/rubygems/rubygems.org/pull/3295">#3295</a>.</li> <li>as part of ongoing work on the WebAuthn CLI, we set up a verification page - <a href="https://github.com/rubygems/rubygems.org/pull/3310">#3310</a>, added a WebAuthn verification authenticate endpoint - <a href="https://github.com/rubygems/rubygems.org/pull/3305">#3305</a>, and set the WebAuthn authentication challenge on the prompt page - <a href="https://github.com/rubygems/rubygems.org/pull/3324">#3324</a>.</li> <li>fixed dependency links pointing to their dependents - <a href="https://github.com/rubygems/rubygems.org/pull/3312">#3312</a>.</li> <li>created an ES index in <code class="language-plaintext highlighter-rouge">search_test</code> before relying on it - <a href="https://github.com/rubygems/rubygems.org/pull/3303">#3303</a>.</li> <li>updated the docs and scripts for contributing and setup - <a href="https://github.com/rubygems/rubygems.org/pull/3300">#3300</a>.</li> <li>migrated from Elasticsearch to the <code class="language-plaintext highlighter-rouge">opensearch-ruby</code> gem - <a href="https://github.com/rubygems/rubygems.org/pull/3036">#3036</a>.</li> </ul> <p>This month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-12-01%7D...master@%7B2022-12-31%7D">59 new commits</a>, contributed by 12 authors. There were 2,133 additions and 632 deletions across 77 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! 
Your contributions are greatly appreciated, and we are grateful for your support.</p> <h3 id="contributors-to-rubygems">Contributors to RubyGems:</h3> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/peterzhu2118">@peterzhu2118</a> Peter Zhu</li> <li><a href="https://github.com/duckinator">@duckinator</a> Ellen Marie Dash</li> <li><a href="https://github.com/ianks">@ianks</a> Ian Ker-Seymer</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/eregon">@eregon</a> Benoit Daloze</li> <li><a href="https://github.com/zarqman">@zarqman</a> Zarqman</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> <li><a href="https://github.com/alyssais">@alyssais</a> Alyssa Ross</li> <li><a href="https://github.com/eloyesp">@eloyesp</a> Eloy Espinaco</li> <li><a href="https://github.com/siegfault">@siegfault</a> Michael Siegfried</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/joshuaswett">@joshuaswett</a> Joshua Swett</li> <li><a href="https://github.com/markburns">@markburns</a> Mark Burns</li> <li><a href="https://github.com/mensfeld">@mensfeld</a> Maciej Mensfeld</li> <li><a href="https://github.com/gustavothecoder">@gustavothecoder</a> Gustavo Ribeiro</li> </ul> <h3 id="contributors-to-rubygemsorg">Contributors to RubyGems.org:</h3> <ul> <li><a href="https://github.com/sonalkr132">@sonalkr132</a> Aditya Prakash</li> <li><a href="https://github.com/jenshenny">@jenshenny</a> Jenny Shen</li> <li><a href="https://github.com/kevinlinxc">@kevinlinxc</a> Kevin Lin</li> <li><a href="https://github.com/mensfeld">@mensfeld</a> Maciej Mensfeld</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/aellispierce">@aellispierce</a> Ashley Ellis Pierce</li> <li><a href="https://github.com/dorianmariefr">@dorianmariefr</a> Dorian 
Marié</li> <li><a href="https://github.com/bettymakes">@bettymakes</a> Betty</li> <li><a href="https://github.com/jchestershopify">@jchestershopify</a> Jacques Chester</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/martinemde">@martinemde</a> Martin Emde</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.4.4 Released 2023-01-16T00:00:00+00:00 http://blog.rubygems.org/2023/01/16/3.4.4-released <p>RubyGems 3.4.4 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.4.4 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Improve documentation about <code class="language-plaintext highlighter-rouge">Kernel</code> monkeypatches. 
Pull request #6217 by nobu</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.4.tgz<br /> 7dab9b54c0493422dda5ab110e8cee78a94c106eaafeb83cc5c31f6157ce2e9a</li> <li>rubygems-3.4.4.zip<br /> c2f347ebba5eb753db20e72a6494c243254f67b21fcdfd4cbcf1041363ddbd23</li> <li>rubygems-update-3.4.4.gem<br /> d449a3c831e8ab6b28ae5d2217f81af6e7f785e1e2ec2bb94b00d9888f3c97c2</li> </ul> 3.4.3 Released 2023-01-06T00:00:00+00:00 http://blog.rubygems.org/2023/01/06/3.4.3-released <p>RubyGems 3.4.3 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.4.3 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix several typos. Pull request #6224 by jdufresne</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.3.tgz<br /> 78c2ca061f376938fc94545638fc8c6d4664c8a8971f94c3fb427df419ad3ca0</li> <li>rubygems-3.4.3.zip<br /> e5348e1f95471d8802b631c6abacbd9b46297c840cbe530db68cd58f6dd0769b</li> <li>rubygems-update-3.4.3.gem<br /> d72c08808aa0072f5a0eb64d8ee5e4fa9b95d65cc124e2285df49f7a61c87fd7</li> </ul> 3.4.2 Released 2023-01-01T00:00:00+00:00 http://blog.rubygems.org/2023/01/01/3.4.2-released <p>RubyGems 3.4.2 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Add global flag (<code class="language-plaintext highlighter-rouge">-C</code>) to change execution directory. 
Pull request #6180 by gustavothecoder</li> <li>Installs bundler 2.4.2 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.2.tgz<br /> 619a61177dfbe219dd159f7790058b1829bcabcfc433727154600e337b31d01a</li> <li>rubygems-3.4.2.zip<br /> 93427f7414fd4159579d8a46565450c62091e54372b317e5afb25edb0ffcd461</li> <li>rubygems-update-3.4.2.gem<br /> bdd229665ce2135d8c709a46ce3aac0d7f35bbfe0847f6c698775134b8bc9509</li> </ul> 3.4.1 Released 2022-12-24T00:00:00+00:00 http://blog.rubygems.org/2022/12/24/3.4.1-released <p>RubyGems 3.4.1 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.4.1 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.1.tgz<br /> b51f300437085a7847dd9f3d986256591d690d3dc31bb0efc9417f9bf8958a20</li> <li>rubygems-3.4.1.zip<br /> 5845615fbd388c0f3cb27c3adc9af75c3317ad08ec4d2b2d04b9056634fc9a4f</li> <li>rubygems-update-3.4.1.gem<br /> 838281405be0824d50b487774e54288a1688261cb5eb9102039532f94d87e364</li> </ul> 3.4.0 Released 2022-12-24T00:00:00+00:00 http://blog.rubygems.org/2022/12/24/3.4.0-released <p>RubyGems 3.4.0 includes nice improvements such as:</p> <ul> <li>It will unobtrusively inform you when it’s out of date.</li> <li>It will clean up intermediate files after building and installing extensions, saving disk space.</li> </ul> <p>It also drops support for Ruby 2.3, Ruby 2.4 and Ruby 2.5. 
Time to move on!</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>Here is the full changelog, for more details:</p> <p><em>## Breaking changes:</em></p> <ul> <li>Drop support for Ruby 2.3, 2.4, 2.5 and RubyGems 2.5, 2.6, 2.7. Pull request #6107 by deivid-rodriguez</li> <li>Remove support for deprecated OS. Pull request #6041 by peterzhu2118</li> </ul> <p><em>## Features:</em></p> <ul> <li>Add ‘call for update’ to RubyGems install command. Pull request #5922 by simi</li> </ul> <p><em>## Enhancements:</em></p> <ul> <li>Add <code class="language-plaintext highlighter-rouge">mswin</code> support for cargo builder. Pull request #6167 by ianks</li> <li>Validate Cargo.lock is present for Rust-based extensions. Pull request #6151 by simi</li> <li>Clean built artifacts after building extensions. Pull request #6133 by deivid-rodriguez</li> <li>Installs bundler 2.4.0 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix crash due to <code class="language-plaintext highlighter-rouge">BundlerVersionFinder</code> not being defined. Pull request #6152 by deivid-rodriguez</li> <li>Don’t leave a corrupted partial package download around when running out of disk space. 
Pull request #5681 by duckinator</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.4.0.tgz<br /> 1436e75a53873d154db6c1a6c7a4e021de94d9431237d27b95d54bf4590568eb</li> <li>rubygems-3.4.0.zip<br /> 5e9682a1db13d4e95f0c15cc15e309c1a4f4ae00a3b6caa802279ffb3cf36988</li> <li>rubygems-update-3.4.0.gem<br /> 04d5056c453ebcdf9d43deecc9d8d5beb64e6314be7f1b2ba218f409aba547c1</li> </ul> Introducing Hardware Security Token & Passkey support 2022-12-21T00:00:00+00:00 http://blog.rubygems.org/2022/12/21/introducing-hardware-security-token-and-passkey-support <p>Hello everyone!</p> <p>I’m excited to share two new features that will further safeguard the security of your rubygems.org account – hardware security token &amp; Passkey (aka WebAuthn) support.</p> <p>In recent years, authors of popular language packages have become prime targets of attackers with the aim of <a href="https://arxiv.org/pdf/2002.01139.pdf">publishing code to distribute malware</a>. In more severe cases, package authors are targeted specifically with the objective of reaching <a href="https://www.bleepingcomputer.com/news/security/npm-packages-used-by-crypto-exchanges-compromised/">a particular company for further attack</a>.</p> <p>In response to these new trends, RubyGems.org and the wider community have <a href="https://rubycentral.org/news/ruby-shield/">focused heavily on investing in security &amp; policies</a> to ensure accounts are safeguarded from takeover attacks. In 2018, RubyGems.org added support for 2FA, allowing users to require a One-Time Password when signing in. I’m pleased to share that in addition to One-Time Passwords, authors can now protect their RubyGems.org accounts with Two-Factor Authentication via a Hardware Security Token &amp; Passkey.</p> <h3 id="what-is-a-hardware-security-token">What is a Hardware Security Token?</h3> <p>A hardware security token is a small physical device that plugs into your computer, holding a secure private/public key pair. 
Once registered in RubyGems.org, the hardware token can be used as a second authentication step to verify your identity. The benefit of Hardware Security Tokens is that they are hard to duplicate and require the device to be physically present to sign into your account, with the tradeoff that they can be lost. For users looking to adopt Hardware Security Tokens, we recommend keeping a second backup token somewhere safe.</p> <p>Hardware Security Tokens can be purchased from various vendors whose devices conform to the <a href="https://www.yubico.com/authentication-standards/fido-u2f/">U2F standard</a>. Some of the vendors we recommend:</p> <ul> <li><a href="https://www.yubico.com/products/">Yubico</a></li> <li><a href="https://cloud.google.com/titan-security-key">Google Titan Security Key</a></li> </ul> <h3 id="what-is-passkey-aka-webauthn">What is Passkey aka WebAuthn?</h3> <p><a href="https://webauthn.guide">WebAuthn</a> is a relatively new standard that builds on top of the Hardware Security Token (U2F) standard without needing a separate physical device. Known more recently as Passkey, WebAuthn allows you to register a virtual security token that uses your existing device to hold the public/private key pair in a secure location.</p> <p>The great thing about Passkey is that you can use it without purchasing a separate physical device. It can be synced across multiple devices, making it easy to recover if you lose your computer.</p> <p>Passkey is a relatively new standard, so not all devices or browsers currently support it. 
Check your browser’s documentation for more information.</p> <h3 id="how-do-i-register-a-hardware-security-token-or-passkey">How do I register a Hardware Security Token or Passkey?</h3> <p>You can register your Hardware Security Token or Passkey on your <a href="https://rubygems.org/settings/edit">RubyGems.org account settings page</a> under “Security Device”; follow the instructions there to add a new Hardware Security Token or Passkey to your account.</p> <h3 id="cli-support-coming-soon">CLI support coming soon</h3> <p>One important note: the RubyGems CLI does not yet support Hardware Security Tokens or Passkey when signing in, but work to support this has begun. You can work around this by generating an API key via the Web UI and using that key in your development environment.</p> <p>Lastly, a special thanks to everyone involved in working on <a href="https://github.com/rubygems/rubygems.org/pull/2865">making &amp; testing this feature.</a> ❤️</p> <p>Colby</p> November 2022 RubyGems Updates 2022-12-15T00:00:00+00:00 http://blog.rubygems.org/2022/12/15/november-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in November.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3325--2022-11-02">3.3.25</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3326--2022-11-16">3.3.26</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2325-november-2-2022">2.3.25</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2326-november-16-2022">2.3.26</a>.</p> <p>The following improvements and fixes are included in these releases (see the changelog for more information):</p> <ul> <li>improved some test times and fixed warnings by not installing documentation - <a href="https://github.com/rubygems/rubygems/pull/6074">#6074</a>.</li> <li>fixed a broken link in the <code class="language-plaintext highlighter-rouge">bundle-platform</code> man page - <a href="https://github.com/rubygems/rubygems/pull/6071">#6071</a>.</li> <li>added permission restrictions to GitHub Actions workflows - <a href="https://github.com/rubygems/rubygems/pull/6081">#6081</a>.</li> <li>removed the reference to RVM documentation in the message returned when you run <code class="language-plaintext highlighter-rouge">bundler outdated</code> - <a href="https://github.com/rubygems/rubygems/pull/6083">#6083</a>.</li> <li>added a test to ensure that global gemspecs do not confuse Bundler - <a href="https://github.com/rubygems/rubygems/pull/6086">#6086</a>.</li> <li>fixed an issue that occurs when a lockfile gem does not resolve on the current platform - <a href="https://github.com/rubygems/rubygems/pull/6070">#6070</a>.</li> <li>updated the docs for the <code class="language-plaintext highlighter-rouge">gemfile</code> man page - <a href="https://github.com/rubygems/rubygems/pull/6007">#6007</a>.</li> <li>improved resolution messages when some platform gems 
are missing - <a href="https://github.com/rubygems/rubygems/pull/6068">#6068</a>.</li> <li>added <code class="language-plaintext highlighter-rouge">asdf</code> as a Ruby version manager option that contributors can use - <a href="https://github.com/rubygems/rubygems/pull/6066">#6066</a>.</li> <li>upgraded <code class="language-plaintext highlighter-rouge">rb-sys</code> to version 0.9.37 - <a href="https://github.com/rubygems/rubygems/pull/6047">#6047</a>.</li> </ul> <p>In November, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-11-01%7D...master@%7B2022-11-31%7D">116 new commits</a>, contributed by 15 authors. There were 3,719 additions and 3,370 deletions across 141 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In November, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>added tests to cover scenarios where an API key is not saved after being created or updated - <a href="https://github.com/rubygems/rubygems.org/pull/3280">#3280</a>.</li> <li>merged a PR to avoid filling the template with the gem name automatically - <a href="https://github.com/rubygems/rubygems/pull/6093">#6093</a>.</li> <li>merged a PR to protect the gem placeholder name, preventing misuse of the package name - <a href="https://github.com/rubygems/rubygems.org/pull/3275">#3275</a>.</li> <li>used <code class="language-plaintext highlighter-rouge">DelayedJob</code> as an Active Job adapter - <a href="https://github.com/rubygems/rubygems.org/pull/3266">#3266</a>.</li> <li>increased the maximum size of a memcached entry to 2MB - <a href="https://github.com/rubygems/rubygems.org/pull/3260">#3260</a>.</li> <li>added <code class="language-plaintext highlighter-rouge">ossf/scorecards</code> to assist in detecting insecure configurations related to GitHub and GitHub Actions - <a href="https://github.com/rubygems/rubygems.org/pull/3258">#3258</a>.</li> <li>updated to the latest versions of 
RubyGems (3.3.25) and Bundler (2.3.25) - <a href="https://github.com/rubygems/rubygems.org/pull/3250">#3250</a>.</li> </ul> <p>In November, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-11-01%7D...master@%7B2022-11-31%7D">46 new commits</a>, contributed by 6 authors. There were 108 additions and 36 deletions across 10 files.</p> <h2 id="related-news">Related News</h2> <p>Here we outline additional exciting updates made to other projects in the Ruby Ecosystem.</p> <ul> <li>This month, we released a new version of <a href="https://rubycentral.org/news/">Ruby Central News</a>.</li> </ul> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <h2 id="thank-you">Thank you</h2> <p>Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.</p> <p>Contributors to RubyGems:</p> <ul> <li><a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a> David Rodríguez</li> <li><a href="https://github.com/peterzhu2118">@peterzhu2118</a> Peter Zhu</li> <li><a href="https://github.com/ianks">@ianks</a> Ian Ker-Seymer</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/syohex">@syohex</a> Shohei YOSHIDA</li> <li><a href="https://github.com/Bo98">@Bo98</a> Bo Anderson</li> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/gustavothecoder">@gustavothecoder</a> Gustavo Ribeiro</li> <li><a href="https://github.com/JuanVqz">@JuanVqz</a> Juan Vásquez</li> <li><a href="https://github.com/nobu">@nobu</a> Nobuyoshi Nakada</li> </ul> <p>Contributors to RubyGems.org:</p> <ul> <li><a href="https://github.com/hsbt">@hsbt</a> Hiroshi SHIBATA</li> <li><a href="https://github.com/simi">@simi</a> Josef Šimánek</li> <li><a href="https://github.com/tnir">@tnir</a> Takuya N</li> <li><a 
href="https://github.com/sonalkr132">@sonalkr132</a> Aditya Prakash</li> </ul> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.26 Released 2022-11-17T00:00:00+00:00 http://blog.rubygems.org/2022/11/17/3.3.26-released <p>RubyGems 3.3.26 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Upgrade rb-sys to 0.9.37. Pull request #6047 by ianks</li> <li>Installs bundler 2.3.26 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.26.tgz<br /> 9b17a53a000a599926cf1ef19e9d2a35f87b436ae6500225eebe55db320dc68c</li> <li>rubygems-3.3.26.zip<br /> 2247a1860cc6bb7c1204ef57e1c982ef01c1fdbe86058aed8fca6a38957360ed</li> <li>rubygems-update-3.3.26.gem<br /> 944f84d83d25e26965a668959462c30e1c22fef2624ba69a84f0262567159a04</li> </ul> October 2022 RubyGems Updates 2022-11-15T00:00:00+00:00 http://blog.rubygems.org/2022/11/15/october-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in October.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3323--2022-10-05">3.3.23</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3324--2022-10-17">3.3.24</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2323-october-5-2022">2.3.23</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2324-october-17-2022">2.3.24</a>.</p> <p>The following improvements and fixes are also included in these releases (see the changelog for more information):</p> <ul> <li>added a small development environment change, contributed to make our <code class="language-plaintext highlighter-rouge">util/rubocop</code> script use the “in-tree” Bundler - <a href="https://github.com/rubygems/rubygems/pull/5979">#5979</a>.</li> <li>improved resolution performance and correctness by adding resolver spec groups for the Ruby platform only when necessary. This is in preparation for the upcoming migration to PubGrub - <a href="https://github.com/rubygems/rubygems/pull/5698">#5698</a>.</li> <li>added <code class="language-plaintext highlighter-rouge">SHA256</code> in test certificates - <a href="https://github.com/rubygems/rubygems/pull/5982">#5982</a>.</li> <li>made an update to allow JRuby to pass keywords to <code class="language-plaintext highlighter-rouge">Kernel#warn</code> - <a href="https://github.com/rubygems/rubygems/pull/6002">#6002</a>.</li> <li>unified source code and documentation to always use HTTPS under the hood when dealing with GitHub sources 
- <a href="https://github.com/rubygems/rubygems/pull/5993">#5993</a> and <a href="https://github.com/rubygems/rubygems/pull/6026">#6026</a>.</li> <li>fixed several issues with <code class="language-plaintext highlighter-rouge">Gem::Platform</code> handling: on musl platforms <a href="https://github.com/rubygems/rubygems/pull/5915">#5915</a>, on arm platforms with eabi modifiers <a href="https://github.com/rubygems/rubygems/pull/5957">#5957</a>, and when comparing against string parameters <a href="https://github.com/rubygems/rubygems/pull/5939">#5939</a>.</li> <li>improved handling of permanent redirect responses when pushing gems - <a href="https://github.com/rubygems/rubygems/pull/5931">#5931</a>.</li> <li>fixed an obscure issue affecting file extraction of some specific <code class="language-plaintext highlighter-rouge">.gem</code> packages - <a href="https://github.com/rubygems/rubygems/pull/5906">#5906</a>.</li> <li>migrated the GitLab CI template generated by <code class="language-plaintext highlighter-rouge">bundle gem</code> to the one now recommended by GitLab.</li> </ul> <p>In October, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-10-01%7D...master@%7B2022-10-31%7D">74 new commits</a>, contributed by 11 authors. There were 1,594 additions and 833 deletions across 125 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>There was minor maintenance work on RubyGems.org this month, which included triaging issues, reviewing pull requests, and updating dependencies.</p> <p>In October, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-10-01%7D...master@%7B2022-10-31%7D">30 new commits</a>, contributed by 3 authors. 
There were 22 additions and 22 deletions across 1 file.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.25 Released 2022-11-02T00:00:00+00:00 http://blog.rubygems.org/2022/11/02/3.3.25-released <p>RubyGems 3.3.25 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Github source should default to secure protocol. Pull request #6026 by jasonkarns</li> <li>Allow upcoming JRuby to pass keywords to Kernel#warn. Pull request #6002 by enebo</li> <li>Installs bundler 2.3.25 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.25.tgz<br /> 79f0f8594a3b856cdd37215128aa86cc6ab5ab26d4fed0d9ded4117e9a66d8cd</li> <li>rubygems-3.3.25.zip<br /> 5da25797744ff99ee9a94f18bf6b29b855760772b9018549cc15d0b4cb44b733</li> <li>rubygems-update-3.3.25.gem<br /> b8ea3be0be8cd52869b10ae997dd87f2281bfd2396a8cfa94faae510785066a2</li> </ul> September 2022 RubyGems Updates 2022-10-18T00:00:00+00:00 http://blog.rubygems.org/2022/10/18/septemeber-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in September.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3322--2022-09-07">v3.3.22</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2322-september-7-2022">v2.3.22</a>.</p> <p>The following improvements and fixes are also included in these releases (see the changelog for more information):</p> <ul> <li>added the <code class="language-plaintext highlighter-rouge">bundle-console</code> command to Bundler’s documentation - <a href="https://github.com/rubygems/rubygems/pull/5901">#5901</a>.</li> <li>updated the Bundler metadata source code URI in the gemspec for accuracy - <a href="https://github.com/rubygems/rubygems/pull/5896">#5896</a>.</li> <li>removed the warning for old TLS version connections - <a href="https://github.com/rubygems/rubygems/pull/5928">#5928</a>.</li> <li>removed the no-longer-needed <code class="language-plaintext highlighter-rouge">fiddle</code> hacks, since RubyInstaller has released patch versions that do not load <code class="language-plaintext highlighter-rouge">fiddle</code> on boot - <a href="https://github.com/rubygems/rubygems/pull/5902">#5902</a>.</li> </ul> <p>In addition, this month we’ve been working on migrating Bundler’s internal resolver engine to PubGrub, which should result in much better error messages and resolution performance. We hope to release this work soon.</p> <p>We have also removed the feature of auto-sudo’ing when there are not enough permissions to perform certain operations, because it was considered harmful and hardly useful. This removal will be released with Bundler 2.4.0.</p> <p>In September, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-09-01%7D...master@%7B2022-09-31%7D">94 new commits</a>, contributed by 19 authors. 
There were 1,678 additions and 1,869 deletions across 161 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In September, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>merged a feature that allows users to delete all scoped <code class="language-plaintext highlighter-rouge">API</code> keys on password reset - <a href="https://github.com/rubygems/rubygems.org/pull/3202">#3202</a>.</li> <li>added a <code class="language-plaintext highlighter-rouge">rake task</code> to migrate MFA <code class="language-plaintext highlighter-rouge">ui_only</code> users to <code class="language-plaintext highlighter-rouge">ui_and_gem_signin</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3217">#3217</a>.</li> <li>fixed the MFA status label on the owners index page - <a href="https://github.com/rubygems/rubygems.org/pull/3206">#3206</a>.</li> <li>added a fix to include missing i18n API Keys - <a href="https://github.com/rubygems/rubygems.org/pull/3208">#3208</a>.</li> <li>added the recommended <code class="language-plaintext highlighter-rouge">to_utf8</code> method when comparing certificate subjects - <a href="https://github.com/rubygems/rubygems.org/pull/3197">#3197</a>.</li> </ul> <p>This month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-09-01%7D...master@%7B2022-09-31%7D">45 new commits</a>, contributed by 11 authors. There were 621 additions and 212 deletions across 65 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.24 Released 2022-10-17T00:00:00+00:00 http://blog.rubygems.org/2022/10/17/3.3.24-released <p>RubyGems 3.3.24 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.3.24 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.24.tgz<br /> 15e2bc2625843fe7328db41156b556b54d7af9cd57438e33de11e9b8177d9102</li> <li>rubygems-3.3.24.zip<br /> 48bac6f4f600ef3970f3e09c250c7f69c42db1e00165bde31446c3fde9de7ba2</li> <li>rubygems-update-3.3.24.gem<br /> fff6969d6e37b9a74bd2a45ae9ec5ad563cd3be15e611cf0cb92e0a396aa5616</li> </ul> 3.3.23 Released 2022-10-05T00:00:00+00:00 http://blog.rubygems.org/2022/10/05/3.3.23-released <p>RubyGems 3.3.23 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Add better error handling for permanent redirect responses. Pull request #5931 by jenshenny</li> <li>Installs bundler 2.3.23 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix generic arm platform matching against runtime arm platforms with eabi modifiers. Pull request #5957 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">Gem::Platform.match</code> not handling String argument properly. 
Pull request #5939 by flavorjones</li> <li>Fix resolution on non-musl platforms. Pull request #5915 by deivid-rodriguez</li> <li>Mask the file mode when extracting files. Pull request #5906 by kddnewton</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.23.tgz<br /> 56c635df30b0fec362915e2597c59a6bb7581e9ddcc891cc3aa5d34eea486264</li> <li>rubygems-3.3.23.zip<br /> 8c6acb01383583b71bfddd3ec97fc5dab5a8b6fa220e000d79b284569ba87818</li> <li>rubygems-update-3.3.23.gem<br /> ae5966711cc2d1625acd8dd1967c8fdc0621f222a43d6472d9a8c1ef2cc48ec6</li> </ul> August 2022 RubyGems Updates 2022-09-17T00:00:00+00:00 http://blog.rubygems.org/2022/09/17/august-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in August.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions of RubyGems (<a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3320--2022-08-10">3.3.20</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3321--2022-08-24">3.3.21</a>) and Bundler(<a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2320-august-10-2022">2.3.20</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2321-august-24-2022">2.3.21</a>).</p> <p>The following are the main improvements shipped during this month (see the changelog for more improvements and fixes):</p> <ul> <li>added full support in RubyGems and Bundler for <code class="language-plaintext highlighter-rouge">musl</code> variants - <a href="https://github.com/rubygems/rubygems/pull/4488">#4488</a>, <a href="https://github.com/rubygems/rubygems/pull/5852">#5852</a>.</li> <li>implemented <code class="language-plaintext highlighter-rouge">Bundler.settings[:only]</code> to install gems of the only specified groups 
(a longstanding feature request we finally decided to add) - <a href="https://github.com/rubygems/rubygems/pull/5759">#5759</a>.</li> <li>restored previous performance of private RubyGems servers; it had gotten very slow after some correctness fixes - <a href="https://github.com/rubygems/rubygems/pull/5826">#5826</a>.</li> </ul> <p>In August, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-08-01%7D...master@%7B2022-08-31%7D">142 new commits</a>, contributed by 10 authors. There were 2,296 additions and 866 deletions across 214 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In August, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>set up email to announce MFA is required for maintainers of gems with 180M+ downloads - <a href="https://github.com/rubygems/rubygems.org/pull/3171">#3171</a>.</li> <li>removed MFA required (Phase 3) feature flag cookie - <a href="https://github.com/rubygems/rubygems.org/pull/3170">#3170</a>.</li> <li>simplified the API v1 GH scanning endpoint tests - <a href="https://github.com/rubygems/rubygems.org/pull/3196">#3196</a>.</li> <li>added superscript star for a RubyGem version date with a tooltip - <a href="https://github.com/rubygems/rubygems.org/pull/3193">#3193</a>.</li> <li>set up autocomplete value for OTP text field - <a href="https://github.com/rubygems/rubygems.org/pull/3187">#3187</a>.</li> <li>added a redirect uri to MFA setup and upgrade page that lets the user return to the settings page - <a href="https://github.com/rubygems/rubygems.org/pull/3185">#3185</a>.</li> <li>blocked <code class="language-plaintext highlighter-rouge">push</code>, <code class="language-plaintext highlighter-rouge">yank</code>, <code class="language-plaintext highlighter-rouge">a/r owners</code>, <code class="language-plaintext highlighter-rouge">gem signin</code> if the user requires MFA and has it disabled or at a weak level - <a 
href="https://github.com/rubygems/rubygems.org/pull/3155">#3155</a>.</li> </ul> <p>This month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-08-01%7D...master@%7B2022-08-31%7D">88 new commits</a>, contributed by 14 authors. There were 2,684 additions and 510 deletions across 68 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.22 Released 2022-09-07T00:00:00+00:00 http://blog.rubygems.org/2022/09/07/3.3.22-released <p>RubyGems 3.3.22 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Support non gnu libc arm-linux-eabi platforms. Pull request #5889 by ntkme</li> <li>Installs bundler 2.3.22 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem info</code> with explicit <code class="language-plaintext highlighter-rouge">--version</code>. 
Pull request #5884 by tonyaraujop</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.22.tgz<br /> 3845f162831b8ca42d6b66db5b1da1f220c72abde0ca8fa65d11c3879d9a8848</li> <li>rubygems-3.3.22.zip<br /> d529362bf7134089d755117b6ded6a7575f2b21eb38850ee908a9097e6b00f77</li> <li>rubygems-update-3.3.22.gem<br /> d7c5e95f0b2efef1dbc3c8ae3eff86d31984de73f8c81a665a487640edf95200</li> </ul> 3.3.21 Released 2022-08-24T00:00:00+00:00 http://blog.rubygems.org/2022/08/24/3.3.21-released <p>RubyGems 3.3.21 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Support non gnu libc linux platforms. Pull request #5852 by deivid-rodriguez</li> <li>Installs bundler 2.3.21 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.21.tgz<br /> 80892a59eb9c0430c172b7b8bc57c564ba776b659a7af8b71831bcf198350258</li> <li>rubygems-3.3.21.zip<br /> 7a45d0e570eb902c198c58fa0b41c364cc0eea5579c389d23cd0bb7e3cc5266b</li> <li>rubygems-update-3.3.21.gem<br /> 3d826fdfd8042253cc2678a6e7558c0f7b9f698b0f06e0797ba998bc6536be1e</li> </ul> An Update to RubyGems MFA Levels 2022-08-22T00:00:00+00:00 http://blog.rubygems.org/2022/08/22/mfa-ui-only-removed <h1 id="summary">Summary</h1> <p>The <code class="language-plaintext highlighter-rouge">UI only</code> multi-factor authentication level is being removed. 
Users who remain on the <code class="language-plaintext highlighter-rouge">UI only</code> MFA level will be migrated to the <code class="language-plaintext highlighter-rouge">UI and gem signin</code> level on September 22nd, 2022.</p> <h1 id="why-is-this-happening">Why is this happening?</h1> <p>In essence, the <code class="language-plaintext highlighter-rouge">UI and gem signin</code> level is the same as the <code class="language-plaintext highlighter-rouge">UI only</code> level, but it also requires that the <code class="language-plaintext highlighter-rouge">gem signin</code> command is verified with multi-factor authentication. This ensures that accounts with MFA protection are not impacted by compromised passwords.</p> <h1 id="what-is-going-to-change">What is going to change?</h1> <p>After the migration, users who were on the <code class="language-plaintext highlighter-rouge">UI only</code> level will need to enter a one-time password when using <code class="language-plaintext highlighter-rouge">gem signin</code>. For everyone else, nothing will change.</p> <p>If you are using <code class="language-plaintext highlighter-rouge">gem signin</code> in automated builds, we recommend that you migrate to using a pre-generated API key for authentication. 
You can either set the <code class="language-plaintext highlighter-rouge">API_KEY</code> environment variable to the value of your API key or write the key to the <code class="language-plaintext highlighter-rouge">credentials</code> file:</p> <p><code class="language-plaintext highlighter-rouge">echo "https://rubygems.org: YOUR_API_KEY" &gt; ~/.gem/credentials</code></p> <p>Check out the <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/#authentication-levels">guides</a> for more information on RubyGems MFA levels.</p> Requiring MFA on popular gem maintainers 2022-08-15T00:00:00+00:00 http://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems <p align="center"> <img src="/images/gem-with-thumbs-up-mfa-dropshadow.png" alt="Doodle of a RubyGem wearing a MFA hat, giving a thumbs up" width="300" /> </p> <p>Two months ago, we outlined our <a href="https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html">commitment</a> to making Ruby’s supply chain more secure. To combat account takeovers — the second most common software supply chain attack — we announced a policy to require multi-factor authentication (MFA) on at least the top-100 RubyGems packages.</p> <p>Today (August 15th, 2022), we will begin to enforce MFA on owners of gems with over 180 million total downloads. Users in this category who do not have MFA enabled at the <code class="language-plaintext highlighter-rouge">UI and API</code> or <code class="language-plaintext highlighter-rouge">UI and gem signin</code> level will not be able to edit their profile on the web, perform <a href="https://guides.rubygems.org/mfa-requirement-opt-in/#privileged-operations">privileged actions</a> (i.e. 
push and yank gems, or add and remove gem owners), or sign in on the command line until they <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/">configure MFA</a>.</p> <p>Maintainers of gems that surpass 165 million total downloads will continue to receive recommendation reminders on the UI and CLI until the gem reaches 180 million total downloads. At that point, MFA will be required.</p> <p>This policy would bring us in line with the policies made by other package ecosystems. We have plans to increase MFA adoption on RubyGems. If you have ideas on how future rollouts should be approached, join this <a href="https://github.com/rubygems/rfcs/issues/42">discussion</a> in our RFC repository!</p> <p>In addition, we are also currently working on adding support for <a href="https://webauthn.guide/">WebAuthn</a>. Maintainers would be able to use hardware tokens, biometric keys, and other WebAuthn-supported devices as their multi-factor device of choice.</p> <p>Be sure to stay tuned for updates! As always, if you have any feedback, questions or ideas on how to make RubyGems better and more secure, please contact us in the <a href="https://slack.bundler.io/">Bundler Slack workspace</a> or open a <a href="https://github.com/rubygems/rubygems.org/issues">GitHub issue</a>. 
If you require account assistance based on the changes rolled out today, please reach out to <a href="mailto:support@rubygems.org">support@rubygems.org</a>.</p> 3.3.20 Released 2022-08-10T00:00:00+00:00 http://blog.rubygems.org/2022/08/10/3.3.20-released <p>RubyGems 3.3.20 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Include backtrace with crashes by default. Pull request #5811 by deivid-rodriguez</li> <li>Don’t create broken symlinks when a gem includes them, but print a warning instead. Pull request #5801 by deivid-rodriguez</li> <li>Warn (rather than crash) when setting <code class="language-plaintext highlighter-rouge">nil</code> specification versions. Pull request #5794 by deivid-rodriguez</li> <li>Installs bundler 2.3.20 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Always consider installed specs for resolution, even if prereleases. Pull request #5821 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem install</code> with <code class="language-plaintext highlighter-rouge">--platform</code> flag not matching simulated platform correctly. Pull request #5820 by deivid-rodriguez</li> <li>Fix platform matching for index specs. 
Pull request #5795 by Ilushkanama</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.20.tgz<br /> 55350c6769aa6ecccceee5ce615e86ae0edd91e1801955d88c15f4840fef3938</li> <li>rubygems-3.3.20.zip<br /> b1914a51e14fdde79143d9b05d2a14385764f4e46d228af655bd7686dd6ab5c6</li> <li>rubygems-update-3.3.20.gem<br /> 1ac9b0c73ef1c5006e6273f8a9b4aeed4c6ad2ff5ab823400b067317410c1e56</li> </ul> July 2022 RubyGems Updates 2022-08-08T00:00:00+00:00 http://blog.rubygems.org/2022/08/08/july-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in July.</p> <h1 id="rubygems-news">RubyGems News</h1> <p>This month in RubyGems, we released new versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3318--2022-07-14">3.3.18</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3319--2022-07-27">3.3.19</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2318-july-14-2022">2.3.18</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2319-july-27-2022">2.3.19</a>.</p> <p>The following is a non-exhaustive list of other improvements included in the above releases (see the changelog for further information):</p> <ul> <li>updated the CLI to display MFA warnings on <code class="language-plaintext highlighter-rouge">gem signin</code>, to support work done on the RubyGems.org side - <a href="https://github.com/rubygems/rubygems/pull/5590">#5590</a>.</li> <li>added the long-requested feature of allowing installation from specific groups only - <a href="https://github.com/rubygems/rubygems/pull/5759">#5759</a>.</li> <li>extended the <code
class="language-plaintext highlighter-rouge">gem</code> DSL with a <code class="language-plaintext highlighter-rouge">force_ruby_platform</code> option - <a href="https://github.com/rubygems/rubygems/pull/4049">#4049</a>.</li> <li>fixed an issue with Bundler on Windows so that the new <code class="language-plaintext highlighter-rouge">x64-mingw-ucrt</code> platform, the default on <strong>Ruby 3.1</strong>, works seamlessly with the existing <code class="language-plaintext highlighter-rouge">platforms DSL</code> - <a href="https://github.com/rubygems/rubygems/pull/5655">#5655</a>.</li> <li>improved performance of <code class="language-plaintext highlighter-rouge">bundler/setup</code> - <a href="https://github.com/rubygems/rubygems/pull/5546">#5546</a>, <a href="https://github.com/rubygems/rubygems/pull/5695">#5695</a>.</li> <li>fixed several TruffleRuby issues - <a href="https://github.com/rubygems/rubygems/pull/5711">#5711</a>, <a href="https://github.com/rubygems/rubygems/pull/5694">#5694</a>, <a href="https://github.com/rubygems/rubygems/pull/5746">#5746</a>.</li> <li>fixed a confusing permission error when copying the compact index cache - <a href="https://github.com/rubygems/rubygems/pull/5709">#5709</a>.</li> <li>fixed an issue with Bundler printing the bug report template so that it gives a better error rather than suggesting a bug - <a href="https://github.com/rubygems/rubygems/pull/5726">#5726</a>.</li> <li>improved <code class="language-plaintext highlighter-rouge">gem not found</code> error messages to include the expected source - <a href="https://github.com/rubygems/rubygems/pull/5729">#5729</a>.</li> <li>merged a PR to fix <code class="language-plaintext highlighter-rouge">gem update --system</code> errors in some edge cases - <a href="https://github.com/rubygems/rubygems/pull/5728">#5728</a>, <a href="https://github.com/rubygems/rubygems/pull/5737">#5737</a>.</li> </ul> <p>In July, RubyGems gained <a
href="https://github.com/rubygems/rubygems/compare/master@%7B2022-07-01%7D...master@%7B2022-07-31%7D">150 new commits</a>, contributed by 15 authors. There were 8,654 additions and 7,904 deletions across 410 files.</p> <h1 id="rubygemsorg-news">RubyGems.org News</h1> <p>In July, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>added an <code class="language-plaintext highlighter-rouge">mfa_required</code> function to check when a user needs to enable MFA due to one of the packages they own passing the MFA-required downloads threshold - <a href="https://github.com/rubygems/rubygems.org/pull/3135">#3135</a>.</li> <li>merged a PR to reorganize locales by running <code class="language-plaintext highlighter-rouge">bill/fill-locales</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3134">#3134</a>.</li> <li>updated the <code class="language-plaintext highlighter-rouge">TargetRubyVersion</code> for Rubocop - <a href="https://github.com/rubygems/rubygems.org/pull/3139">#3139</a>.</li> <li>added an update to skip sending email when a user has no email address present - <a href="https://github.com/rubygems/rubygems.org/pull/3150">#3150</a>.</li> <li>fixed webhooks for users with multiple API keys - <a href="https://github.com/rubygems/rubygems.org/pull/3151">#3151</a>.</li> </ul> <p>This month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-06-01%7D...master@%7B2022-06-31%7D">74 new commits</a>, contributed by 13 authors. There were 1,015 additions and 263 deletions across 63 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.19 Released 2022-07-28T00:00:00+00:00 http://blog.rubygems.org/2022/07/28/3.3.19-released <p>RubyGems 3.3.19 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Display mfa warnings on <code class="language-plaintext highlighter-rouge">gem signin</code>. Pull request #5590 by aellispierce</li> <li>Require fileutils more lazily when installing gems. Pull request #5738 by deivid-rodriguez</li> <li>Fix upgrading RubyGems with a customized <code class="language-plaintext highlighter-rouge">Gem.default_dir</code>. Pull request #5728 by deivid-rodriguez</li> <li>Stop using <code class="language-plaintext highlighter-rouge">/dev/null</code> for silent ui for WASI platform. Pull request #5703 by kateinoigakukun</li> <li>Unify loading <code class="language-plaintext highlighter-rouge">Gem::Requirement</code>. Pull request #5596 by deivid-rodriguez</li> <li>Installs bundler 2.3.19 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">ruby setup.rb</code> with <code class="language-plaintext highlighter-rouge">--destdir</code> writing outside of <code class="language-plaintext highlighter-rouge">--destdir</code>. Pull request #5737 by deivid-rodriguez</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix wrong information about default RubyGems source. 
Pull request #5723 by tnir</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.19.tgz<br /> 9ab4b18e9166ff5686e4175c56dc2e285b90cee2a3bc9a182c9017dff1746c1e</li> <li>rubygems-3.3.19.zip<br /> be8997c8888d610af6d6e7e4f929d25b287184244384d435c8ea8ebc8698f7d2</li> <li>rubygems-update-3.3.19.gem<br /> d3bfa40c2f451723fff42f59096f84cd4ca55777d2da40e7ddd8f5cacec8bb38</li> </ul> 3.3.18 Released 2022-07-14T00:00:00+00:00 http://blog.rubygems.org/2022/07/14/3.3.18-released <p>RubyGems 3.3.18 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Make platform <code class="language-plaintext highlighter-rouge">universal-mingw32</code> match “x64-mingw-ucrt”. Pull request #5655 by johnnyshields</li> <li>Add more descriptive messages when <code class="language-plaintext highlighter-rouge">gem update</code> fails to update some gems. Pull request #5676 by brianleshopify</li> <li>Installs bundler 2.3.18 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Make sure RubyGems prints no warnings when loading plugins. Pull request #5607 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.18.tgz<br /> e262bf4331ec67f658c29f940d01f0b2547f41d39bfa90bf1902a3a76896fdc1</li> <li>rubygems-3.3.18.zip<br /> 2ac9fd51f1c6fef3df56bdb77815c14514e0572f42d4e69e3c769fa2537451ca</li> <li>rubygems-update-3.3.18.gem<br /> 5831b2c63c09867a26929c6079da020c80acfd3263e1b60740f1d9f48b772c8c</li> </ul> June 2022 RubyGems Updates 2022-07-08T00:00:00+00:00 http://blog.rubygems.org/2022/07/08/june-rubygems-updates <p>Welcome to the RubyGems monthly update! 
As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in June.</p> <h1 id="rubygems-news">RubyGems News</h1> <p>This month in RubyGems, we released new versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3316--2022-06-15">3.3.16</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3317--2022-06-29">3.3.17</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2316-june-15-2022">2.3.16</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2317-june-29-2022">2.3.17</a>.</p> <p>The following is a non-exhaustive list of other improvements included in the above releases (see the changelog for further information):</p> <ul> <li>fixed a regression when loading old marshaled specs - <a href="https://github.com/rubygems/rubygems/pull/5610">#5610</a>.</li> <li>improved performance of installing gems from gem server sources - <a href="https://github.com/rubygems/rubygems/pull/5614">#5614</a>.</li> <li>fixed incorrect password redaction when there’s an error in <code class="language-plaintext highlighter-rouge">gem source -a</code> - <a href="https://github.com/rubygems/rubygems/pull/5623">#5623</a>.</li> <li>fixed some errors being printed twice in <code class="language-plaintext highlighter-rouge">--verbose</code> mode - <a href="https://github.com/rubygems/rubygems/pull/5654">#5654</a>.</li> <li>created documentation on how to run <code class="language-plaintext highlighter-rouge">rake setup</code> as a regular user - <a href="https://github.com/rubygems/rubygems/pull/5662">#5662</a>.</li> <li>added clear and descriptive messages when <code class="language-plaintext 
highlighter-rouge">gem update</code> fails to update some gems - <a href="https://github.com/rubygems/rubygems/pull/5676">#5676</a>.</li> </ul> <p>In June, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-06-01%7D...master@%7B2022-06-31%7D">168 new commits</a>, contributed by 13 authors. There were 1,610 additions and 1,233 deletions across 165 files.</p> <h1 id="rubygemsorg-news">RubyGems.org News</h1> <p>In June, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>fixed confusion in MFA behaviour - <a href="https://github.com/rubygems/rubygems.org/pull/3079">#3079</a>.</li> <li>added a prompt to notify users leaving without copying MFA recovery codes - <a href="https://github.com/rubygems/rubygems.org/pull/3082">#3082</a>.</li> <li>removed API key <code class="language-plaintext highlighter-rouge">rubygems_id</code> from the form url query string - <a href="https://github.com/rubygems/rubygems.org/pull/3085">#3085</a>.</li> <li>separated MFA methods from <code class="language-plaintext highlighter-rouge">User.rb</code> to its own concern <code class="language-plaintext highlighter-rouge">UserMultifactorMethods</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3108">#3108</a>.</li> <li>added case insensitive uniqueness validation to user handles - <a href="https://github.com/rubygems/rubygems.org/pull/3120">#3120</a>.</li> <li>added a per user rate limit to the <code class="language-plaintext highlighter-rouge">gem push</code> command - <a href="https://github.com/rubygems/rubygems.org/pull/3121">#3121</a>.</li> <li>added a Capybara find method to wait for page to load when running tests - <a href="https://github.com/rubygems/rubygems.org/pull/3124">#3124</a>.</li> </ul> <p>This month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-06-01%7D...master@%7B2022-06-31%7D">74 new commits</a>, contributed by 13 authors. 
There were 1,015 additions and 263 deletions across 63 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.17 Released 2022-06-29T00:00:00+00:00 http://blog.rubygems.org/2022/06/29/3.3.17-released <p>RubyGems 3.3.17 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Document <code class="language-plaintext highlighter-rouge">gem env</code> argument aliases and add <code class="language-plaintext highlighter-rouge">gem env user_gemhome</code> and <code class="language-plaintext highlighter-rouge">gem env user_gemdir</code>. Pull request #5644 by deivid-rodriguez</li> <li>Improve error message when <code class="language-plaintext highlighter-rouge">operating_system.rb</code> fails to load. Pull request #5658 by deivid-rodriguez</li> <li>Clean up temporary directory after <code class="language-plaintext highlighter-rouge">generate_index --update</code>. Pull request #5653 by graywolf-at-work</li> <li>Simplify extension builder. Pull request #5626 by deivid-rodriguez</li> <li>Installs bundler 2.3.17 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Modify RubyGems issue template to be like the one for Bundler.
Pull request #5643 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.17.tgz<br /> 5ef482154c203211d7c23449ae7a02cf02b56ac58288c48bf3fde9ce83d23484</li> <li>rubygems-3.3.17.zip<br /> d25ec5dac8e16e9b11af09833102bb88d47699902b684922f487623a95f67321</li> <li>rubygems-update-3.3.17.gem<br /> abb27423ffcf4c33fce46fb7d0aa0fc4b832ca541bbdfe5858e025cfbbc6d7f9</li> </ul> 3.3.16 Released 2022-06-15T00:00:00+00:00 http://blog.rubygems.org/2022/06/15/3.3.16-released <p>RubyGems 3.3.16 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Auto-fix and warn gem packages including a gemspec with <code class="language-plaintext highlighter-rouge">require_paths</code> as an array of arrays. Pull request #5615 by deivid-rodriguez</li> <li>Misc cargo builder improvements. Pull request #5459 by ianks</li> <li>Installs bundler 2.3.16 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix incorrect password redaction when there’s an error in <code class="language-plaintext highlighter-rouge">gem source -a</code>. Pull request #5623 by deivid-rodriguez</li> <li>Fix another regression when loading old marshaled specs. 
Pull request #5610 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.16.tgz<br /> c005e85a90f7f49d9ac9c0b815d250a6096b096d34e958988487d74c11f7cdf1</li> <li>rubygems-3.3.16.zip<br /> 03450d2b51e9ea54ca26a3dda5f9b4840d40f1c187f9636bd6ca39548b05aafc</li> <li>rubygems-update-3.3.16.gem<br /> e07ed965b5cb62d85e7ad457c2f1fac6859605ed0dc9bee7b41a3129d5e9a502</li> </ul> May 2022 RubyGems Updates 2022-06-14T00:00:00+00:00 http://blog.rubygems.org/2022/06/14/may-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in May.</p> <h1 id="rubygems-news">RubyGems News</h1> <p>This month in RubyGems, we released new versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3314--2022-05-18">3.3.14</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3315--2022-06-01">3.3.15</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2314-may-18-2022">2.3.14</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2315-june-1-2022">2.3.15</a>.</p> <p>The following is a non-exhaustive list of other improvements included in the above releases (see the changelog for further information):</p> <ul> <li>fixed a regression causing an error message when an incompatible Ruby version is used - <a href="https://github.com/rubygems/rubygems/pull/5525">#5525</a>.</li> <li>fixed an issue with inline mode install output printing information about previously locked gems - <a href="https://github.com/rubygems/rubygems/pull/5529">#5529</a>, <a href="https://github.com/rubygems/rubygems/pull/5530">#5530</a>.</li> <li>fixed a 
regression when printing resolution conflicts on metadata requirements - <a href="https://github.com/rubygems/rubygems/pull/5562">#5562</a>.</li> <li>refactored the code that handles finding a target version in <code class="language-plaintext highlighter-rouge">gem update --system</code> - <a href="https://github.com/rubygems/rubygems/pull/5568">#5568</a>.</li> <li>made an update to display better error messaging when a previous installation fails to be removed - <a href="https://github.com/rubygems/rubygems/pull/5564">#5564</a>.</li> <li>improved exception reporting in the bug report template - <a href="https://github.com/rubygems/rubygems/pull/5563">#5563</a>.</li> </ul> <p>In May, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-05-01%7D...master@%7B2022-05-31%7D">84 new commits</a>, contributed by 9 authors. There were 851 additions and 472 deletions across 123 files.</p> <h1 id="rubygemsorg-news">RubyGems.org News</h1> <p>In May, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>fixed access to the undefined variable <code class="language-plaintext highlighter-rouge">version</code> in <code class="language-plaintext highlighter-rouge">GemcutterTaskshelper</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3068">#3068</a>.</li> <li>fixed some lint failure issues - <a href="https://github.com/rubygems/rubygems.org/pull/3069">#3069</a>.</li> <li>set UTC date format in the <code class="language-plaintext highlighter-rouge">update_version_file_test</code> rake task - <a href="https://github.com/rubygems/rubygems.org/pull/3066">#3066</a>.</li> <li>re-designed the dependencies list on the RubyGems UI - <a href="https://github.com/rubygems/rubygems.org/pull/3062">#3062</a>.</li> <li>added a fix to find versions explicitly by name &amp; platform - <a href="https://github.com/rubygems/rubygems.org/pull/3060">#3060</a>.</li> </ul> <p>This month, RubyGems.org gained <a
href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-05-01%7D...master@%7B2022-05-31%7D">51 new commits</a>, contributed by 15 authors. There were 580 additions and 91 deletions across 35 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> Making popular Ruby packages more secure 2022-06-13T00:00:00+00:00 http://blog.rubygems.org/2022/06/13/making-packages-more-secure <p align="center"> <img src="/images/gem-with-mfa-flag-dropshadow.png" alt="Doodle of a RubyGem wearing an MFA hat, holding a flag with a checkmark" width="300" /> </p> <p>Attacks on the software supply chain are increasing and our community has not gone unscathed. RubyGems has been affected by supply chain attacks in the past, so it’s important for us to mitigate these risks as much as possible. Recommending stronger security practices like enabling multi-factor authentication (MFA) on popular packages is a first step towards improving the security of the RubyGems ecosystem.</p> <p>Account takeovers are the <a href="https://arxiv.org/abs/2002.01139">second most common</a> attack on software supply chains. The countermeasure against this type of attack is simple: enabling MFA. 
Doing so can <a href="https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/">prevent 99.9 percent</a> of account takeover attacks.</p> <p>As proposed in the <a href="https://github.com/rubygems/rfcs/blob/master/text/0007-mfa-rollout.md">MFA rollout RFC</a>, RubyGems is beginning to move towards greater adoption of multi-factor authentication for gem maintainers.</p> <p>Starting today (June 13, 2022), the maintainers of at least the top 100 RubyGems packages will begin to see warnings on the RubyGems command-line tool and website if MFA is not enabled on their accounts. Anybody who maintains a gem with more than 165 million downloads will see this recommendation.</p> <p>Although this is currently just a recommendation, in two months’ time (August 15, 2022), we will begin to enforce MFA for owners of gems with more than 180 million downloads. This policy will bring us in line with other package ecosystems (e.g. <a href="https://github.blog/2022-02-01-top-100-npm-package-maintainers-require-2fa-additional-security/">npm</a>) as well as <a href="https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/">GitHub</a>.</p> <p>Maintainers affected by this policy will receive email reminders to enable MFA one month before, and again one week before, the enforcement goes into effect. We recommend that maintainers set their MFA <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/#authentication-levels">authentication level</a> to <code class="language-plaintext highlighter-rouge">UI and API</code>. However, <code class="language-plaintext highlighter-rouge">UI and gem signin</code> is acceptable too.</p> <p>Once these policy changes are fully complete for maintainers of the most popular gems, we intend to increase coverage by extending the MFA requirement to more gems in future. 
We’ll communicate any proposed changes in advance, but in the meantime please contact us in the <a href="https://slack.bundler.io/">Bundler Slack workspace</a> or open a <a href="https://github.com/rubygems/rubygems.org/issues">GitHub issue</a> if you have any feedback, questions or concerns.</p> <p>We are committed to fostering a safer, more secure ecosystem for Rubyists. This is one of many steps we plan to take over the coming months in order to maintain a healthy, reliable ecosystem for everyone. Stay tuned!</p> 3.3.15 Released 2022-06-01T00:00:00+00:00 http://blog.rubygems.org/2022/06/01/3.3.15-released <p>RubyGems 3.3.15 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Support the change of did_you_mean about <code class="language-plaintext highlighter-rouge">Exception#detailed_message</code>. Pull request #5560 by mame</li> <li>Installs bundler 2.3.15 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix loading old marshaled specs including <code class="language-plaintext highlighter-rouge">YAML::PrivateType</code> constant. Pull request #5415 by deivid-rodriguez</li> <li>Fix rubygems update when non default <code class="language-plaintext highlighter-rouge">--install-dir</code> is configured. 
Pull request #5566 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.15.tgz<br /> 2a9671b9d26ffcb49ad3bc3f57fd2c99923bbf650e3cfac41ce1f85ab79152ba</li> <li>rubygems-3.3.15.zip<br /> 42647dbdc6ef0218e34eb091201f2f10b0ce57c1fcf9f0db7cd20dc5dfbd68c8</li> <li>rubygems-update-3.3.15.gem<br /> f426fdda684fa9c2eb968daff5f9089014312c6b3827cdbd95d1078449d29dea</li> </ul> 3.3.14 Released 2022-05-18T00:00:00+00:00 http://blog.rubygems.org/2022/05/18/3.3.14-released <p>RubyGems 3.3.14 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.3.14 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.14.tgz<br /> 81e83c2f42c5335457b7209aa965143654d4dce660e2fa4ded47c63dac3b11b9</li> <li>rubygems-3.3.14.zip<br /> b1fac5481605de4082f7d553d8ea07f6391db6a892f8a7c131809893fd09e860</li> <li>rubygems-update-3.3.14.gem<br /> 5c5a8b3c39d1e38f3dd5d2562a7e4d30eda50635d3b590390c7c893736032972</li> </ul> April 2022 RubyGems Updates 2022-05-08T00:00:00+00:00 http://blog.rubygems.org/2022/05/08/april-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in April.</p> <h1 id="rubygems-news">RubyGems News</h1> <p>In April, we released new versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3311--2022-04-07">3.3.11</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3312--2022-04-20">3.3.12</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2311-april-7-2022">2.3.11</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2312-april-20-2022">2.3.12</a>.</p> <p>The main highlight of this month’s update is that RubyGems now has experimental built-in support for Rust extensions, thanks to the work done on <a href="https://github.com/rubygems/rubygems/pull/5175">#5175</a>.</p> <p>The following is a non-exhaustive list of other improvements included in the above releases (see the changelog for further information):</p> <ul> <li>added modern versions of Ruby as valid platform values in Gemfile DSL Spec file - <a href="https://github.com/rubygems/rubygems/pull/5469">#5469</a>.</li> <li>stopped considering <code class="language-plaintext highlighter-rouge">RUBY_PATCHLEVEL</code> for resolution - <a href="https://github.com/rubygems/rubygems/pull/5472">#5472</a>.</li> <li>enabled multi-factor authentication on specific keys during <code class="language-plaintext highlighter-rouge">gem signin</code> - <a href="https://github.com/rubygems/rubygems/pull/5305">#5305</a>.</li> </ul> <p>This month, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-04-01%7D...master@%7B2022-04-30%7D">86 new commits</a>, contributed by 13 authors. 
There were 977 additions and 599 deletions across 64 files.</p> <h1 id="rubygemsorg-news">RubyGems.org News</h1> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>replaced instances of <code class="language-plaintext highlighter-rouge">blacklist</code> with <code class="language-plaintext highlighter-rouge">blocklist</code>, and <code class="language-plaintext highlighter-rouge">whitelist</code> with <code class="language-plaintext highlighter-rouge">allowlist</code> - <a href="https://github.com/rubygems/rubygems.org/pull/3033">#3033</a>.</li> <li>updated ERD diagram to reflect the current database structure - <a href="https://github.com/rubygems/rubygems.org/pull/3032">#3032</a>.</li> <li>updated <code class="language-plaintext highlighter-rouge">elasticsearch-rails</code> gems - <a href="https://github.com/rubygems/rubygems.org/pull/3028">#3028</a>.</li> <li>migrated from using <code class="language-plaintext highlighter-rouge">kubernetes-deploy</code> to krane - <a href="https://github.com/rubygems/rubygems.org/pull/3018">#3018</a>.</li> <li>added a validation step prior to updating unconfirmed email - <a href="https://github.com/rubygems/rubygems.org/pull/3009">#3009</a>.</li> </ul> <p>In April, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-04-01%7D...master@%7B2022-04-31%7D">88 new commits</a>, contributed by 12 authors. There were 1,266 additions and 733 deletions across 79 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.13 Released 2022-05-04T00:00:00+00:00 http://blog.rubygems.org/2022/05/04/3.3.13-released <p>RubyGems 3.3.13 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.3.13 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix regression when resolving ruby constraints. Pull request #5486 by deivid-rodriguez</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Clarify description of owner-flags. Pull request #5497 by kronn</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.13.tgz<br /> f40b995eaa06c32ca0db3de90ed3e76df10d3cb59eb5764773db525487391eb6</li> <li>rubygems-3.3.13.zip<br /> a60bdd10b8c5093946330e49c3d51758a35f5b520dacb92e6e773b9bb08c1166</li> <li>rubygems-update-3.3.13.gem<br /> ff1fadba6c293e02bc8561bea6162a6bbbc917439ed2bed985bae29ccde590b1</li> </ul> 3.3.12 Released 2022-04-20T00:00:00+00:00 http://blog.rubygems.org/2022/04/20/3.3.12-released <p>RubyGems 3.3.12 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Less error swallowing when installing gems. 
Pull request #5475 by deivid-rodriguez</li> <li>Stop considering <code class="language-plaintext highlighter-rouge">RUBY_PATCHLEVEL</code> for resolution. Pull request #5472 by deivid-rodriguez</li> <li>Bump vendored optparse to latest master. Pull request #5466 by deivid-rodriguez</li> <li>Installs bundler 2.3.12 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix formatting in docs. Pull request #5470 by peterzhu2118</li> <li>Fix a typo. Pull request #5401 by znz</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.12.tgz<br /> a01524382bc6f912c494cde2581280ab93abd388379bd1046118adc896e8149e</li> <li>rubygems-3.3.12.zip<br /> 4df5da2e4cbe3ed83150c499937dea8a8d5ffdda9a767a677e210339732cfe7d</li> <li>rubygems-update-3.3.12.gem<br /> b181de2cf00da34304ea1e7752985137201828df8f843e00a264ec5366ccbc4a</li> </ul> 3.3.11 Released 2022-04-07T00:00:00+00:00 http://blog.rubygems.org/2022/04/07/3.3.11-released <p>RubyGems 3.3.11 includes enhancements and documentation.</p> <p>In particular, it includes <strong>experimental</strong> support for Rust extensions. We will gradually ship improvements to this in the next releases, but we’re releasing it now to get early feedback from the community.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Enable MFA on specific keys during <code class="language-plaintext highlighter-rouge">gem signin</code>. Pull request #5305 by aellispierce</li> <li>Prefer <code class="language-plaintext highlighter-rouge">__dir__</code> to <code class="language-plaintext highlighter-rouge">__FILE__</code>. Pull request #5444 by deivid-rodriguez</li> <li>Add cargo builder for Rust extensions. 
Pull request #5175 by ianks</li> <li>Installs bundler 2.3.11 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Improve RDoc setup. Pull request #5398 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.11.tgz<br /> 64184aec5bf3d4314eca3b8bae2085c5ddec50564b822340035187431dc1c074</li> <li>rubygems-3.3.11.zip<br /> 8bc74d1021a68141c9145cee50ac4ed55c3341145c7890e471b5bc168f4a83a3</li> <li>rubygems-update-3.3.11.gem<br /> baa62338f2894e4cfdf14aaeea7dcf7dadf2268f07b415c60e193966df78431a</li> </ul> March 2022 RubyGems Updates 2022-04-03T00:00:00+00:00 http://blog.rubygems.org/2022/04/03/march-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in March.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month, we released new versions of RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#339--2022-03-09">3.3.9</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3310--2022-03-23">3.3.10</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#239-march-9-2022">2.3.9</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2310-march-23-2022">2.3.10</a>.</p> <p>The following is a non-exhaustive list of the improvements included in the above releases (see the changelog for further information):</p> <ul> <li>worked on a small regression in Bundler 2.3.7 and released a fix with Bundler 2.3.9 - <a href="https://github.com/rubygems/rubygems/pull/5386">#5386</a>.</li> <li>merged some improvements to RDoc documentation - <a href="https://github.com/rubygems/rubygems/pull/5396">#5396</a>, 
<a href="https://github.com/rubygems/rubygems/pull/5398">#5398</a>, <a href="https://github.com/rubygems/rubygems/pull/5399">#5399</a>.</li> <li>enabled <code class="language-plaintext highlighter-rouge">net-http-persistent</code> to get in sync with the version we use in vendor - <a href="https://github.com/rubygems/rubygems/pull/5394">#5394</a>.</li> <li>merged a PR that reports Github Actions as a CI provider within the user agent string by checking the <code class="language-plaintext highlighter-rouge">GITHUB_ACTIONS</code> env variable - <a href="https://github.com/rubygems/rubygems/pull/5400">#5400</a>.</li> </ul> <p>In March, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-03-01%7D...master@%7B2022-03-31%7D">145 new commits</a>, contributed by 14 authors. There were 1,622 additions and 167 deletions across 88 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>increased <code class="language-plaintext highlighter-rouge">GEM_REQUEST_LIMIT</code> to fix the 422 response with <code class="language-plaintext highlighter-rouge">aws gem install</code> - <a href="https://github.com/rubygems/rubygems.org/pull/2991">#2991</a>.</li> <li>added <code class="language-plaintext highlighter-rouge">Toxiproxy</code> to <code class="language-plaintext highlighter-rouge">docker-compose</code> in host network mode - <a href="https://github.com/rubygems/rubygems.org/pull/2981">#2981</a>.</li> <li>refactored <code class="language-plaintext highlighter-rouge">link_to_github</code> code - <a href="https://github.com/rubygems/rubygems.org/pull/2980">#2980</a>.</li> <li>fixed deprecations recording when running tests - <a href="https://github.com/rubygems/rubygems.org/pull/2979">#2979</a>.</li> </ul> <p>In March, RubyGems.org gained <a 
href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-03-01%7D...master@%7B2022-03-31%7D">38 new commits</a>, contributed by 6 authors. There were 811 additions and 531 deletions across 30 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.10 Released 2022-03-23T00:00:00+00:00 http://blog.rubygems.org/2022/03/23/3.3.10-released <p>RubyGems 3.3.10 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.3.10 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Enable <code class="language-plaintext highlighter-rouge">Gem::Package</code> example in RDoc documentation. Pull request #5399 by nobu</li> <li>Unhide RDoc documentation from top level <code class="language-plaintext highlighter-rouge">Gem</code> module. 
Pull request #5396 by nobu</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.10.tgz<br /> 0d15a2bf577db17ebf034caaa7ba9cbd9f9b0cc1b569998964cdef741def8acf</li> <li>rubygems-3.3.10.zip<br /> 83ecb888e3b694393cfa09789a3b3e361050f1a0ca44a82172fc97ec4604aecf</li> <li>rubygems-update-3.3.10.gem<br /> a5e4fe18b9c3abedc9287b29fa9245dc588adeff11bd7a3e871bd17698eb9e72</li> </ul> 3.3.9 Released 2022-03-09T00:00:00+00:00 http://blog.rubygems.org/2022/03/09/3.3.9-released <p>RubyGems 3.3.9 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.3.9 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.9.tgz<br /> c7036dfb5623d17470a36a3e54692d03e74c59c06287ac919a33e2c4ae8c2416</li> <li>rubygems-3.3.9.zip<br /> 7e25b019675fbc4db09ac85a7e9a2ed346ac575d40c6c5ba580fb46abfefc2a8</li> <li>rubygems-update-3.3.9.gem<br /> 3e314fa7a70b5ee00387217f5ef9d29baf1ff6acbfca95a677a8c733d01c75ff</li> </ul> February 2022 RubyGems Updates 2022-03-07T00:00:00+00:00 http://blog.rubygems.org/2022/03/07/february-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in February.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions for RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#337--2022-02-09">3.3.7</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#338--2022-02-23">3.3.8</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#237-february-9-2022">2.3.7</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#238-february-23-2022">2.3.8</a>.</p> <p>The following is a non-exhaustive list of the improvements included in the above releases (see changelogs for further information):</p> <ul> <li>resolved some long-standing issues with our CI workflow and configuration - <a href="https://github.com/rubygems/rubygems/pull/5324">#5324</a>.</li> <li>fixed an issue with a corrupt lockfile that occurred when running <code class="language-plaintext highlighter-rouge">bundle check</code> and re-resolving locally - <a href="https://github.com/rubygems/rubygems/pull/5344">#5344</a>.</li> <li>fixed a typo in the multiple gemfiles warning - <a href="https://github.com/rubygems/rubygems/pull/5342">#5342</a>.</li> <li>added clarification for the <code class="language-plaintext highlighter-rouge">bundle-config</code> <code class="language-plaintext highlighter-rouge">"with"</code> option - <a href="https://github.com/rubygems/rubygems/pull/5346">#5346</a>.</li> <li>fixed an issue with <code class="language-plaintext highlighter-rouge">BUNDLE_WITH</code> and <code class="language-plaintext highlighter-rouge">BUNDLE_WITHOUT</code> environment variables being silently persisted locally - <a href="https://github.com/rubygems/rubygems/pull/5335">#5335</a>.</li> <li><code 
class="language-plaintext highlighter-rouge">bundle config</code> now saves configuration locally by default when run inside an application context - <a href="https://github.com/rubygems/rubygems/pull/4152">#4512</a>.</li> </ul> <p>In February, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-02-01%7D...master@%7B2022-02-31%7D">45 new commits</a>, contributed by 9 authors. There were 252 additions and 160 deletions across 58 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>enabled <strong>Rails 6.1</strong> default in <code class="language-plaintext highlighter-rouge">application.rb</code> - <a href="https://github.com/rubygems/rubygems.org/pull/2966">#2966</a>.</li> <li>disabled <code class="language-plaintext highlighter-rouge">mfa_required_since</code> usage - <a href="https://github.com/rubygems/rubygems.org/pull/2965">#2965</a>.</li> <li>fixed Rubocop warning by re-enabling Ruby and excluding some files - <a href="https://github.com/rubygems/rubygems.org/pull/2955">#2955</a>.</li> </ul> <p>In February, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-02-01%7D...master@%7B2022-02-31%7D">60 new commits</a>, contributed by 6 authors. There were 350 additions and 208 deletions across 28 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.8 Released 2022-02-23T00:00:00+00:00 http://blog.rubygems.org/2022/02/23/3.3.8-released <p>RubyGems 3.3.8 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.3.8 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.8.tgz<br /> 786206b1d733bafafc46a1d00c19822238c4de09ecbfac1dfa131455b1766f22</li> <li>rubygems-3.3.8.zip<br /> 2dba1d2e0ab97a077a40367dc69de6cc6c67f88b4a426d537315c32985c94251</li> <li>rubygems-update-3.3.8.gem<br /> 2e8b2d292b50c53823c01238578e405f39b0db2045e8aea011a9044cfb88f2fc</li> </ul> 3.3.7 Released 2022-02-09T00:00:00+00:00 http://blog.rubygems.org/2022/02/09/3.3.7-released <p>RubyGems 3.3.7 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Installs bundler 2.3.7 as a default gem.</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Fix missing rdoc for <code class="language-plaintext highlighter-rouge">Gem::Version</code>. 
Pull request #5299 by nevans</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.7.tgz<br /> 537475b3a75d4989a9f61c552c7249001a617e84e6cdfb533ff19ecfdeeaf183</li> <li>rubygems-3.3.7.zip<br /> 16a1d2f3bb582f81e92bec3c4822ba6ce20508b1e43b7bb4ff691d6589f09808</li> <li>rubygems-update-3.3.7.gem<br /> c2111261c993f95a4c523b37c8744fb9401de7c5df85a8146930017c188a2b64</li> </ul> January 2022 RubyGems Updates 2022-02-08T00:00:00+00:00 http://blog.rubygems.org/2022/02/08/january-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in January.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions for RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#335--2022-01-12">3.3.5</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#336--2022-01-26">3.3.6</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#235-january-12-2022">2.3.5</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#236-january-26-2022">2.3.6</a>.</p> <p>The following is a non-exhaustive list of the improvements included in the above releases (see changelogs for more details):</p> <ul> <li>merged tentative support for <code class="language-plaintext highlighter-rouge">--enable-load-relative</code> Ruby configuration flag in our bin stubs to fix some <code class="language-plaintext highlighter-rouge">gem install</code> issues on Windows - <a href="https://github.com/rubygems/rubygems/pull/2929">#2929</a>.</li> <li>published a blog post about <a href="https://bundler.io/blog/2022/01/23/bundler-v2-3.html">Bundler Version 
Switching</a> and released documentation for Bundler 2.3 on bundler.io.</li> <li>fixed regression with old marshaled specs having null <code class="language-plaintext highlighter-rouge">required_rubygems_version</code> - <a href="https://github.com/rubygems/rubygems/pull/5291">#5291</a>.</li> </ul> <p>In January, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2022-01-01%7D...master@%7B2022-01-31%7D">113 new commits</a>, contributed by 14 authors. There were 1,623 additions and 864 deletions across 139 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>enabled <code class="language-plaintext highlighter-rouge">Rails 6.1</code> defaults - <a href="https://github.com/rubygems/rubygems.org/pull/2917">#2917</a>.</li> <li>added <code class="language-plaintext highlighter-rouge">rake task</code> to send <a href="https://github.com/rubygems/rubygems.org/commit/4cb656a9cc342af171379915835a977c3e88ea91">ownership request notification</a>.</li> <li>verified <a href="https://github.com/rubygems/rubygems.org/commit/8368872dea4907d9c39b3f5125f4ea7b17df1232">session for Gem owners</a> before showing adoptions page.</li> <li>published <a href="https://blog.rubygems.org/2022/01/19/rubygems-adoptions.html">RubyGems adoptions blog post</a>.</li> </ul> <p>In January, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2022-01-01%7D...master@%7B2022-01-31%7D">48 new commits</a>, contributed by 5 authors. There were 443 additions and 121 deletions across 37 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.6 Released 2022-01-26T00:00:00+00:00 http://blog.rubygems.org/2022/01/26/3.3.6-released <p>RubyGems 3.3.6 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Forbid downgrading past the originally shipped version on Ruby 3.1. Pull request #5301 by deivid-rodriguez</li> <li>Support <code class="language-plaintext highlighter-rouge">--enable-load-relative</code> inside binstubs. Pull request #2929 by deivid-rodriguez</li> <li>Let <code class="language-plaintext highlighter-rouge">Version#&lt;=&gt;</code> accept a String. Pull request #5275 by amatsuda</li> <li>Installs bundler 2.3.6 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Avoid <code class="language-plaintext highlighter-rouge">flock</code> on non-Windows systems, since it causes issues on NFS file systems. Pull request #5278 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --system</code> for an already installed version of <code class="language-plaintext highlighter-rouge">rubygems-update</code>. 
Pull request #5285 by loadkpi</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.6.tgz<br /> af977b4036663a2acf2ab2a21f96ba4db824c3913f533db1de4b24281fc64b66</li> <li>rubygems-3.3.6.zip<br /> 692a94c5b919196d18766f5c9e1178ebefe810bcf64a8e450207db15c561868b</li> <li>rubygems-update-3.3.6.gem<br /> f4203a7438120a899b6ab3b96f1aeee95b936d2659845e2899634a439e1f565f</li> </ul> Rubygems Adoptions 2022-01-19T00:00:00+00:00 http://blog.rubygems.org/2022/01/19/rubygems-adoptions <p><strong>Important note: this article describes a feature which has since been <a href="https://github.com/rubygems/rubygems.org/pull/5356">removed from rubygems.org</a> (see the <a href="https://github.com/rubygems/rfcs/blob/master/text/0017-remove-adoptions.md">corresponding RFC</a>). It is kept for posterity.</strong></p> <p>Original article:</p> <hr /> <p>No matter how near and dear a project was once to your heart, we all know that with time priorities change. You may no longer have the time or enthusiasm for solving the issues of strangers on the internet that you once had. It is reasonable for you to expect that the members of the community who have benefited from your work all this time will step up and carry your legacy (pun intended) forward. After all, it is in everyone’s interest that a project used by the wider community doesn’t get stalled.</p> <p>We are trying to introduce a formal process to deal with scenarios where owners may be interested in handing over the stewardship of a gem to new members or just need more helping hands. <a href="https://github.com/bootstrap-ruby/bootstrap_form/issues/577">GitHub issues</a>, <a href="https://twitter.com/yugui/status/22490349662">Twitter posts</a>, mailing lists, <a href="https://www.codeshelter.co/projects/">Codeshelter</a>, and <a href="https://github.com/pickhardt/maintainers-wanted">maintainers-wanted</a> are great ways to reach out to the community. 
However, they may not have the visibility needed to find new maintainers quickly. RubyGems.org can be of great help here.</p> <p>At the same time, we are also trying to allow users to request the reuse of an abandoned namespace by contacting the gem owner directly. We routinely receive <a href="https://help.rubygems.org/search?utf8=%E2%9C%93&amp;q=abandoned&amp;t=d&amp;scope=all&amp;category_id=&amp;recommend=1">support tickets</a> requesting access to an abandoned namespace that hasn’t seen a release in quite a while. Finding the contact details of the owners can be a time-consuming process with limited scope for success. Recently we also decided that we will not show <a href="https://github.com/rubygems/rubygems.org/pull/2663">user email publicly by default</a>, which users may have used in the past to contact owners. Using “Ownership requests”, users will be able to submit such requests to gem owners through rubygems.org.</p> <h2 id="ownership-calls">Ownership calls</h2> <p>Gem owners will be able to create “Ownership calls” by clicking on the adoption link in the gem page sidebar. It will indicate that you are looking for new maintainers to join your project. You are encouraged to add details about your plan using the “note” field. For example, you should mention whether you intend to pass the baton or just need more helping hands.</p> <p><img src="/images/adoptions/adoptions-01.png" width="100%" /></p> <p>All gems with ownership calls will be listed on <a href="https://rubygems.org/ownership_calls">a site-wide index page</a>.</p> <p><img src="/images/adoptions/adoptions-02.png" width="100%" /></p> <p>Any registered user can apply for these ownership calls by creating an ownership request.</p> <p><img src="/images/adoptions/adoptions-03.png" width="100%" /></p> <p>Gem owners will receive a batched email of ownership requests created within the last 24 hours. You can visit the gem adoption page to approve or close ownership requests. 
If approved, the requester will be added as an owner of the gem. Owners can choose to disable these email notifications.</p> <p><img src="/images/adoptions/adoptions-04.png" width="100%" /></p> <h2 id="ownership-requests">Ownership requests</h2> <p>As mentioned previously, users will also be able to submit an ownership request without a corresponding ownership call if the gem has not received any update in the last year and has fewer than 10k total downloads.</p> <p><img src="/images/adoptions/adoptions-05.png" width="100%" /></p> <p>You are welcome to share contact details in your request. Only the gem owners and the user who created the ownership request will be able to see it. Note that the owner can disable email notifications and may not receive your request.</p> <h2 id="enhancements">Enhancements</h2> <p>In the future, we may want to expose ownership call information to users of the gem, which would print something like “n gems are looking for maintainers” after <code class="language-plaintext highlighter-rouge">bundle install</code> (similar to <a href="https://github.com/rubygems/rubygems/pull/3390">funding needed</a>). We may also want to support creating ownership calls using gemspec metadata. It goes without saying that none of this will be of any help if the owners are unresponsive. We are having an ongoing discussion about how we can better deal with such cases on <a href="https://github.com/rubygems/rfcs/pull/33">this RFC</a>.</p> <h2 id="credits">Credits</h2> <p>The idea was originally proposed by <a href="https://github.com/bf4">bf4</a> in this <a href="https://github.com/rubygems/rubygems.org/issues/725">RFC</a>. You can also check <a href="https://groups.google.com/g/rubygems-org/c/niS5ZO9DNgk/m/SHUzS-8Qx68J">this thread</a> for the previous discussions. We tried to implement this with <a href="https://github.com/vachhanihpavan">vachhanihpavan</a> during GSoC 2020. 
<a href="https://github.com/rubygems/rfcs/pull/25">RFC</a> he created and his <a href="https://github.com/vachhanihpavan/rubygems.org/pull/22">initial work</a> were pivotal in getting this shipped.</p> December 2021 RubyGems Updates 2022-01-18T00:00:00+00:00 http://blog.rubygems.org/2022/01/18/december-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Central</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in December.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In December, we released new versions for RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#330--2021-12-21">3.3.0</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#331--2021-12-22">3.3.1</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#332--2021-12-23">3.3.2</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#333--2021-12-24">3.3.3</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#334--2021-12-29">3.3.4</a> and Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2233-december-7-2021">2.2.33</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#230-december-21-2021">2.3.0</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#231-december-22-2021">2.3.1</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#232-december-23-2021">2.3.2</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#233-december-24-2021">2.3.3</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#234-december-29-2021">2.3.4</a>.</p> <p>With this 
batch of releases, we finally shipped the Bundler version switching feature, which had been planned for some time, and provided final versions to be included with the new Ruby 3.1 release.</p> <p>This month, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-12-01%7D...master@%7B2021-12-31%7D">209 new commits</a>, contributed by 18 authors. There were 1825 additions and 1086 deletions across 190 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In December, we enabled multi-factor authentication on specific <code class="language-plaintext highlighter-rouge">api_keys</code> and updated the website UI to reflect the change - <a href="https://github.com/rubygems/rubygems.org/pull/2846">#2846</a>.</p> <p>This month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-12-01%7D...master@%7B2021-12-31%7D">36 new commits</a>, contributed by 6 authors. There were 2693 additions and 139 deletions across 89 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.3.5 Released 2022-01-12T00:00:00+00:00 http://blog.rubygems.org/2022/01/12/3.3.5-released <p>RubyGems 3.3.5 includes enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Don’t activate <code class="language-plaintext highlighter-rouge">yaml</code> gem from RubyGems. Pull request #5266 by deivid-rodriguez</li> <li>Let <code class="language-plaintext highlighter-rouge">gem fetch</code> understand <code class="language-plaintext highlighter-rouge">&lt;gem&gt;:&lt;version&gt;</code> syntax and <code class="language-plaintext highlighter-rouge">--[no-]suggestions</code> flag. Pull request #5242 by ximenasandoval</li> <li>Installs bundler 2.3.5 as a default gem.</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem install &lt;non-existent-gem&gt; --force</code> crash. Pull request #5262 by deivid-rodriguez</li> <li>Fix longstanding <code class="language-plaintext highlighter-rouge">gem install</code> failure on JRuby. Pull request #5228 by deivid-rodriguez</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Markup <code class="language-plaintext highlighter-rouge">Gem::Specification</code> documentation with RDoc notations. 
Pull request #5268 by nobu</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.5.tgz<br /> 3de97c7635ce7bc8a91f575b83952c9fc50d244e744459817c7af49b5507480e</li> <li>rubygems-3.3.5.zip<br /> 896c817286d331743db66ba1d9fa91f22c63431c3af952466f8bb28ae9280991</li> <li>rubygems-update-3.3.5.gem<br /> 7d202c7cf0e1c704c3991128de1e4ab51fc012c0c6e3cdecd0f8455c466d8c18</li> </ul> <h2 id="334-released">3.3.4 Released</h2> <p>2021-12-29 · <a href="http://blog.rubygems.org/2021/12/29/3.3.4-released">http://blog.rubygems.org/2021/12/29/3.3.4-released</a></p> <p>RubyGems 3.3.4 includes enhancements, bug fixes and performance improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Don’t redownload <code class="language-plaintext highlighter-rouge">rubygems-update</code> package if already there. Pull request #5230 by deivid-rodriguez</li> <li>Installs bundler 2.3.4 as a default gem.</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --system</code> crashing when latest version not supported. Pull request #5191 by deivid-rodriguez</li> </ul> <h3>Performance</h3> <ul> <li>Make SpecificationPolicy autoload constant. 
Pull request #5222 by pocke</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.4.tgz<br /> efbe846f26332c39bad90956189ad465b88736369f80399c85a716b4650b3834</li> <li>rubygems-3.3.4.zip<br /> f5d7cd4e9547e715b4d97658ab87f8c225811c469b0c809970fd24d079f37bb2</li> <li>rubygems-update-3.3.4.gem<br /> df98672e59c80628ebc2c5c5391675f23f1dbe37357998be44125b3a9dba21c5</li> </ul> <h2 id="333-released">3.3.3 Released</h2> <p>2021-12-24 · <a href="http://blog.rubygems.org/2021/12/24/3.3.3-released">http://blog.rubygems.org/2021/12/24/3.3.3-released</a></p> <p>RubyGems 3.3.3 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Installs bundler 2.3.3 as a default gem.</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix gem installation failing in Solaris due to bad <code class="language-plaintext highlighter-rouge">IO#flock</code> usage. 
Pull request #5216 by mame</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.3.tgz<br /> 92dbe63e8bd2f937d61e9db2d407ed6891f44fdfcb5faf4683a3f88afc7a5363</li> <li>rubygems-3.3.3.zip<br /> 0da9df52ebb2e658f80127a19dac596381e5a6dabdfaf54fbc7514d017b4fc5a</li> <li>rubygems-update-3.3.3.gem<br /> 610aef544e0c15ff3cd5492dff3f5f46bd2062896f4f62c7191432c6f1d681c9</li> </ul> <h2 id="332-released">3.3.2 Released</h2> <p>2021-12-24 · <a href="http://blog.rubygems.org/2021/12/24/3.3.2-released">http://blog.rubygems.org/2021/12/24/3.3.2-released</a></p> <p>RubyGems 3.3.2 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Fix deprecations when activating DidYouMean for misspelled command suggestions. Pull request #5211 by yuki24</li> <li>Installs bundler 2.3.2 as a default gem.</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix gemspec truncation. 
Pull request #5208 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.2.tgz<br /> 7d63ce645273faf61a87be5354297da43eeed3b314acdc825ad38b2f0bf837eb</li> <li>rubygems-3.3.2.zip<br /> 526d0796c72a5e59295aca191a3d645fb3ee6b2cb449205293450108f620d268</li> <li>rubygems-update-3.3.2.gem<br /> 532b353e1696646e228004c130c81cc839d8ead25b65f5cc6ca1a65a8e56e0df</li> </ul> <h2 id="331-released">3.3.1 Released</h2> <p>2021-12-22 · <a href="http://blog.rubygems.org/2021/12/22/3.3.1-released">http://blog.rubygems.org/2021/12/22/3.3.1-released</a></p> <p>RubyGems 3.3.1 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Fix compatibility with OpenSSL 3.0. Pull request #5196 by rhenium</li> <li>Remove hard errors when matching major bundler not found. 
Pull request #5181 by deivid-rodriguez</li> <li>Installs bundler 2.3.1 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.1.tgz<br /> e7ff8afce2b003eb18e8c468ebd2cd8d81fde6cd788d096dad9efe2513997d66</li> <li>rubygems-3.3.1.zip<br /> 47a6597f923f2cc95640279de0683da9a8bfd57c2208532e4c6dc841804ef8e9</li> <li>rubygems-update-3.3.1.gem<br /> 7249104e68e7dc6f5b927d5287062be9c54ad8c660848e7284ee250a8beb5817</li> </ul> <h2 id="330-released">3.3.0 Released</h2> <p>2021-12-21 · <a href="http://blog.rubygems.org/2021/12/21/3.3.0-released">http://blog.rubygems.org/2021/12/21/3.3.0-released</a></p> <p>RubyGems 3.3.0 includes breaking changes, features, performance improvements, enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Breaking changes</h3> <ul> <li>Removed deprecated <code class="language-plaintext highlighter-rouge">gem server</code> command. Pull request #5034 by hsbt</li> <li>Remove macOS specific gem layout. Pull request #4833 by deivid-rodriguez</li> <li>Default <code class="language-plaintext highlighter-rouge">gem update</code> documentation format is now only <code class="language-plaintext highlighter-rouge">ri</code>. Pull request #3888 by hsbt</li> </ul> <h3>Features</h3> <ul> <li>Give suggestions for misspelled commands via the <code class="language-plaintext highlighter-rouge">did_you_mean</code> gem. Pull request #3904 by hsbt</li> </ul> <h3>Performance</h3> <ul> <li>Avoid some unnecessary stat calls. Pull request #3887 by kares</li> <li>Improve spell checking suggestion performance by vendoring <code class="language-plaintext highlighter-rouge">DidYouMean::Levenshtein.distance</code> from <code class="language-plaintext highlighter-rouge">did_you_mean-1.4.0</code>. 
Pull request #3856 by austinpray</li> </ul> <h3>Enhancements</h3> <ul> <li>Set <code class="language-plaintext highlighter-rouge">BUNDLER_VERSION</code> when <code class="language-plaintext highlighter-rouge">bundle _&lt;version&gt;_</code> is passed. Pull request #5180 by deivid-rodriguez</li> <li>Don’t require <code class="language-plaintext highlighter-rouge">rdoc</code> for <code class="language-plaintext highlighter-rouge">gem uninstall</code>. Pull request #4691 by ndren</li> <li>More focused rescue on extension builder exception to get more information on errors. Pull request #4189 by deivid-rodriguez</li> <li>Installs bundler 2.3.0 as a default gem.</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix encoding mismatch issues when writing gem packages. Pull request #5162 by deivid-rodriguez</li> <li>Fix broken brew formula due to loading <code class="language-plaintext highlighter-rouge">operating_system.rb</code> customizations too late. Pull request #5154 by deivid-rodriguez</li> <li>Properly fetch <code class="language-plaintext highlighter-rouge">Gem#latest_spec_for</code> with multiple sources. Pull request #2764 by kevlogan90</li> <li>Fix upgrade crashing when multiple versions of <code class="language-plaintext highlighter-rouge">fileutils</code> installed. Pull request #5140 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.3.0.tgz<br /> 70b75be9ee1546f4d953377ca0156cb323ab237f13b02b2a07c2e3984fcd13e0</li> <li>rubygems-3.3.0.zip<br /> 810ac5d1ab24820d3f6c9c49c04cd0c38bf9e9228c237be47997c6fa46cd0215</li> <li>rubygems-update-3.3.0.gem<br /> bf310ced488fc3abcc00f643488bf0d9f9431f81efd8c169c8c752f8f5d81c7e</li> </ul> <h2 id="november-2021-rubygems-updates">November 2021 RubyGems Updates</h2> <p>2021-12-09 · <a href="http://blog.rubygems.org/2021/12/09/november-rubygems-updates">http://blog.rubygems.org/2021/12/09/november-rubygems-updates</a></p> <p>Welcome to the RubyGems monthly update! 
As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in November.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month, we released new versions of RubyGems (<a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3231--2021-11-08">3.2.31</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3232--2021-11-23">3.2.32</a>) and Bundler (<a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2231-november-8-2021">2.2.31</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2232-november-23-2021">2.2.32</a>).</p> <p>The following is a non-exhaustive list of the improvements included in the above releases for RubyGems and Bundler (see the changelogs for more details):</p> <ul> <li>fixed a <code class="language-plaintext highlighter-rouge">gem fetch</code> vs. 
<code class="language-plaintext highlighter-rouge">gem install</code> inconsistency about platform-specific gems - <a href="https://github.com/rubygems/rubygems/pull/5037">#5037</a>.</li> <li>fixed issues with the <code class="language-plaintext highlighter-rouge">--destdir</code> and <code class="language-plaintext highlighter-rouge">--prefix</code> options of the RubyGems installer to help OS packagers.</li> <li>improved an error message about git being missing - <a href="https://github.com/rubygems/rubygems/pull/5036">#5036</a>, and fixed an issue where Bundler hid the system man pages - <a href="https://github.com/rubygems/rubygems/pull/5039">#5039</a>.</li> <li>adapted both clients to the recent gemification of some libraries (<code class="language-plaintext highlighter-rouge">optparse</code>, <code class="language-plaintext highlighter-rouge">pathname</code>).</li> <li>improved <code class="language-plaintext highlighter-rouge">bundle install</code> usability by automatically unlocking dependencies if a lock file got expired by Gemfile changes, instead of logging an error message - <a href="https://github.com/rubygems/rubygems/pull/5068">#5068</a>.</li> <li>fixed a <code class="language-plaintext highlighter-rouge">bundle update</code> issue related to not being able to downgrade Gemfile dependencies properly, and worked on some promising refactorings of Bundler internals in the context of ensuring we never generate corrupted lock files - <a href="https://github.com/rubygems/rubygems/pull/5078">#5078</a>.</li> <li>started work on Bundler version switching.</li> </ul> <p>In November, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-11-01%7D...master@%7B2021-11-30%7D">134 new commits</a>, contributed by 12 authors. 
There were 3,815 additions and 743 deletions across 137 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>updated and released support for ownership calls and requests - <a href="https://github.com/rubygems/rubygems.org/pull/2748">#2748</a>.</li> <li>wrote a blog post on gem adoption - <a href="https://github.com/rubygems/rubygems.github.io/pull/95">#95</a>.</li> <li>tested Ruby 3.0.3 for the memory leak and deployed an update to Ruby 3 - <a href="https://github.com/rubygems/rubygems.org/pull/2876">#2876</a>.</li> <li>debugged a high CPU alert on Postgres.</li> </ul> <p>In November, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-11-01%7D...master@%7B2021-11-30%7D">52 new commits</a>, contributed by 8 authors. There were 438 additions and 308 deletions across 63 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> <h2 id="3233-released">3.2.33 Released</h2> <p>2021-12-07 · <a href="http://blog.rubygems.org/2021/12/07/3.2.33-released">http://blog.rubygems.org/2021/12/07/3.2.33-released</a></p> <p>RubyGems 3.2.33 includes deprecations, enhancements, bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Deprecations</h3> <ul> <li>Deprecate typo name. 
Pull request #5109 by nobu</li> </ul> <h3>Enhancements</h3> <ul> <li>Add login &amp; logout aliases for the signin &amp; signout commands. Pull request #5133 by colby-swandale</li> <li>Fix race conditions when reading &amp; writing gemspecs concurrently. Pull request #4408 by deivid-rodriguez</li> <li>Installs bundler 2.2.33 as a default gem.</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">ruby setup.rb</code> trying to write outside of <code class="language-plaintext highlighter-rouge">--destdir</code>. Pull request #5053 by deivid-rodriguez</li> </ul> <h3>Documentation</h3> <ul> <li>Move required_ruby_version gemspec attribute to recommended section. Pull request #5130 by simi</li> <li>Skip generating documentation for vendored libraries. Pull request #5118 by hsbt</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.33.tgz<br /> 6c8408cd2e05dc8770c317661f48d59cd29cacbcd18e2f0aed5d4baa889b902d</li> <li>rubygems-3.2.33.zip<br /> 99d5e106ff68cc5aef2846009b840750db205305119127a74b894a0934b72516</li> <li>rubygems-update-3.2.33.gem<br /> 46862bd39dd078789d1cc7e2359772e50b33880a28b3eb83f80d42eec7e5a7e2</li> </ul> <h2 id="3232-released">3.2.32 Released</h2> <p>2021-11-23 · <a href="http://blog.rubygems.org/2021/11/23/3.2.32-released">http://blog.rubygems.org/2021/11/23/3.2.32-released</a></p> <p>RubyGems 3.2.32 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Refactor installer thread safety protections. Pull request #5050 by deivid-rodriguez</li> <li>Allow gem activation from <code class="language-plaintext highlighter-rouge">operating_system.rb</code>. 
Pull request #5044 by deivid-rodriguez</li> <li>Installs bundler 2.2.32 as a default gem.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.32.tgz<br /> 1a8223ad81c442badc4735df35d92a642401419fd107942966d4f0468a500b9c</li> <li>rubygems-3.2.32.zip<br /> e852f3087a4f4f67ef2398e0785f96d645f1772c4d2c775696e70fdb6e4a63ae</li> <li>rubygems-update-3.2.32.gem<br /> 8a6de61e080bf7275c93319c81fcf65689f849133318719065a55df58e833fde</li> </ul> <h2 id="october-2021-rubygems-updates">October 2021 RubyGems Updates</h2> <p>2021-11-09 · <a href="http://blog.rubygems.org/2021/11/09/october-rubygems-updates">http://blog.rubygems.org/2021/11/09/october-rubygems-updates</a></p> <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in October.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In October, we released new versions of RubyGems: <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3229--2021-10-08">3.2.29</a>, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3230--2021-10-26">3.2.30</a> and Bundler: <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2229-october-8-2021">2.2.29</a>, <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2230-october-26-2021">2.2.30</a>.</p> <p>The following is a non-exhaustive list of the improvements included in the above releases (see changelogs for more details):</p> <ul> <li>made <code class="language-plaintext highlighter-rouge">gem install</code> noticeably faster on Windows - <a href="https://github.com/rubygems/rubygems/pull/4960">#4960</a>.</li> <li>made <code class="language-plaintext highlighter-rouge">bundle install</code> automatically reinstall deleted gems even when the lockfile is up to date - <a href="https://github.com/rubygems/rubygems/pull/4974">#4974</a>.</li> <li>fixed an issue 
where lockfile checks were making Bundler crash - <a href="https://github.com/rubygems/rubygems/pull/4941">#4941</a>.</li> <li>improved some errors when <code class="language-plaintext highlighter-rouge">bundle install</code> crashes due to permission issues, and also when gem tasks fail to run gem commands under the hood - <a href="https://github.com/rubygems/rubygems/pull/4965">#4965</a>.</li> <li>added a couple of load-time improvements, like using <code class="language-plaintext highlighter-rouge">require_relative</code> in more places - <a href="https://github.com/rubygems/rubygems/pull/4978">#4978</a>, and avoiding activating the digest gem from RubyGems - <a href="https://github.com/rubygems/rubygems/pull/4979">#4979</a>.</li> </ul> <p>This month, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-10-01%7D...master@%7B2021-10-31%7D">133 new commits</a>, contributed by 16 authors. There were 27,317 additions and 82,207 deletions across 2,572 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>updated and released the MFA requirement opt-in - <a href="https://github.com/rubygems/rubygems.org/pull/2242">#2242</a>.</li> <li>wrote a guide for the MFA requirement opt-in feature - <a href="https://github.com/rubygems/guides/pull/297">#297</a>.</li> <li>debugged memory leaks after the update to Ruby 3 was made, and reverted the update - <a href="https://github.com/rubygems/rubygems.org/issues/2843">#2843</a>.</li> <li>fixed a race condition between version file update and version release - <a href="https://github.com/rubygems/rubygems.org/pull/2811">#2811</a>.</li> <li>fixed the broken transitive dependencies page for non-ruby platform versions - <a href="https://github.com/rubygems/rubygems.org/pull/2816">#2816</a>.</li> <li>responded to pager calls for the database being overloaded by bot traffic and updated the UI rate limit - <a href="https://github.com/rubygems/rubygems.org/pull/2835">#2835</a>.</li> </ul> <p>In October, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-10-01%7D...master@%7B2021-10-31%7D">49 new commits</a>, contributed by 7 authors. There were 873 additions and 120 deletions across 61 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> <h2 id="3231-released">3.2.31 Released</h2> <p>2021-11-08 · <a href="http://blog.rubygems.org/2021/11/08/3.2.31-released">http://blog.rubygems.org/2021/11/08/3.2.31-released</a></p> <p>RubyGems 3.2.31 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Don’t pass empty <code class="language-plaintext highlighter-rouge">DESTDIR</code> to <code class="language-plaintext highlighter-rouge">nmake</code> since it works differently from standard <code class="language-plaintext highlighter-rouge">make</code>. Pull request #5057 by hsbt</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem install</code> vs <code class="language-plaintext highlighter-rouge">gem fetch</code> inconsistency. Pull request #5037 by deivid-rodriguez</li> <li>Lazily load and vendor <code class="language-plaintext highlighter-rouge">optparse</code>. 
Pull request #4881 by deivid-rodriguez</li> <li>Use a vendored copy of <code class="language-plaintext highlighter-rouge">tsort</code> internally. Pull request #5027 by deivid-rodriguez</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">ruby setup.rb</code> when <code class="language-plaintext highlighter-rouge">--prefix</code> is passed. Pull request #5051 by deivid-rodriguez</li> <li>Don’t apply <code class="language-plaintext highlighter-rouge">--destdir</code> twice when running <code class="language-plaintext highlighter-rouge">setup.rb</code>. Pull request #2768 by alyssais</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.31.tgz<br /> 7c2623aeed99eb30fd38ec1ae81776d6dce33039ebcd94f763a4ab3d45c23fcb</li> <li>rubygems-3.2.31.zip<br /> b950c92efcf0e8643dd273d3269e9e1ae650623fa873f41f88849f9b0ec7b6b1</li> <li>rubygems-update-3.2.31.gem<br /> d1b9c76a5b733ab437120774800e026caba2ff4ae51dbbc7e6df6906b517b0ad</li> </ul> <h2 id="3230-released">3.2.30 Released</h2> <p>2021-10-26 · <a href="http://blog.rubygems.org/2021/10/26/3.2.30-released">http://blog.rubygems.org/2021/10/26/3.2.30-released</a></p> <p>RubyGems 3.2.30 includes enhancements and performance improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Add support to build and sign certificates with multiple key algorithms. Pull request #4991 by doodzik</li> <li>Avoid loading the <code class="language-plaintext highlighter-rouge">digest</code> gem unnecessarily. Pull request #4979 by deivid-rodriguez</li> <li>Prefer <code class="language-plaintext highlighter-rouge">require_relative</code> for all internal requires. 
Pull request #4978 by deivid-rodriguez</li> <li>Add missing <code class="language-plaintext highlighter-rouge">require</code> of <code class="language-plaintext highlighter-rouge">time</code> within <code class="language-plaintext highlighter-rouge">Gem::Request.verify_certificate_message</code>. Pull request #4975 by nobu</li> </ul> <h3>Performance</h3> <ul> <li>Speed up <code class="language-plaintext highlighter-rouge">gem install</code>, especially under Windows. Pull request #4960 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.30.tgz<br /> ae0c06fa076f90ad920737142f34abfae4c7df06bd6b799fed73ff5675cafbae</li> <li>rubygems-3.2.30.zip<br /> ffd5f25206e6517f2baeed0e0d499e30314e4f966073259b651e94db665a64fd</li> <li>rubygems-update-3.2.30.gem<br /> 8ba81c688344500418380ce8f4be247c9e8c3a41bdf8d678474b7094fdfbf6c2</li> </ul> <h2 id="september-2021-rubygems-updates">September 2021 RubyGems Updates</h2> <p>2021-10-13 · <a href="http://blog.rubygems.org/2021/10/13/september-rubygems-updates">http://blog.rubygems.org/2021/10/13/september-rubygems-updates</a></p> <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in September.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we saw some updates and fixes on the RubyGems and Bundler projects. 
Some of those changes include the following:</p> <ul> <li>released a new version of RubyGems, <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3227--2021-09-03"><code class="language-plaintext highlighter-rouge">3.2.27</code></a>, which included: <ul> <li>fixing an issue when installing some gems from GitHub private gem servers</li> <li>setting some unredacted credentials in verbose mode</li> <li>improving loading of the library by using <code class="language-plaintext highlighter-rouge">require_relative</code> for internal requires.</li> </ul> </li> <li>released version <code class="language-plaintext highlighter-rouge">3.2.28</code> of RubyGems, which included: <ul> <li>fixing a regression introduced by the redaction fix in <code class="language-plaintext highlighter-rouge">3.2.27</code>, which adds support for the MINGW-UCRT platform</li> <li>making sure not to load the <code class="language-plaintext highlighter-rouge">uri</code> gem unnecessarily</li> <li>relaxing gem spec validations to allow descriptions that include the “TODO” string.</li> </ul> </li> <li>made progress on a gem rebuild command that will allow exactly reproducing existing package builds (still unreleased).</li> <li>released Bundler version <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2227-september-3-2021"><code class="language-plaintext highlighter-rouge">2.2.27</code></a>, which fixed a couple of bundle check regressions, as well as issues with plugins and syntax errors in the generated GitHub Actions configuration in new gems. 
It also optimizes some requires and adds support for redacting credentials using the <code class="language-plaintext highlighter-rouge">x-oauth-basic</code> form.</li> <li>released Bundler version <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2228-september-22-2021"><code class="language-plaintext highlighter-rouge">2.2.28</code></a>, which made sure <code class="language-plaintext highlighter-rouge">bundle remove</code> automatically regenerates the lock file — deprecating the <code class="language-plaintext highlighter-rouge">--install</code> flag — and also updates the gemspec generated on new gems to use example.com as the sample gem server (instead of the potentially malicious mygemserver.com).</li> <li>made progress on the Bundler version locking RFC implementation (still to be released).</li> </ul> <p>In September, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-09-01%7D...master@%7B2021-09-30%7D">36 new commits</a>, contributed by 10 authors. 
There were 154 additions and 21 deletions across 24 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In September, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>investigated increased traffic and deployed a fix for tarpitting abusive clients.</li> <li><a href="https://github.com/rubygems/rubygems.org/pull/2769">updated Capybara</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2794"><code class="language-plaintext highlighter-rouge">faraday_middleware-aws-sigv4</code></a>, and <a href="https://github.com/rubygems/rubygems.org/pull/2344"><code class="language-plaintext highlighter-rouge">aws-sdk</code> dependencies</a> in preparation for the Ruby 3 update.</li> <li>fixed the versions and v1/deps Fastly cache not being purged on gem push - <a href="https://github.com/rubygems/rubygems.org/pull/2793">#2793</a>.</li> <li>updated the ownerships call PR to fix styling and add authorization - <a href="https://github.com/rubygems/rubygems.org/pull/2748">#2748</a>.</li> <li>thanks to <a href="https://github.com/matiaskorhonen">@matiaskorhonen</a>, we are now storing the certificate chain used to sign the published versions - <a href="https://github.com/rubygems/rubygems.org/pull/2444">#2444</a>.</li> </ul> <p>This month, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-09-01%7D...master@%7B2021-09-30%7D">75 new commits</a>, contributed by 7 authors. There were 579 additions and 112 deletions across 53 files.</p> <h2 id="related-news">Related News</h2> <p>Here we outline additional exciting updates made to other projects in the Ruby ecosystem.</p> <h3 id="ruby-toolbox">Ruby Toolbox</h3> <p>In September, we added the ability to browse a project’s reverse dependencies (the list of gems that declare that project as a dependency) based on the Rubygem dependency data added to the Ruby Toolbox earlier this year. 
Read more about the latest from Ruby Toolbox in the upcoming monthly update. You can sign up to <a href="https://www.getdrip.com/forms/6239290/submissions/new">receive updates every month as soon as they are released</a>.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> <h2 id="3229-released">3.2.29 Released</h2> <p>2021-10-08 · <a href="http://blog.rubygems.org/2021/10/08/3.2.29-released">http://blog.rubygems.org/2021/10/08/3.2.29-released</a></p> <p>RubyGems 3.2.29 includes enhancements, bug fixes and performance improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Only disallow FIXME/TODO as the first word of the gemspec description. Pull request #4937 by duckinator</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">wordy</code> method in <code class="language-plaintext highlighter-rouge">SourceFetchProblem</code> changing the password of the source. Pull request #4910 by Huangxiaodui</li> </ul> <h3>Performance</h3> <ul> <li>Improve <code class="language-plaintext highlighter-rouge">require</code> performance, particularly on systems with a lot of gems installed. 
Pull request #4951 by pocke</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.29.tgz<br /> 878ed074fab60e148401dd8772c4e993d8cd44eadd565e1ce20c91d45eec4850</li> <li>rubygems-3.2.29.zip<br /> 7c9281a033e44d315214f9ae5dcefbb2f538e0d52203699f6d27b35b88b30579</li> <li>rubygems-update-3.2.29.gem<br /> c51870f2bcd52d33930ea3bcba43bf197e1d7b90434d48fab717618ea2d695dd</li> </ul> <h2 id="3228-released">3.2.28 Released</h2> <p>2021-09-23 · <a href="http://blog.rubygems.org/2021/09/23/3.2.28-released">http://blog.rubygems.org/2021/09/23/3.2.28-released</a></p> <p>RubyGems 3.2.28 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <h3>Enhancements</h3> <ul> <li>Support MINGW-UCRT. Pull request #4925 by hsbt</li> <li>Only check if descriptions <em>start with</em> FIXME/TODO. Pull request #4841 by duckinator</li> <li>Avoid loading <code class="language-plaintext highlighter-rouge">uri</code> unnecessarily when activating gems. Pull request #4897 by deivid-rodriguez</li> </ul> <h3>Bug fixes</h3> <ul> <li>Fix redacted credentials being sent to gemserver. Pull request #4919 by jdliss</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.28.tgz<br /> 898905523343f4055f3f49d61793d889a8f287195c3342b4ef9a85022de487d6</li> <li>rubygems-3.2.28.zip<br /> 276257d91fe7bc0e7052dc1cadc07dad18a8eba56ce2a48aec17dad556692c29</li> <li>rubygems-update-3.2.28.gem<br /> b08d6d89c33a7433171b10748dfa023055b4cd278dcbb825b47688bf47485a6c</li> </ul> <h2 id="august-2021-rubygems-updates">August 2021 RubyGems Updates</h2> <p>2021-09-10 · <a href="http://blog.rubygems.org/2021/09/10/august-rubygems-updates">http://blog.rubygems.org/2021/09/10/august-rubygems-updates</a></p> <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in August.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released a new version of RubyGems - <em><a href="https://github.com/rubygems/rubygems/releases/tag/v3.2.26">3.2.26</a></em>. This release features experimental support for the <code class="language-plaintext highlighter-rouge">RUBYGEMS_GEMDEPS</code> environment variable, which allows using locked versions of executables without needing to prepend <code class="language-plaintext highlighter-rouge">bundle exec</code> to them. It also fixes an issue with the loading of RubyGems plugins and improves reporting of errors inside operating system customizations of RubyGems.</p> <p>On Bundler, we released Bundler <a href="https://rubygems.org/gems/bundler/versions/2.2.26">2.2.26</a>, which includes several small fixes and improvements; further <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2226-august-17-2021">details are in the changelog</a>.</p> <p>In August, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-08-01%7D...master@%7B2021-08-31%7D">133 new commits</a>, contributed by 11 authors. 
There were 1299 additions and 896 deletions across 192 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In August, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>drafted a PR for the Ruby 3 update to evaluate the changes required - <a href="https://github.com/rubygems/rubygems.org/pull/2760">#2760</a>.</li> <li>reduced Docker build time by up to 5 minutes by caching the <code class="language-plaintext highlighter-rouge">bundle install</code> command - <a href="https://github.com/rubygems/rubygems.org/pull/2761">#2761</a>.</li> <li>updated Rubocop as part of the updates for Ruby 3 - <a href="https://github.com/rubygems/rubygems.org/pull/2768">#2768</a>.</li> <li>debugged increased CPU usage on Postgres and added a rate limit on the <code class="language-plaintext highlighter-rouge">reverse_dependencies</code> page - <a href="https://github.com/rubygems/rubygems.org/pull/2754">#2754</a>.</li> <li>contacted Zendesk support about spam mails and enabled the beta version of the <code class="language-plaintext highlighter-rouge">Rspamd</code> spam filter system.</li> <li>evaluated the performance impact on our database of the <code class="language-plaintext highlighter-rouge">Gem Signature Verification</code> PR - <a href="https://github.com/rubygems/rubygems.org/pull/2444">#2444</a>.</li> </ul> <p>This month, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-08-01%7D...master@%7B2021-08-31%7D">34 new commits</a>, contributed by 3 authors. There were 135 additions and 129 deletions across 14 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.27 Released 2021-09-03T00:00:00+00:00 http://blog.rubygems.org/2021/09/03/3.2.27-released <p>RubyGems 3.2.27 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Redact credentials when printing URI. Pull request #4868 by intuxicated</li> <li>Prefer <code class="language-plaintext highlighter-rouge">require_relative</code> to <code class="language-plaintext highlighter-rouge">require</code> for internal requires. Pull request #4858 by deivid-rodriguez</li> <li>Prioritise gems with higher version for fetching metadata, and stop fetching once we find a valid candidate. 
Pull request #4843 by intuxicated</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.27.tgz<br /> 5bbc6ee95d570dadbf7972cb6dbe1dd612cfa57ec8ecab77055e5dcf27296f39</li> <li>rubygems-3.2.27.zip<br /> b03641d930e76828b11339c8521ef073d3041e284399569d008bf16fdcba3bdb</li> <li>rubygems-update-3.2.27.gem<br /> c659585857bebfc63901c9871c7d58760fe74d39d272a21051f238908d60e79b</li> </ul> 3.2.26 Released 2021-08-17T00:00:00+00:00 http://blog.rubygems.org/2021/08/17/3.2.26-released <p>RubyGems 3.2.26 includes enhancements and bug fixes.</p> <p>In particular, it includes some fixes to the <code class="language-plaintext highlighter-rouge">RUBYGEMS_GEMDEPS</code> experimental mode that allows automatically launching the specific version of binstubs locked in your <code class="language-plaintext highlighter-rouge">Gemfile.lock</code> file without using <code class="language-plaintext highlighter-rouge">bundle exec</code>.</p> <p>To use it, set the <code class="language-plaintext highlighter-rouge">RUBYGEMS_GEMDEPS</code> environment variable to the value <code class="language-plaintext highlighter-rouge">-</code>, or to the specific name of your <code class="language-plaintext highlighter-rouge">Gemfile</code> file if you’re not using standard names (either <code class="language-plaintext highlighter-rouge">Gemfile</code> or <code class="language-plaintext highlighter-rouge">gems.rb</code>).</p> <p>We encourage users to try this experimental mode and give us feedback.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Enhance the error handling for loading the <code class="language-plaintext highlighter-rouge">rubygems/defaults/operating_system</code> file. 
Pull request #4824 by intuxicated</li> <li>Ignore <code class="language-plaintext highlighter-rouge">RUBYGEMS_GEMDEPS</code> for the bundler gem. Pull request #4532 by deivid-rodriguez</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Also load user installed rubygems plugins. Pull request #4829 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.26.tgz<br /> f706ba94e5a7b9af3305b9502918238e24d53d8a764d6d27ed73af816eeed5ef</li> <li>rubygems-3.2.26.zip<br /> a8b81d5f5ffdaaee3483a6d5727c23fd29404170ed67b0257c8b3e2b44970646</li> <li>rubygems-update-3.2.26.gem<br /> 65319c4ed44f0922ce468b0244af522d42df3d88d87feac0453669ad4e2c7576</li> </ul> July 2021 RubyGems Updates 2021-08-11T00:00:00+00:00 http://blog.rubygems.org/2021/08/11/july-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in July.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions of RubyGems (<a href="https://github.com/rubygems/rubygems/releases/tag/v3.2.22">3.2.22</a>, <a href="https://github.com/rubygems/rubygems/releases/tag/v3.2.23">3.2.23</a>, <a href="https://github.com/rubygems/rubygems/releases/tag/v3.2.24">3.2.24</a>, and <a href="https://github.com/rubygems/rubygems/releases/tag/v3.2.25">3.2.25</a>) and Bundler (<a href="https://github.com/rubygems/rubygems/releases/tag/bundler-v2.2.22">2.2.22</a>, <a href="https://github.com/rubygems/rubygems/releases/tag/bundler-v2.2.23">2.2.23</a>, <a href="https://github.com/rubygems/rubygems/releases/tag/bundler-v2.2.24">2.2.24</a>, and <a href="https://github.com/rubygems/rubygems/releases/tag/bundler-v2.2.25">2.2.25</a>).</p> <p>In addition to that, 
RubyGems saw several bug fixes and updates this month, some of which include the following:</p> <ul> <li>investigated various RubyGems and Bundler issues on GitHub such as <a href="https://github.com/rubygems/rubygems/pull/4717">#4717</a> and <a href="https://github.com/rubygems/rubygems/pull/4719">#4719</a>.</li> <li>worked on the Bundler Version Locking RFC - <a href="https://github.com/rubygems/rfcs/pull/29">#29</a>.</li> <li>merged an enhancement that allows setting the <code class="language-plaintext highlighter-rouge">RUBYGEMS_GEMDEPS</code> environment variable to avoid the need for the <code class="language-plaintext highlighter-rouge">bundle exec</code> command.</li> <li>worked on automating the process of reproducing builds for gems - <a href="https://github.com/rubygems/rubygems/issues/3118">#3118</a>.</li> <li>fixed several outdated-definition issues (detecting whether the Gemfile has changed relative to the lockfile, so that the information in the lockfile can potentially be reused and dependency resolution avoided entirely)</li> <li>fixed the <code class="language-plaintext highlighter-rouge">--conservative</code> flag to allow finer-grained bundle updates.</li> <li>worked on smoothing the full transition to secure RubyGems sources, fixing the regressions we created along the way.</li> </ul> <p>While working on these changes, we also simplified Bundler internals and achieved faster bundler/setup performance.</p> <p>In July, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-07-01%7D...master@%7B2021-07-31%7D">169 new commits</a>, contributed by 14 authors. 
There were 1,878 additions and 1,237 deletions across 152 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In July, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>updated Kubernetes from version <code class="language-plaintext highlighter-rouge">1.16</code> to <code class="language-plaintext highlighter-rouge">1.20</code>.</li> <li>debugged and resolved CPU spikes on the database by removing the page entries info from the gem index page - <a href="https://github.com/rubygems/rubygems.org/pull/2738">#2738</a>.</li> <li>enabled the <code class="language-plaintext highlighter-rouge">rails 6.1</code> default <code class="language-plaintext highlighter-rouge">preload_links_header</code> - <a href="https://github.com/rubygems/rubygems.org/pull/2737">#2737</a>.</li> </ul> <p>This month, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-07-01%7D...master@%7B2021-07-31%7D">27 new commits</a>, contributed by 3 authors. There were 865 additions and 747 deletions across 13 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.25 Released 2021-07-30T00:00:00+00:00 http://blog.rubygems.org/2021/07/30/3.2.25-released <p>RubyGems 3.2.25 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Don’t load the <code class="language-plaintext highlighter-rouge">base64</code> library since it’s not used. Pull request #4785 by deivid-rodriguez</li> <li>Don’t load the <code class="language-plaintext highlighter-rouge">resolv</code> library since it’s not used. Pull request #4784 by deivid-rodriguez</li> <li>Lazily load <code class="language-plaintext highlighter-rouge">shellwords</code> library. Pull request #4783 by deivid-rodriguez</li> <li>Check requirements class before loading marshalled requirements. Pull request #4651 by nobu</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Add missing <code class="language-plaintext highlighter-rouge">require 'fileutils'</code> in <code class="language-plaintext highlighter-rouge">Gem::ConfigFile</code>. 
Pull request #4768 by ybiquitous</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.25.tgz<br /> 2ff02ad8fd2818065215be10150b8231046cb80b38f03cc5933c0e3081d993a7</li> <li>rubygems-3.2.25.zip<br /> 918c4a0ca395929b3cb87b7ea3b2ca918db1c5bdd0a3308a7408b20ed8a6af9c</li> <li>rubygems-update-3.2.25.gem<br /> 528165781ded53cb5d37ec3d66db41f6a54a4225910ecd01254afc5f9a1030b4</li> </ul> 3.2.24 Released 2021-07-15T00:00:00+00:00 http://blog.rubygems.org/2021/07/15/3.2.24-released <p>RubyGems 3.2.24 includes bug fixes and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Bug fixes:</em></p> <ul> <li>Fix contradictory message about deletion of default gem. Pull request #4739 by jaredbeck</li> </ul> <p><em>## Documentation:</em></p> <ul> <li>Add a description about <code class="language-plaintext highlighter-rouge">GEM_HOST_OTP_CODE</code> to help text. Pull request #4742 by ybiquitous</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.24.tgz<br /> 94e9f8f8f5177df461037aeb1f968bd7b952e6781a82348e367e10a0c040ce25</li> <li>rubygems-3.2.24.zip<br /> 57a20237fb7937be2fe4bbd7ebf8c7562da11700db156c1efa1cad2b09ca59c8</li> <li>rubygems-update-3.2.24.gem<br /> c87ae12e7de8ecdd655ffcd59675cc901aa564d2488c332dc7b39fc61f233d8d</li> </ul> June 2021 RubyGems Updates 2021-07-09T00:00:00+00:00 http://blog.rubygems.org/2021/07/09/june-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in June.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions for <strong>Bundler <code class="language-plaintext highlighter-rouge">2.2.20</code> and <code class="language-plaintext highlighter-rouge">2.2.21</code></strong> and <strong>RubyGems <code class="language-plaintext highlighter-rouge">3.2.20</code> and <code class="language-plaintext highlighter-rouge">3.2.21</code></strong>. The RubyGems release included a security fix contributed by <a href="https://github.com/sonalkr132">Aditya</a>, and the Bundler releases ship with several fixes and improvements.</p> <p>We also worked on improving the seamless migration of insecure lock files by automatically dealing with them when possible instead of printing a warning and still installing them - <a href="https://github.com/rubygems/rubygems/pull/4647">#4647</a> and <a href="https://github.com/rubygems/rubygems/pull/4683">#4683</a>.</p> <p>We also kept discussing how to improve the experience when Bundler needs <code class="language-plaintext highlighter-rouge">sudo</code> access, making the behaviour less upsetting for our users - <a href="https://github.com/rubygems/rubygems/issues/4031">#4031</a>.</p> <p>In June, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-06-01%7D...master@%7B2021-06-30%7D">98 new commits</a>, contributed by 10 authors. 
There were 993 additions and 480 deletions across 231 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In June, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>updated ElasticSearch to version 7.</li> <li>refactored and deployed the autocomplete search feature - <a href="https://github.com/rubygems/rubygems.org/pull/2047">#2047</a>.</li> <li>resolved reports with pending bounties on HackerOne.</li> <li>implemented platform verification in the <code class="language-plaintext highlighter-rouge">gemspec</code> to avoid a potential RCE - <a href="https://github.com/rubygems/rubygems/pull/4667">#4667</a>.</li> </ul> <p>This month, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-06-01%7D...master@%7B2021-06-30%7D">25 new commits</a>, contributed by 7 authors. There were 490 additions and 169 deletions across 30 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.23 Released 2021-07-09T00:00:00+00:00 http://blog.rubygems.org/2021/07/09/3.2.23-released <p>RubyGems 3.2.23 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Rewind IO source to allow working with contents in memory. 
Pull request #4729 by drcapulet</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.23.tgz<br /> 7a35de5be271b2c18076e87a2a9b50a7f2aefe3e0219aa9f028af05b45870a48</li> <li>rubygems-3.2.23.zip<br /> 8877b316493345f447d19e3cdab3e6e6e9503752cb178a11cd4c3a7672fdd92e</li> <li>rubygems-update-3.2.23.gem<br /> 5c62672fbd7d785a5d1c5fa2104ebb3779b64c5e654713b58f8733308610df2b</li> </ul> 3.2.22 Released 2021-07-06T00:00:00+00:00 http://blog.rubygems.org/2021/07/06/3.2.22-released <p>RubyGems 3.2.22 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Allow setting <code class="language-plaintext highlighter-rouge">--otp</code> via <code class="language-plaintext highlighter-rouge">GEM_HOST_OTP_CODE</code>. Pull request #4697 by CGA1123</li> <li>Fixes for the edge case when openssl library is missing. 
Pull request #4695 by rhenium</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.22.tgz<br /> 368979ef8103b550a98fc6479543831f0d55c3567d5ee4622d5aa569ee17418b</li> <li>rubygems-3.2.22.zip<br /> 911a8d06d6925b318ad0f8a768f665cb27c55614d4a1bfc6ad71593667b7c68f</li> <li>rubygems-update-3.2.22.gem<br /> b418f56e6df5035a5851f3b21c8b63090e76277e0c88deda2d03640ca31b59bd</li> </ul> 3.2.21 Released 2021-06-23T00:00:00+00:00 http://blog.rubygems.org/2021/06/23/3.2.21-released <p>RubyGems 3.2.21 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Fix typo in OpenSSL detection. Pull request #4679 by osyoyu</li> <li>Add the most recent licenses from spdx.org. Pull request #4662 by nobu</li> <li>Simplify setup.rb code to allow installing rubygems from source on truffleruby 21.0 and 21.1. Pull request #4624 by deivid-rodriguez</li> </ul> <p><em>## Bug fixes:</em></p> <ul> <li>Create credentials folder when setting API keys if not there yet. 
Pull request #4665 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.21.tgz<br /> 4d718c460aac06ee2c8b533e4b31fe9e5950aaec2489138b117bd5677dd29271</li> <li>rubygems-3.2.21.zip<br /> 8a3e0c54b307222171a1301cb697d2d0c8c48b48efb71a91226bf78ace0e3737</li> <li>rubygems-update-3.2.21.gem<br /> 6cd9dd8216841d35bf723e1f9d6edf58fbf5d99ae37412e63f1069c6f835ddd4</li> </ul> 3.2.20 Released 2021-06-11T00:00:00+00:00 http://blog.rubygems.org/2021/06/11/3.2.20-released <p>RubyGems 3.2.20 includes security fixes and enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Security fixes:</em></p> <ul> <li>Verify platform before installing to avoid potential remote code execution. Pull request #4667 by sonalkr132</li> </ul> <p><em>## Enhancements:</em></p> <ul> <li>Add better specification policy error description. Pull request #4658 by ceritium</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.20.tgz<br /> 0c4d73a0554f53980e996a14053a57e2611b49dbc1d4140f6b0f1226a252a24f</li> <li>rubygems-3.2.20.zip<br /> 536bd92110ad5a1491e8ad704b3ebf67f101de5f1af01d2bdc4317157c18d80a</li> <li>rubygems-update-3.2.20.gem<br /> 4f0cd0d3f83243d84bb0c5edf46eec5f34558c76a33bd070b71a0ecc798f044d</li> </ul> May 2021 RubyGems Updates 2021-06-10T00:00:00+00:00 http://blog.rubygems.org/2021/06/10/may-rubygems-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in May.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions for Bundler <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021"><code class="language-plaintext highlighter-rouge">2.2.18</code>, <code class="language-plaintext highlighter-rouge">2.2.19</code></a> and RubyGems <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3218--2021-05-25"><code class="language-plaintext highlighter-rouge">3.2.18</code>, <code class="language-plaintext highlighter-rouge">3.2.19</code></a> and focused on shipping a definitive fix for the dependency confusion issues that have been affecting Bundler for years. We finally managed to provide a fix (<a href="https://github.com/rubygems/rubygems/pull/4609">#4609</a>) with <code class="language-plaintext highlighter-rouge">bundler 2.2.18</code>.</p> <p>In addition to that, RubyGems saw several bug fixes and updates this month, some of which include the following:</p> <ul> <li>fixed a resolution issue where gems were being unintentionally removed from the lockfile - <a href="https://github.com/rubygems/rubygems/pull/4580">#4580</a>.</li> <li>shipped a fix in RubyGems to improve the reproducibility of building packages - <a href="https://github.com/rubygems/rubygems/pull/4610">#4610</a>.</li> <li>shipped other minor improvements, and some internal changes to our development environment like moving away from <code class="language-plaintext highlighter-rouge">minitest</code> in favor of <code class="language-plaintext highlighter-rouge">test-unit</code>.</li> </ul> <p>Check out the <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#3218--2021-05-25">RubyGems</a> and <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021">Bundler</a> changelogs for the full list of changes in the new versions shipped this month!</p> <p>In May, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-05-01%7D...master@%7B2021-05-31%7D">132 new commits</a>, contributed by 10 authors. There were 2419 additions and 2118 deletions across 228 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In May, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>investigated and fixed cache poisoning via the <code class="language-plaintext highlighter-rouge">x-forwarded-scheme</code> header. The issue was reported on HackerOne.</li> <li>set form-action and frame-ancestors CSP policy to mitigate bypass of X-Frame-Options using a proxy - <a href="https://github.com/rubygems/rubygems.org/pull/2718">#2718</a>.</li> <li>researched verified publisher implementation for the package manager - <a href="https://github.com/rubygems/rubygems.org/pull/2698#issuecomment-846356370">#2698</a>.</li> <li>added a copy link to the recovery code page and disabled the continue link - <a href="https://github.com/rubygems/rubygems.org/pull/2717">#2717</a>.</li> <li>tested the upgrade to Elasticsearch 7 on the staging environment and estimated downtime requirements.</li> </ul> <p>For this month, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-05-01%7D...master@%7B2021-05-31%7D">23 new commits</a>, contributed by 3 authors. 
There were 155 additions and 100 deletions across 11 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <h2 id="related-news">Related News</h2> <p>Here we outline additional exciting updates made to other projects in the Ruby Ecosystem.</p> <p>We launched <code class="language-plaintext highlighter-rouge">gem dependencies</code> in the <a href="https://github.com/rubytoolbox/rubytoolbox">Ruby Toolbox</a> Project Page. You can now explore the dependencies for each project on RubyGems.</p> <p>A specialty of this feature is that right next to each dependency you can also find the corresponding project health indicators, so if you’re looking at a library you can also see an indication of the status of its dependencies as well.</p> <p>Read more about this in the upcoming monthly update. You can sign up to <a href="https://www.getdrip.com/forms/6239290/submissions/new">receive updates every month as soon as they are released!</a></p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.19 Released 2021-05-31T00:00:00+00:00 http://blog.rubygems.org/2021/05/31/3.2.19-released <p>RubyGems 3.2.19 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem help build</code> output format. 
Pull request #4613 by tnir</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.19.tgz<br /> 785c3eee9eb6f9081ae22b803a402b84e09567b2484cb36290d0c82ecdd050e5</li> <li>rubygems-3.2.19.zip<br /> d7d5d435e7559e3436c954f2262adb7fb60c9a1db2d52abdbf318e9290f72572</li> <li>rubygems-update-3.2.19.gem<br /> 252d6e96a1b8857b3e2d027523407a2ed498d623dcdc2b67e5e5965da460b71a</li> </ul> 3.2.18 Released 2021-05-25T00:00:00+00:00 http://blog.rubygems.org/2021/05/25/3.2.18-released <p>RubyGems 3.2.18 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>## Enhancements:</em></p> <ul> <li>Don’t leave temporary directory around when building extensions to improve build reproducibility. Pull request #4610 by baloo</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.18.tgz<br /> 745715dba662237345a5c1fd893cde2d58c08f5874961c05c7b0d9d2be340323</li> <li>rubygems-3.2.18.zip<br /> 920670887c43ee1e3440e9ef654182ce7b4694caa69e9344c1d74502401f667e</li> <li>rubygems-update-3.2.18.gem<br /> 92c6a06ff1a960b5fe82c0a4e06f368a92e8702d7732fa34b0f12cce1fc511d9</li> </ul> April 2021 RubyGems Updates 2021-05-11T00:00:00+00:00 http://blog.rubygems.org/2021/05/11/april-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in April.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month in RubyGems, we released new versions for <strong>RubyGems</strong> <a href="https://github.com/rubygems/rubygems/blob/bb93b974100e9ddff7043e648d762e8a412be04e/CHANGELOG.md#3216--2021-04-08">v3.2.16</a>, <a href="https://github.com/rubygems/rubygems/blob/bb93b974100e9ddff7043e648d762e8a412be04e/CHANGELOG.md#3217--2021-05-05">v3.2.17</a> and corresponding versions for <strong>Bundler</strong> (<a href="https://github.com/rubygems/rubygems/blob/bb93b974100e9ddff7043e648d762e8a412be04e/bundler/CHANGELOG.md#2216-april-8-2021">v2.2.16</a> and <a href="https://github.com/rubygems/rubygems/blob/bb93b974100e9ddff7043e648d762e8a412be04e/bundler/CHANGELOG.md#2217-may-5-2021">v2.2.17</a>).</p> <p>As part of those releases, we made the following improvements and fixes:</p> <ul> <li>fixed an issue affecting custom <code class="language-plaintext highlighter-rouge">sidekiq-pro</code> gem servers, which was preventing users from upgrading their sidekiq-pro version - <a href="https://github.com/rubygems/rubygems/pull/4563">#4563</a>.</li> <li>made Bundler more secure by preventing any credentials from being logged to the screen, thus potentially preventing users from unintentionally leaking them when pasting them into a GitHub issue or similar situations - <a href="https://github.com/rubygems/rubygems/pull/4564">#4564</a>, <a href="https://github.com/rubygems/rubygems/pull/4566">#4566</a>.</li> <li>fixed a few resolution and materialization issues in Bundler - <a href="https://github.com/rubygems/rubygems/pull/4556">#4556</a>, <a href="https://github.com/rubygems/rubygems/pull/4562">#4562</a>, and also improved RubyGems handling of repositories including symlinks - <a href="https://github.com/rubygems/rubygems/pull/2836">#2836</a>.</li> 
</ul> <p>In April, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-04-01%7D...master@%7B2021-04-30%7D">101 new commits</a>, contributed by 15 authors. There were 1,591 additions and 391 deletions across 134 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In April, RubyGems.org saw several bug fixes and updates, some of which include the following:</p> <ul> <li>enabled support for non-SNI traffic on rubygems.org by migrating the Fastly endpoints to a dedicated IP - <a href="https://github.com/rubygems/rubygems/issues/4228">#4228</a>.</li> <li><a href="https://github.com/rubygems/rubygems.org/commit/da99700a6c727a4381648e4b687d4d3f08f67a25">enabled an authentication requirement for URL purge requests to Fastly</a>.</li> <li>fixed failing background jobs for sending the email confirmation - <a href="https://github.com/rubygems/rubygems.org/pull/2694">#2694</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2695">#2695</a>.</li> <li>added validation for the <code class="language-plaintext highlighter-rouge">unconfirmed_email</code> regex - <a href="https://github.com/rubygems/rubygems.org/pull/2694">#2694</a>.</li> <li>reduced the rate limit for abusers to 30 rps - <a href="https://github.com/rubygems/rubygems.org/pull/2703">#2703</a>.</li> <li>enabled the Multi-Factor Authentication (MFA) instructions only if <code class="language-plaintext highlighter-rouge">current_user</code> has MFA disabled - <a href="https://github.com/rubygems/rubygems.org/pull/2705">#2705</a>.</li> <li>thanks to <a href="https://github.com/arthurnn">@arthurnn</a> and <a href="https://github.com/greysteil">@greysteil</a>, we now support automatic revocation of API keys committed to GitHub repositories - <a href="https://github.com/rubygems/rubygems.org/pull/2687">#2687</a>. Note that this is only supported for the new API key format. 
Please check our <a href="https://guides.rubygems.org/api-key-scopes/#migration-from-legacy-api-key">guide for migration from legacy API keys</a>.</li> </ul> <p>For this month, <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-04-01%7D...master@%7B2021-04-30%7D">45 new commits</a>, contributed by 9 authors. There were 424 additions and 52 deletions across 34 files.</p> <h2 id="ruby-toolbox-and-api-news">Ruby Toolbox and API News</h2> <p>In April, we focused on maintenance work: fixing random failures in the Ruby Toolbox visual regression CI tests, upgrading dependencies, fixing webhook reception, and renaming the default git branch to main across all Ruby Toolbox repositories.</p> <p>On Ruby API, we worked on importing the core Ruby type signatures using the <code class="language-plaintext highlighter-rouge">RBS gem</code>, where the current definitions are maintained. Our aim is for the type signatures to be parsed inside Ruby API so they can be presented to the user in an easy to understand and digestible fashion.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.17 Released 2021-05-05T00:00:00+00:00 http://blog.rubygems.org/2021/05/05/3.2.17-released <p>RubyGems 3.2.17 includes enhancements and documentation.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Only print month &amp; year in deprecation messages. Pull request #3085 by Schwad</li> <li>Make deprecate method support ruby3’s keyword arguments. Pull request #4558 by mame</li> <li>Update the default bindir on macOS. Pull request #4524 by nobu</li> <li>Prefer File.open instead of Kernel#open. Pull request #4529 by mame</li> </ul> <p><em>Documentation:</em></p> <ul> <li>Fix usage messages to reflect the current POSIX-compatible behaviour. 
Pull request #4551 by graywolf-at-work</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.17.tgz<br /> bf0a04844e3cda290d6f48a8a8d99a4c49fc838bf85b26b5f80b34fd61a1b12f</li> <li>rubygems-3.2.17.zip<br /> bd0560695ed5c9b6c16fd4fb6c42282626dd7442fa6aeca410fc651e2d3722f2</li> <li>rubygems-update-3.2.17.gem<br /> 43ae87369c83f56b9fd3a70e5ecd8ebb8d083c888cf81a111c8192314b3616b3</li> </ul> 3.2.16 Released 2021-04-09T00:00:00+00:00 http://blog.rubygems.org/2021/04/09/3.2.16-released <p>RubyGems 3.2.16 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Correctly handle symlinks. Pull request #2836 by voxik</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.16.tgz<br /> 40db1609fbc6132c1d1491c912526bb30bdfc3f49d758e37ce7131c86021f6ae</li> <li>rubygems-3.2.16.zip<br /> 7fe58cee2d7f88e060f679561789e00a02b3cf74d860efae3e7d44150cc3c745</li> <li>rubygems-update-3.2.16.gem<br /> 117c52869b434f60ef71ab8a55bd9f5e65c64cf8efd1cc3ca8fbacbeaa4e8576</li> </ul> March 2021 RubyGems Updates 2021-04-07T00:00:00+00:00 http://blog.rubygems.org/2021/04/07/march-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to <a href="https://github.com/rubygems/rubygems">RubyGems</a> and <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> in March.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In March, we released new versions for RubyGems <a href="https://rubygems.org/gems/rubygems-update/versions">(from 3.2.12 to 3.2.15)</a> and Bundler <a href="https://rubygems.org/gems/bundler/versions">(from 2.2.12 to 2.2.15)</a>. Additionally, we worked on making the client tools more secure, and on making Git sources faster and more disk efficient.</p> <p>For this month, <a href="https://github.com/rubygems/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-03-01%7D...master@%7B2021-03-31%7D">150 new commits</a>, contributed by 10 authors. There were 2124 additions and 753 deletions across 107 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month in RubyGems.org, we <a href="https://github.com/rubygems/rubygems.org/pull/2674">enabled Rails v6.0 defaults</a> and <a href="https://github.com/rubygems/rubygems.org/pull/2675">deployed an update to Rails 6.1.3</a>.</p> <p>RubyGems.org saw several bug fixes and updates this month, some of which include the following:</p> <ul> <li>fixed upload of the test coverage report to Code Climate. - <a href="https://github.com/rubygems/rubygems.org/pull/2673">#2673</a></li> <li>made users’ emails private by default and updated existing accounts to hide emails. - <a href="https://github.com/rubygems/rubygems.org/pull/2663">#2663</a></li> <li>added text-only versions of emails to support more email clients. - <a href="https://github.com/rubygems/rubygems.org/pull/2652">#2652</a></li> <li>upgraded the ES instance type and storage, and added a strict rate limit on the Search API endpoint. 
- <a href="https://github.com/rubygems/rubygems.org/pull/2665">#2665</a></li> <li>updated nginx to the latest mainline to fix the <code class="language-plaintext highlighter-rouge">cache file .. has too long header</code> issue introduced in <code class="language-plaintext highlighter-rouge">v1.19.3</code>. - <a href="https://github.com/rubygems/rubygems.org/pull/2660">#2660</a></li> <li>replied to support tickets on Zendesk and Tenderapp.</li> </ul> <p>For this month, <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-03-01%7D...master@%7B2021-03-31%7D">60 new commits</a>, contributed by 8 authors. There were 546 additions and 515 deletions across 48 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.15 Released 2021-03-19T00:00:00+00:00 http://blog.rubygems.org/2021/03/19/3.2.15-released <p>RubyGems 3.2.15 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Prevent downgrades to untested rubygems versions. Pull request #4460 by deivid-rodriguez</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix missing require breaking <code class="language-plaintext highlighter-rouge">gem cert</code>. 
Pull request #4464 by lukehinds</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.15.tgz<br /> 110f1c8e0d35b5646559b3d8f66a80b7dfdbef6aa736f532a276d1d2be7cf05c</li> <li>rubygems-3.2.15.zip<br /> e94ee75ba8afd0c9a0ded2d85572e92eec28b8fb2c2aa08f235628a7db2b757a</li> <li>rubygems-update-3.2.15.gem<br /> d62c7481350acb55da736855972c7904e60f02cf4bd057549120f868a307b794</li> </ul> February 2021 RubyGems Updates 2021-03-12T00:00:00+00:00 http://blog.rubygems.org/2021/03/12/february-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in February.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month on RubyGems, we worked on fixing an issue with source priority that received attention due to a <a href="https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610">popular blog post</a>. In particular, the lockfile now keeps RubyGems sources separated, which limits the issue to fresh installs without a lockfile and allows for a workaround in the other cases (running <code class="language-plaintext highlighter-rouge">bundle lock</code> and reviewing the result before installing).</p> <p>In February, <a href="https://github.com/rubygems/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-02-01%7D...master@%7B2021-02-28%7D">114 new commits</a>, contributed by 12 authors. 
There were 743 additions and 204 deletions across 56 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month on RubyGems.org, we reduced the nginx rate limit to mitigate the load on Postgres - <a href="https://github.com/rubygems/rubygems.org/pull/2634">#2634</a> and evaluated the impact of reducing <code class="language-plaintext highlighter-rouge">random_page_cost</code> in the Postgres config.</p> <p>In addition to that, we made the following improvements and fixes:</p> <ul> <li>updated Elasticsearch to <strong>v6.8</strong>.</li> <li>set up notifications for AWS health events.</li> <li>updated the script to block a user from resetting API keys - <a href="https://github.com/rubygems/rubygems.org/pull/2647">#2647</a></li> <li>reduced the font size of the title and subtitle on the reverse dependencies page - <a href="https://github.com/rubygems/rubygems.org/pull/2637">#2637</a></li> <li>enabled the same-site lax cookie policy - <a href="https://github.com/rubygems/rubygems.org/pull/2638">#2638</a></li> <li>enabled the <code class="language-plaintext highlighter-rouge">return_only_media_type_on_content_type</code> Rails 6.0 default - <a href="https://github.com/rubygems/rubygems.org/pull/2639">#2639</a></li> <li>thanks to <a href="https://github.com/simi">simi</a>, we significantly reduced our build time by migrating from Travis to GitHub Actions. - <a href="https://github.com/rubygems/rubygems.org/pull/2626">#2626</a>.</li> </ul> <p>In February, <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-02-01%7D...master@%7B2021-02-28%7D">52 new commits</a>, contributed by 3 authors. 
There were 249 additions and 168 deletions across 23 files.</p> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.14 Released 2021-03-08T00:00:00+00:00 http://blog.rubygems.org/2021/03/08/3.2.14-released <p>RubyGems 3.2.14 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Less wrapping of network errors. Pull request #4064 by deivid-rodriguez</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Revert addition of support for <code class="language-plaintext highlighter-rouge">musl</code> variants to restore graceful fallback on Alpine. 
Pull request #4434 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.14.tgz<br /> cd81bef7e726f76992d31983318029cb621c05062f3768051c354a1d561c9c2d</li> <li>rubygems-3.2.14.zip<br /> 0e1cfba87fdd4b45965f61e550e80500562e704ce60d9e11e36ced175faaf439</li> <li>rubygems-update-3.2.14.gem<br /> 6f48d434431dc03d7b822dfe0cf5b2a3448ebfd9926112aa3ded8b0afa44b07c</li> </ul> 3.2.13 Released 2021-03-03T00:00:00+00:00 http://blog.rubygems.org/2021/03/03/3.2.13-released <p>RubyGems 3.2.13 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Support non-gnu libc linux platforms. Pull request #4082 by lloeki</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.13.tgz<br /> 6b8b2666f068dbaca376da794b767a9b2c37d8f30b09b612931ff938c8471403</li> <li>rubygems-3.2.13.zip<br /> 4164507064e5a56f9162a2d80a86a7dfa8d1882a2cb9a2f764edc611ee6c87d6</li> <li>rubygems-update-3.2.13.gem<br /> 6afba2d705a6c9c3a58486c4d7f24c90a2342d8bc9308018a2b74588fee8a77a</li> </ul> 3.2.12 Released 2021-03-01T00:00:00+00:00 http://blog.rubygems.org/2021/03/01/3.2.12-released <p>RubyGems 3.2.12 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Restore the ability to manually install extension gems. 
Pull request #4384 by cfis</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.12.tgz<br /> b069177ca78878fbcd08e74b3ebd38b1e1b8b164f1d22b4726a60a5299830344</li> <li>rubygems-3.2.12.zip<br /> c2abef085cf275403c1466b3f316d49b6e85d30ab1d6f4c24c32feeb70c8d774</li> <li>rubygems-update-3.2.12.gem<br /> 92f34de00b5cf4ece5c3ea52c59abd8e80c563ab409cf9e8c42c0ad1b050d4da</li> </ul> 3.2.11 Released 2021-02-17T00:00:00+00:00 http://blog.rubygems.org/2021/02/17/3.2.11-released <p>RubyGems 3.2.11 includes enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Optionally fallback to IPv4 when IPv6 is unreachable. Pull request #2662 by sonalkr132</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.11.tgz<br /> fee5620d279d51c85816b8c7a5a27a1e704bacabaedffb25b31b6c161d071053</li> <li>rubygems-3.2.11.zip<br /> ba3f8432a1a99f51424a15a819eae04cd25750c754680183c09c4231404282a8</li> <li>rubygems-update-3.2.11.gem<br /> 9bdcf17a4da02deab2a604fdc5148af9438012b5823980c29ac3f51e17eba58f</li> </ul> 3.2.10 Released 2021-02-15T00:00:00+00:00 http://blog.rubygems.org/2021/02/15/3.2.10-released <p>Installing RubyGems 3.2.10 also installs Bundler 2.2.10 as a default gem, which includes a fix for a security problem regarding source priority. 
Have a look at <a href="https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html">bundler’s blog post</a> for more information.</p> <p>RubyGems 3.2.10 also includes documentation improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Documentation:</em></p> <ul> <li>Add a <code class="language-plaintext highlighter-rouge">gem push</code> example to <code class="language-plaintext highlighter-rouge">gem help</code>. Pull request #4373 by deivid-rodriguez</li> <li>Improve documentation for <code class="language-plaintext highlighter-rouge">required_ruby_version</code>. Pull request #4343 by AlexWayfer</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.10.tgz<br /> ff311b8b86f1ebf5a8c7a0d51aa0f6013ec701eb9b44f4a19f1d9362a634c39e</li> <li>rubygems-3.2.10.zip<br /> 4e3af12f9dec4a0ec0403996792580a62a8e1a3fd7dedfefbf569523281d7f88</li> <li>rubygems-update-3.2.10.gem<br /> eb41e875697cf2c6c93b10250e52f64192efe6577387a7c33c8aca7515e688c2</li> </ul> January 2021 RubyGems Updates 2021-02-09T00:00:00+00:00 http://blog.rubygems.org/2021/02/09/january-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in January.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In January, we released new versions of Bundler <code class="language-plaintext highlighter-rouge">v2.2.5</code>, <code class="language-plaintext highlighter-rouge">v2.2.6</code>, <code class="language-plaintext highlighter-rouge">v2.2.7</code>, and <code class="language-plaintext highlighter-rouge">v2.2.8</code>, and corresponding versions of RubyGems <code class="language-plaintext highlighter-rouge">v3.2.5</code>, <code class="language-plaintext highlighter-rouge">v3.2.6</code>, <code class="language-plaintext highlighter-rouge">v3.2.7</code>, and <code class="language-plaintext highlighter-rouge">v3.2.8</code>. The main improvements in these releases are <strong>resolver correctness</strong> and <strong>better performance</strong>. Learn more about the specific changes in the changelogs: <a href="https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#228-february-2-2021">Bundler Changelog</a> and <a href="https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#328--2021-02-02">RubyGems Changelog</a>. We’re refining our RFC for Bundler Version Locking - <a href="https://github.com/rubygems/rfcs/pull/29">#29</a> and plan to move on to the implementation soon.</p> <p>As usual, we’re routinely triaging new issues and reviewing pull requests from contributors.</p> <p>This month, <a href="https://github.com/rubygems/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2021-01-02%7D...master@%7B2021-01-31%7D">172 new commits</a>, contributed by 12 authors. 
There were 53323 additions and 1646 deletions across 2565 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month on RubyGems.org, we reduced the delay in updating the versions endpoint after <code class="language-plaintext highlighter-rouge">gem push</code> from a worst case of <strong>3,660 seconds</strong> to <strong>60 seconds</strong> - <a href="https://github.com/rubygems/rubygems.org/pull/2612">#2612</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2614">#2614</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2616">#2616</a>.</p> <p>In addition to that, we made the following improvements and fixes:</p> <ul> <li>debugged the delay in the versions endpoint update on <code class="language-plaintext highlighter-rouge">gem push</code> and set a surrogate key on versions to reduce Fastly cache expiry. - <a href="https://github.com/rubygems/rubygems.org/pull/2612">#2612</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2614">#2614</a></li> <li>worked on pre-update changes for <strong>Rails 6.1</strong>, then updated to and deployed <strong>Rails 6.1</strong>. 
- <a href="https://github.com/rubygems/rubygems.org/pull/2607">#2607</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2597">#2597</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2598">#2598</a></li> <li>created Fastly support tickets for dedicated IPs and for an incorrect status code on matching If-None-Match.</li> <li>worked on updating the RubyGems-terraform root files to sync them with the current state.</li> <li>thanks to <a href="https://github.com/iMacTia">@iMacTia</a>, we added a new MFA level UI and <code class="language-plaintext highlighter-rouge">gem signin</code> - <a href="https://github.com/rubygems/rubygems.org#2601">#2601</a> - find out more about this on <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/#authentication-levels">RubyGems Guides</a>.</li> </ul> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <p>In January, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2021-01-01%7D...master@%7B2021-01-31%7D">89 new commits</a>, contributed by 8 authors. There were 651 additions and 377 deletions across 70 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.2.9 Released 2021-02-08T00:00:00+00:00 http://blog.rubygems.org/2021/02/08/3.2.9-released <p>RubyGems 3.2.9 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix error message when underscore selection can’t find bundler. Pull request #4363 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">Gem::Specification.stubs_for</code> returning wrong named specs. Pull request #4356 by tompng</li> <li>Don’t error out when activating a binstub unless necessary. Pull request #4351 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem outdated</code> incorrectly handling platform specific gems. 
Pull request #4248 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.9.tgz<br /> 93143b4c74625078eaceb0dbe795c93dab8f7af45e8901a70dff337fb1c2fe6c</li> <li>rubygems-3.2.9.zip<br /> dd9627ddb6b2d9f7a8c49b6472349045e9e5cb14a9429d10ca6f7dddbbc52f65</li> <li>rubygems-update-3.2.9.gem<br /> d13aa93200f40674466a39ed5f738ca024e843b2a453fefbe5d54193c773fa9d</li> </ul> 3.2.8 Released 2021-02-02T00:00:00+00:00 http://blog.rubygems.org/2021/02/02/3.2.8-released <p>RubyGems 3.2.8 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem install</code> crashing on gemspec with nil required_ruby_version. Pull request #4334 by pbernays</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.8.tgz<br /> 89cea1d27919a9b961cb59bd0eed025d1b005a4d1cad9722b45b752e4cbdb893</li> <li>rubygems-3.2.8.zip<br /> 039fe277d263e8f33ee738d4d5d288402e7712cc1b3dff1382d1a041a735af94</li> <li>rubygems-update-3.2.8.gem<br /> e71b9b4f4f00061b060c63714590a1cccd33012cef71f7ff752165d33cc37c16</li> </ul> 3.2.7 Released 2021-01-27T00:00:00+00:00 http://blog.rubygems.org/2021/01/27/3.2.7-released <p>RubyGems 3.2.7 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Generate plugin wrappers with relative requires. 
Pull request #4317 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.7.tgz<br /> d17233b20f032abed23b22bdf0921373f735f21bfa3ba7c212cf0db85d59aa57</li> <li>rubygems-3.2.7.zip<br /> 3c5910ea2e24f0fb5bd02c83bd1147e0cd3477778adf401402793ed764f56d55</li> <li>rubygems-update-3.2.7.gem<br /> bd1ada7315a09a55ea65d92ce3fb52ac45721779fcb17b419aff624bd21834a5</li> </ul> 3.1.6 Released 2021-01-26T00:00:00+00:00 http://blog.rubygems.org/2021/01/26/3.1.6-released <p>RubyGems 3.1.6 includes minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Improve require. Pull request #3133 by David Rodríguez.</li> <li>Simplify nested gem activation exceptions. Pull request #3450 by David Rodríguez.</li> <li>Fix correctness and performance regression in <code class="language-plaintext highlighter-rouge">require</code>. 
Pull request #3639 by David Rodríguez.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.1.6.tgz<br /> bac291f74a81f1ad382294e34a4871afaccd519185bbef0de0142d7e0637130e</li> <li>rubygems-3.1.6.zip<br /> 343756cb254e8db0dda595ad10c99b7392e939d982fa9e82f8111802a73134a1</li> <li>rubygems-update-3.1.6.gem<br /> 86a58af399928d5e365a356ada40c6acc5572f0e00cef6bceb6b27f0b06bf598</li> </ul> 3.2.6 Released 2021-01-19T00:00:00+00:00 http://blog.rubygems.org/2021/01/19/3.2.6-released <p>RubyGems 3.2.6 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">Gem::Platform#inspect</code> showing duplicate information. Pull request #4276 by deivid-rodriguez</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Swallow any system call error in <code class="language-plaintext highlighter-rouge">ensure_gem_subdirs</code> to support jruby embedded paths. Pull request #4291 by kares</li> <li>Restore accepting custom make command with extra options as the <code class="language-plaintext highlighter-rouge">make</code> env variable. Pull request #4271 by terceiro</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.6.tgz<br /> 7ec722c811a36961dcf048b83ed135f71e617ea105f1d8772299958351059866</li> <li>rubygems-3.2.6.zip<br /> 2164a6f2eac20bab5ec0c827699628d0e1ee94cbce829d113137144172261404</li> <li>rubygems-update-3.2.6.gem<br /> 7df0a0cd0504e1cd40295dd1a298910969c677f5c9f84a6d1779e290e3d6996e</li> </ul> December 2020 RubyGems Updates 2021-01-13T00:00:00+00:00 http://blog.rubygems.org/2021/01/13/december-rubygems-update <p>Welcome to the RubyGems monthly update! 
As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in December.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In December, we finally released <code class="language-plaintext highlighter-rouge">bundler 2.2</code> and <code class="language-plaintext highlighter-rouge">Rubygems 3.2</code> 🎉. On the Bundler side, this minor release provides some major enhancements in how Bundler treats platforms, and also a few extra features. Check <a href="https://bundler.io/blog/2020/12/09/bundler-v2-2.html">this blog post about the bundler-v2-2 release</a> for details. On the RubyGems side, the release provides a lot of bug fixes, a noticeable boot time speed-up, better integration with ruby-core and alternative implementations, and adds support for a server-side change that allows using scoped API keys.</p> <p>After the releases, we also received the corresponding feedback and regression reports, and addressed almost everything reported through 4 patch level releases of each library. In particular, we made it in time for Ruby’s Christmas release and managed to include <code class="language-plaintext highlighter-rouge">rubygems 3.2.3</code> and <code class="language-plaintext highlighter-rouge">bundler 2.2.3</code> with the final release of <code class="language-plaintext highlighter-rouge">ruby 3.0</code>.</p> <p>This month, <a href="https://github.com/rubygems/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-12-01%7D...master@%7B2020-12-21%7D">203 new commits</a>, contributed by 13 authors. 
There were 4191 additions and 2066 deletions across 1184 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, we published a guide on RubyGems.org about <a href="https://guides.rubygems.org/api-key-scopes/">API keys, their scopes, and CLI usage</a> - <a href="https://github.com/rubygems/guides/pull/275">#275</a>. We also investigated and removed the <code class="language-plaintext highlighter-rouge">ruby-bitcoin</code> and <code class="language-plaintext highlighter-rouge">pretty_color</code> gems for containing malicious code which could steal sensitive information; this issue was reported by <a href="https://github.com/mensfeld">@mensfeld</a>, who flagged the obfuscated code. - <a href="https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#14-dec-2020">Gems yanked and Accounts Locked Wiki</a></p> <p>In addition to that, we made the following improvements and fixes:</p> <ul> <li>deployed a PR to update <code class="language-plaintext highlighter-rouge">versions_downloads</code> in Elasticsearch and reindexed to fix the mismatch in downloads count. <a href="https://github.com/rubygems/rubygems.org/pull/2534">#2534</a></li> <li>deployed API keys with scopes and migrated legacy per-account keys to the new API keys with encrypted storage. <a href="https://github.com/rubygems/rubygems.org/pull/1962">#1962</a></li> <li>set up insecure.rubygems.org to not redirect dependency endpoints to HTTPS. <a href="https://github.com/rubygems/rubygems.org/pull/2590">#2590</a></li> <li>worked on a PR to block throw-away domains from signup. <a href="https://github.com/rubygems/rubygems.org/pull/2579">#2579</a></li> <li>merged a PR to update a failing test on ruby 2.7. <a href="https://github.com/rubygems/rubygems.org/pull/2580">#2580</a></li> <li>worked on a PR to update to Rails 6.1. <a href="https://github.com/rubygems/rubygems.org/pull/2584">#2584</a></li> <li>worked on a PR to update gem dependencies to support Elasticsearch 6. 
<a href="https://github.com/rubygems/rubygems.org/pull/2585">#2585</a></li> <li>updated a PR to update clearance. <a href="https://github.com/rubygems/rubygems.org/pull/2446">#2446</a></li> <li>enabled a few more Rails 6 defaults. <a href="https://github.com/rubygems/rubygems.org/pull/2583">#2583</a></li> <li>updated the rubygems.org TLS certificate to support TLS 1.3.</li> <li>deployed a PR and backfilled <code class="language-plaintext highlighter-rouge">canonical_versions</code> to disallow publishing of duplicate canonical version numbers. This resolves the issue of clients installing potentially malicious versions of existing releases. <a href="https://github.com/rubygems/rubygems.org/pull/2559">#2559</a></li> <li>updated <code class="language-plaintext highlighter-rouge">version_downloads</code> to use the most_recent version implementation. <a href="https://github.com/rubygems/rubygems.org/pull/2534">#2534</a></li> <li>fixed a script to block users with handles that had uppercase letters. <a href="https://github.com/rubygems/rubygems.org/pull/2570">#2570</a></li> <li>merged a PR to enable the Rails 6 default for <code class="language-plaintext highlighter-rouge">return_false_on_aborted_enqueue</code>. <a href="https://github.com/rubygems/rubygems.org/pull/2571">#2571</a></li> </ul> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <p>In total, <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-12-01%7D...master@%7B2020-12-31%7D">77 new commits</a>, contributed by 10 authors. There were 2154 additions and 596 deletions across 96 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> <h2>3.2.5 Released</h2> <p>Published <time datetime="2021-01-11T00:00:00+00:00">2021-01-11</time>: <a href="http://blog.rubygems.org/2021/01/11/3.2.5-released">http://blog.rubygems.org/2021/01/11/3.2.5-released</a></p> <p>RubyGems 3.2.5 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Don’t load more specs after the whole set of specs has been set up. Pull request #4262 by deivid-rodriguez</li> <li>Fix broken <code class="language-plaintext highlighter-rouge">bundler</code> executable after <code class="language-plaintext highlighter-rouge">gem update --system</code>. Pull request #4221 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.5.tgz<br /> 25a9532b8ed089e375a9e99c891e96ed7bcda09c7f571613fc694440a96fb925</li> <li>rubygems-3.2.5.zip<br /> 7f32b9afc7f0cf8061d4edd0578fedf773832b67fb42e00d6a1e9e643e9575f8</li> <li>rubygems-update-3.2.5.gem<br /> 320fa2bd18ae621d604a50de57c6ab4bb3a74b03f723b9c6570013e7699d147f</li> </ul> <h2>3.2.4 Released</h2> <p>Published <time datetime="2020-12-31T00:00:00+00:00">2020-12-31</time>: <a href="http://blog.rubygems.org/2020/12/31/3.2.4-released">http://blog.rubygems.org/2020/12/31/3.2.4-released</a></p> <p>RubyGems 3.2.4 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Use a CHANGELOG in markdown for rubygems. Pull request #4168 by deivid-rodriguez</li> <li>Never spawn subshells when building extensions. Pull request #4190 by deivid-rodriguez</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix fallback to the old index and installation from it not working. Pull request #4213 by deivid-rodriguez</li> <li>Fix installing from source on truffleruby. Pull request #4201 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.4.tgz<br /> 6053d6fa8ebcf53ac7c733bd103cffb08cfd3c466a421a134ad8e886ae255073</li> <li>rubygems-3.2.4.zip<br /> 05550e04f895f154adebb5d971f5d4820c0342e8c4bf5df20dfd567d4c900c86</li> <li>rubygems-update-3.2.4.gem<br /> 32ab922684692cc07cb1e9e29ad62741dd9c1305a34241cac66709d472efe297</li> </ul> <h2>3.2.3 Released</h2> <p>Published <time datetime="2020-12-22T00:00:00+00:00">2020-12-22</time>: <a href="http://blog.rubygems.org/2020/12/22/3.2.3-released">http://blog.rubygems.org/2020/12/22/3.2.3-released</a></p> <p>RubyGems 3.2.3 fixes a long-standing bug in the gem client.</p> <p><code class="language-plaintext highlighter-rouge">gem install</code> no longer tries to forcefully install the latest version of the target gem when the current ruby or rubygems version does not meet its <code class="language-plaintext highlighter-rouge">required_ruby_version</code> or <code class="language-plaintext highlighter-rouge">required_rubygems_version</code> requirement, respectively. 
Instead, it tries to install the newest version whose requirements the current ruby and rubygems satisfy.</p> <p>As a result, running <code class="language-plaintext highlighter-rouge">gem install rails</code> on ruby 2.4 now installs rails 5.2.4.4, the latest rails release that supports ruby 2.4, instead of raising an error.</p> <p>You may have needed to update your workflows running old rubies with something like the following to work around this issue:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem install bundler -v '~&gt; 1.17' </code></pre></div></div> <p>Indeed, when we dropped support for old rubies in bundler and released bundler 2, <code class="language-plaintext highlighter-rouge">gem install bundler</code> suddenly started failing for people still running those rubies.</p> <p>If you update rubygems in those workflows using</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>you can go back to the plain <code class="language-plaintext highlighter-rouge">gem install bundler</code> and rubygems will do the right thing.</p> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Fix misspellings in default API key name. Pull request #4177 by hsbt</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Respect <code class="language-plaintext highlighter-rouge">required_ruby_version</code> and <code class="language-plaintext highlighter-rouge">required_rubygems_version</code> constraints when looking for <code class="language-plaintext highlighter-rouge">gem install</code> candidates. 
Pull request #4110 by deivid-rodriguez</li> </ul> <p>=== 3.2.2 / 2020-12-17</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix issue where CLI commands making more than one request to rubygems.org needing an OTP code would crash or ask for the code twice. Pull request #4162 by sonalkr132</li> <li>Fix building rake extensions that require openssl. Pull request #4165 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --system</code> displaying too many changelog entries. Pull request #4145 by deivid-rodriguez</li> </ul> <p>=== 3.2.1 / 2020-12-14</p> <p><em>Enhancements:</em></p> <ul> <li>Added help message for gem i webrick in gem server command. Pull request #4117 by hsbt</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Added the missing loading of fileutils same as load_specs. Pull request #4124 by hsbt</li> <li>Fix Resolver::APISet to always include prereleases when necessary. Pull request #4113 by deivid-rodriguez</li> </ul> <p>=== 3.2.0 / 2020-12-07</p> <p><em>Enhancements:</em></p> <ul> <li>Do not override Kernel#warn when there is no need. Pull request #4075 by eregon</li> <li>Update endpoint of gem signin command. Pull request #3840 by sonalkr132</li> <li>Omit deprecated commands from command help output. Pull request #4023 by landongrindheim</li> <li>Suggest alternatives in <code class="language-plaintext highlighter-rouge">gem query</code> deprecation. Pull request #4021 by landongrindheim</li> <li>Lazily load <code class="language-plaintext highlighter-rouge">time</code>, <code class="language-plaintext highlighter-rouge">cgi</code>, and <code class="language-plaintext highlighter-rouge">zlib</code>. Pull request #4010 by deivid-rodriguez</li> <li>Don’t hit the network when installing dependencyless local gemspec. Pull request #3968 by deivid-rodriguez</li> <li>Add <code class="language-plaintext highlighter-rouge">--force</code> option to <code class="language-plaintext highlighter-rouge">gem sources</code> command. 
Pull request #3956 by andy-smith-msm</li> <li>Lazily load <code class="language-plaintext highlighter-rouge">openssl</code>. Pull request #3850 by deivid-rodriguez</li> <li>Pass more information when comparing platforms. Pull request #3817 by eregon</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Use better owner &amp; group for files in rubygems package. Pull request #4065 by deivid-rodriguez</li> <li>Improve gem build -C flag. Pull request #3983 by bronzdoc</li> <li>Handle unexpected behavior with URI#merge and subpaths missing trailing slashes. Pull request #3123 by drcapulet</li> <li>Add missing <code class="language-plaintext highlighter-rouge">fileutils</code> require in rubygems installer. Pull request #4036 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--platform</code> option to <code class="language-plaintext highlighter-rouge">gem specification</code> being ignored. Pull request #4043 by deivid-rodriguez</li> <li>Expose <code class="language-plaintext highlighter-rouge">--no-minimal-deps</code> flag to install the latest version of dependencies. Pull request #4030 by deivid-rodriguez</li> <li>Fix “stack level too deep” error when overriding <code class="language-plaintext highlighter-rouge">Warning.warn</code>. Pull request #3987 by eregon</li> <li>Append ‘.gemspec’ extension only when it is not present. Pull request #3988 by voxik</li> <li>Install to correct plugins dir when using <code class="language-plaintext highlighter-rouge">--build-root</code>. Pull request #3972 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--build-root</code> flag under Windows. Pull request #3975 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">typo_squatting?</code> false positive for <code class="language-plaintext highlighter-rouge">rubygems.org</code> itself. 
Pull request #3951 by andy-smith-msm</li> <li>Make <code class="language-plaintext highlighter-rouge">--default</code> and <code class="language-plaintext highlighter-rouge">--install-dir</code> options to <code class="language-plaintext highlighter-rouge">gem install</code> play nice together. Pull request #3906 by deivid-rodriguez</li> </ul> <p><em>Deprecations:</em></p> <ul> <li>Deprecate server command. Pull request #3868 by bronzdoc</li> </ul> <p><em>Performance:</em></p> <ul> <li>Don’t change ruby process CWD when building extensions. Pull request #3498 by deivid-rodriguez</li> </ul> <p>=== 3.2.0.rc.2 / 2020-10-08</p> <p><em>Enhancements:</em></p> <ul> <li>Make <code class="language-plaintext highlighter-rouge">--dry-run</code> flag consistent across rubygems commands. Pull request #3867 by bronzdoc</li> <li>Disallow downgrades to too old versions. Pull request #3566 by deivid-rodriguez</li> <li>Added <code class="language-plaintext highlighter-rouge">--platform</code> option to <code class="language-plaintext highlighter-rouge">build</code> command. Pull request #3079 by nobu</li> <li>Have <code class="language-plaintext highlighter-rouge">gem update --system</code> pass through the <code class="language-plaintext highlighter-rouge">--silent</code> flag. Pull request #3789 by duckinator</li> <li>Add writable check for cache dir. Pull request #3876 by xndcn</li> <li>Warn on duplicate dependency in a specification. Pull request #3864 by bronzdoc</li> <li>Fix indentation in <code class="language-plaintext highlighter-rouge">gem env</code>. Pull request #3861 by colby-swandale</li> <li>Let more exceptions flow. Pull request #3819 by deivid-rodriguez</li> <li>Ignore internal frames in RubyGems’ Kernel#warn. Pull request #3810 by eregon</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Add missing fileutils require. Pull request #3911 by deivid-rodriguez</li> <li>Fix false positive warning on Windows when PATH has <code class="language-plaintext highlighter-rouge">File::ALT_SEPARATOR</code>. 
Pull request #3829 by deivid-rodriguez</li> <li>Fix Kernel#warn override to handle backtrace location with nil path. Pull request #3852 by jeremyevans</li> <li>Don’t format executables on <code class="language-plaintext highlighter-rouge">gem update --system</code>. Pull request #3811 by deivid-rodriguez</li> <li><code class="language-plaintext highlighter-rouge">gem install --user</code> fails with <code class="language-plaintext highlighter-rouge">Gem::FilePermissionError</code> on the system plugins directory. Pull request #3804 by nobu</li> </ul> <p>Performance:</p> <ul> <li>Avoid duplicated generation of APISpecification objects. Pull request #3940 by mame</li> <li>Eval defaults with frozen_string_literal: true. Pull request #3847 by casperisfine</li> <li>Deduplicate the requirement operators in memory. Pull request #3846 by casperisfine</li> <li>Optimize Gem.already_loaded?. Pull request #3793 by casperisfine</li> </ul> <p>=== 3.2.0.rc.1 / 2020-07-04</p> <p><em>Enhancements:</em></p> <ul> <li>Test TruffleRuby in CI. Pull request #2797 by Benoit Daloze.</li> <li>Rework plugins system and speed up rubygems. Pull request #3108 by David Rodríguez.</li> <li>Specify explicit separator not to be affected by $;. Pull request #3424 by Nobuyoshi Nakada.</li> <li>Enable <code class="language-plaintext highlighter-rouge">Layout/ExtraSpacing</code> cop. Pull request #3449 by David Rodríguez.</li> <li>Rollback gem deprecate. Pull request #3530 by Luis Sagastume.</li> <li>Normalize heredoc delimiters. Pull request #3533 by David Rodríguez.</li> <li>Log messages to stdout in <code class="language-plaintext highlighter-rouge">rake package</code>. Pull request #3632 by David Rodríguez.</li> <li>Remove explicit <code class="language-plaintext highlighter-rouge">psych</code> activation. Pull request #3636 by David Rodríguez.</li> <li>Delay <code class="language-plaintext highlighter-rouge">fileutils</code> loading to fix some warnings. 
Pull request #3637 by David Rodríguez.</li> <li>Make sure rubygems/package can be directly required reliably. Pull request #3670 by Luis Sagastume.</li> <li>Make sure <code class="language-plaintext highlighter-rouge">tmp</code> folder exists before calling <code class="language-plaintext highlighter-rouge">Dir.tmpdir</code>. Pull request #3711 by David Rodríguez.</li> <li>Add Gem.disable_system_update_message to disable <code class="language-plaintext highlighter-rouge">gem update --system</code> if needed. Pull request #3720 by Josef Šimánek.</li> <li>Tweaks to play nice with ruby-core setup. Pull request #3733 by David Rodríguez.</li> <li>Remove explicit require for auto-loaded constant. Pull request #3751 by Karol Bucek.</li> <li>Test files should not be included in spec.files. Pull request #3758 by Marc-André Lafortune.</li> <li>Remove TODO comment about warning on setting instead of pushing. Pull request #2823 by Luis Sagastume.</li> <li>Add deprecate command method. Pull request #2935 by Luis Sagastume.</li> <li>Simplify deprecate command method. Pull request #2974 by Luis Sagastume.</li> <li>Fix Gem::LOADED_SPECS_MUTEX handling for recursive locking. Pull request #2985 by MSP-Greg.</li> <li>Add <code class="language-plaintext highlighter-rouge">funding_uri</code> metadata field to gemspec. Pull request #3060 by Colby Swandale.</li> <li>Updates to some old gem-signing docs. Pull request #3063 by Tieg Zaharia.</li> <li>Update the gem method for Gem::Installer. Pull request #3137 by Daniel Berger.</li> <li>Simplify initial gem help output. Pull request #3148 by Olivier Lacan.</li> <li>Resolve latest version via <code class="language-plaintext highlighter-rouge">gem contents</code>. Pull request #3149 by Dan Rice.</li> <li>Install suggestions. Pull request #3151 by Sophia Castellarin.</li> <li>Only rescue the errors we actually want to rescue. Pull request #3156 by David Rodríguez.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Accept not only /usr/bin/env but also /bin/env in some tests. 
Pull request #3422 by Yusuke Endoh.</li> <li>Skip a test that attempts to remove the current directory on Solaris. Pull request #3423 by Yusuke Endoh.</li> <li>Fix race condition on bundler’s parallel installer. Pull request #3440 by David Rodríguez.</li> <li>Fix platform comparison check in #contains_requirable_file?. Pull request #3495 by Benoit Daloze.</li> <li>Improve missing spec error. Pull request #3559 by Luis Sagastume.</li> <li>Fix hidden bundler template installation from rubygems updater. Pull request #3674 by David Rodríguez.</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --user-install</code>. Pull request #2901 by Luis Sagastume.</li> <li>Correct conflict list when uninstallation is prevented. Pull request #2973 by David Rodríguez.</li> <li>Fix error when trying to find bundler with a deleted “working directo…. Pull request #3090 by Luis Sagastume.</li> <li>Fix -I require priority. Pull request #3124 by David Rodríguez.</li> <li>Fix <code class="language-plaintext highlighter-rouge">ruby setup.rb</code> for new plugins layout. Pull request #3144 by David Rodríguez.</li> </ul> <p><em>Deprecations:</em></p> <ul> <li>Set deprecation warning on query command. Pull request #2967 by Luis Sagastume.</li> </ul> <p><em>Breaking changes:</em></p> <ul> <li>Remove ruby 1.8 leftovers. Pull request #3442 by David Rodríguez.</li> <li>Minitest cleanup. Pull request #3445 by David Rodríguez.</li> <li>Remove <code class="language-plaintext highlighter-rouge">builder</code> gem requirement for <code class="language-plaintext highlighter-rouge">gem regenerate_index</code>. Pull request #3552 by David Rodríguez.</li> <li>Remove modelines for consistency. Pull request #3714 by David Rodríguez.</li> <li>Stop using deprecated OpenSSL::Digest constants. Pull request #3763 by Bart de Water.</li> <li>Remove Gem module deprecated methods. Pull request #3101 by Luis Sagastume.</li> <li>Remove ubygems.rb. Pull request #3102 by Luis Sagastume.</li> <li>Remove Gem::Commands::QueryCommand. 
Pull request #3104 by Luis Sagastume.</li> <li>Remove dependency installer deprecated methods. Pull request #3106 by Luis Sagastume.</li> <li>Remove Gem::UserInteraction#debug method. Pull request #3107 by Luis Sagastume.</li> <li>Remove options from Gem::GemRunner.new. Pull request #3110 by Luis Sagastume.</li> <li>Remove deprecated Gem::RemoteFetcher#fetch_size. Pull request #3111 by Luis Sagastume.</li> <li>Remove source_exception from Gem::Exception. Pull request #3112 by Luis Sagastume.</li> <li>Requiring rubygems/source_specific_file is deprecated, remove it. Pull request #3114 by Luis Sagastume.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.3.tgz<br /> a15dd7cd471a5fee2b6a36cf855ac2952a64d46629cd628b1a52c57bcebf52df</li> <li>rubygems-3.2.3.zip<br /> 2dee92f7f36a53079175ea77c2b43fa0dac2694ed9fff20dd275feca2956fdf3</li> <li>rubygems-update-3.2.3.gem<br /> c6061457220fc4d90d8ce3e11f1185a217c16ee13370d5958c2b13b18bb632e8</li> </ul> <h2>3.2.2 Released</h2> <p>Published <time datetime="2020-12-17T00:00:00+00:00">2020-12-17</time>: <a href="http://blog.rubygems.org/2020/12/17/3.2.2-released">http://blog.rubygems.org/2020/12/17/3.2.2-released</a></p> <p>RubyGems 3.2.2 includes bug fixes and enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix issue where CLI commands making more than one request to rubygems.org needing an OTP code would crash or ask for the code twice. Pull request #4162 by sonalkr132</li> <li>Fix building rake extensions that require openssl. 
Pull request #4165 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --system</code> displaying too many changelog entries. Pull request #4145 by deivid-rodriguez</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.2.tgz<br /> 6eb1c74fba68dbdb91065a08b10fe1f12b643a47c7ba7f4687c168c9df5e11e8</li> <li>rubygems-3.2.2.zip<br /> 4d79993d8935bc77dac72a6ca8f76f048992fbd46f850d12994d21681db8775e</li> <li>rubygems-update-3.2.2.gem<br /> 995ddeb6341f306fa692cd20f5112197b8ba29ca55e3a0ac16712459404edb8e</li> </ul> <h2>3.2.1 Released</h2> <p>Published <time datetime="2020-12-14T00:00:00+00:00">2020-12-14</time>: <a href="http://blog.rubygems.org/2020/12/14/3.2.1-released">http://blog.rubygems.org/2020/12/14/3.2.1-released</a></p> <p>RubyGems 3.2.1 includes enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Enhancements:</em></p> <ul> <li>Added help message for gem i webrick in gem server command. Pull request #4117 by hsbt</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Added the missing loading of fileutils same as load_specs. Pull request #4124 by hsbt</li> <li>Fix Resolver::APISet to always include prereleases when necessary. 
Pull request #4113 by deivid-rodriguez</li> </ul> <p>=== 3.2.0 / 2020-12-7</p> <p><em>Enhancements:</em></p> <ul> <li>Do not override Kernel#warn when there is no need. Pull request #4075 by eregon</li> <li>Update endpoint of gem signin command. Pull request #3840 by sonalkr132</li> <li>Omit deprecated commands from command help output. Pull request #4023 by landongrindheim</li> <li>Suggest alternatives in <code class="language-plaintext highlighter-rouge">gem query</code> deprecation. Pull request #4021 by landongrindheim</li> <li>Lazily load <code class="language-plaintext highlighter-rouge">time</code>, <code class="language-plaintext highlighter-rouge">cgi</code>, and <code class="language-plaintext highlighter-rouge">zlib</code>. Pull request #4010 by deivid-rodriguez</li> <li>Don’t hit the network when installing dependencyless local gemspec. Pull request #3968 by deivid-rodriguez</li> <li>Add <code class="language-plaintext highlighter-rouge">--force</code> option to <code class="language-plaintext highlighter-rouge">gem sources</code> command. Pull request #3956 by andy-smith-msm</li> <li>Lazily load <code class="language-plaintext highlighter-rouge">openssl</code>. Pull request #3850 by deivid-rodriguez</li> <li>Pass more information when comparing platforms. Pull request #3817 by eregon</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Use better owner &amp; group for files in rubygems package. Pull request #4065 by deivid-rodriguez</li> <li>Improve gem build -C flag. Pull request #3983 by bronzdoc</li> <li>Handle unexpected behavior with URI#merge and subpaths missing trailing slashes. Pull request #3123 by drcapulet</li> <li>Add missing <code class="language-plaintext highlighter-rouge">fileutils</code> require in rubygems installer. Pull request #4036 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--platform</code> option to <code class="language-plaintext highlighter-rouge">gem specification</code> being ignored. 
Pull request #4043 by deivid-rodriguez</li> <li>Expose <code class="language-plaintext highlighter-rouge">--no-minimal-deps</code> flag to install the latest version of dependencies. Pull request #4030 by deivid-rodriguez</li> <li>Fix “stack level too deep” error when overriding <code class="language-plaintext highlighter-rouge">Warning.warn</code>. Pull request #3987 by eregon</li> <li>Append ‘.gemspec’ extension only when it is not present. Pull request #3988 by voxik</li> <li>Install to correct plugins dir when using <code class="language-plaintext highlighter-rouge">--build-root</code>. Pull request #3972 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--build-root</code> flag under Windows. Pull request #3975 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">typo_squatting?</code> false positive for <code class="language-plaintext highlighter-rouge">rubygems.org</code> itself. Pull request #3951 by andy-smith-msm</li> <li>Make <code class="language-plaintext highlighter-rouge">--default</code> and <code class="language-plaintext highlighter-rouge">--install-dir</code> options to <code class="language-plaintext highlighter-rouge">gem install</code> play nice together. Pull request #3906 by deivid-rodriguez</li> </ul> <p>Deprecations:</p> <ul> <li>Deprecate server command. Pull request #3868 by bronzdoc</li> </ul> <p>Performance:</p> <ul> <li>Don’t change ruby process CWD when building extensions. Pull request #3498 by deivid-rodriguez</li> </ul> <p>=== 3.2.0.rc.2 / 2020-10-8</p> <p><em>Enhancements:</em></p> <ul> <li>Make <code class="language-plaintext highlighter-rouge">--dry-run</code> flag consistent across rubygems commands. Pull request #3867 by bronzdoc</li> <li>Disallow downgrades to too old versions. Pull request #3566 by deivid-rodriguez</li> <li>Added <code class="language-plaintext highlighter-rouge">--platform</code> option to <code class="language-plaintext highlighter-rouge">build</code> command. 
Pull request #3079 by nobu</li> <li>Have <code class="language-plaintext highlighter-rouge">gem update --system</code> pass through the <code class="language-plaintext highlighter-rouge">--silent</code> flag. Pull request #3789 by duckinator</li> <li>Add writable check for cache dir. Pull request #3876 by xndcn</li> <li>Warn on duplicate dependency in a specification. Pull request #3864 by bronzdoc</li> <li>Fix indentation in <code class="language-plaintext highlighter-rouge">gem env</code>. Pull request #3861 by colby-swandale</li> <li>Let more exceptions flow. Pull request #3819 by deivid-rodriguez</li> <li>Ignore internal frames in RubyGems’ Kernel#warn. Pull request #3810 by eregon</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Add missing fileutils require. Pull request #3911 by deivid-rodriguez</li> <li>Fix false positive warning on Windows when PATH has <code class="language-plaintext highlighter-rouge">File::ALT_SEPARATOR</code>. Pull request #3829 by deivid-rodriguez</li> <li>Fix Kernel#warn override to handle backtrace location with nil path. Pull request #3852 by jeremyevans</li> <li>Don’t format executables on <code class="language-plaintext highlighter-rouge">gem update --system</code>. Pull request #3811 by deivid-rodriguez</li> <li><code class="language-plaintext highlighter-rouge">gem install --user</code> fails with <code class="language-plaintext highlighter-rouge">Gem::FilePermissionError</code> on the system plugins directory. Pull request #3804 by nobu</li> </ul> <p>Performance:</p> <ul> <li>Avoid duplicated generation of APISpecification objects. Pull request #3940 by mame</li> <li>Eval defaults with frozen_string_literal: true. Pull request #3847 by casperisfine</li> <li>Deduplicate the requirement operators in memory. Pull request #3846 by casperisfine</li> <li>Optimize Gem.already_loaded?. Pull request #3793 by casperisfine</li> </ul> <p>=== 3.2.0.rc.1 / 2020-07-04</p> <p><em>Enhancements:</em></p> <ul> <li>Test TruffleRuby in CI. 
Pull request #2797 by Benoit Daloze.</li> <li>Rework plugins system and speed up rubygems. Pull request #3108 by David Rodríguez.</li> <li>Specify explicit separator not to be affected by $;. Pull request #3424 by Nobuyoshi Nakada.</li> <li>Enable <code class="language-plaintext highlighter-rouge">Layout/ExtraSpacing</code> cop. Pull request #3449 by David Rodríguez.</li> <li>Rollback gem deprecate. Pull request #3530 by Luis Sagastume.</li> <li>Normalize heredoc delimiters. Pull request #3533 by David Rodríguez.</li> <li>Log messages to stdout in <code class="language-plaintext highlighter-rouge">rake package</code>. Pull request #3632 by David Rodríguez.</li> <li>Remove explicit <code class="language-plaintext highlighter-rouge">psych</code> activation. Pull request #3636 by David Rodríguez.</li> <li>Delay <code class="language-plaintext highlighter-rouge">fileutils</code> loading to fix some warnings. Pull request #3637 by David Rodríguez.</li> <li>Make sure rubygems/package can be directly required reliably. Pull request #3670 by Luis Sagastume.</li> <li>Make sure <code class="language-plaintext highlighter-rouge">tmp</code> folder exists before calling <code class="language-plaintext highlighter-rouge">Dir.tmpdir</code>. Pull request #3711 by David Rodríguez.</li> <li>Add Gem.disable_system_update_message to disable <code class="language-plaintext highlighter-rouge">gem update --system</code> if needed. Pull request #3720 by Josef Šimánek.</li> <li>Tweaks to play nice with ruby-core setup. Pull request #3733 by David Rodríguez.</li> <li>Remove explicit require for auto-loaded constant. Pull request #3751 by Karol Bucek.</li> <li>Test files should not be included in spec.files. Pull request #3758 by Marc-André Lafortune.</li> <li>Remove TODO comment about warning on setting instead of pushing. Pull request #2823 by Luis Sagastume.</li> <li>Add deprecate command method. Pull request #2935 by Luis Sagastume.</li> <li>Simplify deprecate command method. 
Pull request #2974 by Luis Sagastume.</li> <li>Fix Gem::LOADED_SPECS_MUTEX handling for recursive locking. Pull request #2985 by MSP-Greg.</li> <li>Add <code class="language-plaintext highlighter-rouge">funding_uri</code> metadata field to gemspec. Pull request #3060 by Colby Swandale.</li> <li>Updates to some old gem-signing docs. Pull request #3063 by Tieg Zaharia.</li> <li>Update the gem method for Gem::Installer. Pull request #3137 by Daniel Berger.</li> <li>Simplify initial gem help output. Pull request #3148 by Olivier Lacan.</li> <li>Resolve latest version via <code class="language-plaintext highlighter-rouge">gem contents</code>. Pull request #3149 by Dan Rice.</li> <li>Install suggestions. Pull request #3151 by Sophia Castellarin.</li> <li>Only rescue the errors we actually want to rescue. Pull request #3156 by David Rodríguez.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Accept not only /usr/bin/env but also /bin/env in some tests. Pull request #3422 by Yusuke Endoh.</li> <li>Skip a test that attempts to remove the current directory on Solaris. Pull request #3423 by Yusuke Endoh.</li> <li>Fix race condition on bundler’s parallel installer. Pull request #3440 by David Rodríguez.</li> <li>Fix platform comparison check in #contains_requirable_file?. Pull request #3495 by Benoit Daloze.</li> <li>Improve missing spec error. Pull request #3559 by Luis Sagastume.</li> <li>Fix hidden bundler template installation from rubygems updater. Pull request #3674 by David Rodríguez.</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --user-install</code>. Pull request #2901 by Luis Sagastume.</li> <li>Correct conflict list when uninstallation is prevented. Pull request #2973 by David Rodríguez.</li> <li>Fix error when trying to find bundler with a deleted “working directo…. Pull request #3090 by Luis Sagastume.</li> <li>Fix -I require priority. Pull request #3124 by David Rodríguez.</li> <li>Fix <code class="language-plaintext highlighter-rouge">ruby setup.rb</code> for new plugins layout. 
Pull request #3144 by David Rodríguez.</li> </ul> <p>Deprecations:</p> <ul> <li>Set deprecation warning on query command. Pull request #2967 by Luis Sagastume.</li> </ul> <p>Breaking changes:</p> <ul> <li>Remove ruby 1.8 leftovers. Pull request #3442 by David Rodríguez.</li> <li>Minitest cleanup. Pull request #3445 by David Rodríguez.</li> <li>Remove <code class="language-plaintext highlighter-rouge">builder</code> gem requirement for <code class="language-plaintext highlighter-rouge">gem regenerate_index</code>. Pull request #3552 by David Rodríguez.</li> <li>Remove modelines for consistency. Pull request #3714 by David Rodríguez.</li> <li>Stop using deprecated OpenSSL::Digest constants. Pull request #3763 by Bart de Water.</li> <li>Remove Gem module deprecated methods. Pull request #3101 by Luis Sagastume.</li> <li>Remove ubygems.rb. Pull request #3102 by Luis Sagastume.</li> <li>Remove Gem::Commands::QueryCommand. Pull request #3104 by Luis Sagastume.</li> <li>Remove dependency installer deprecated methods. Pull request #3106 by Luis Sagastume.</li> <li>Remove Gem::UserInteraction#debug method. Pull request #3107 by Luis Sagastume.</li> <li>Remove options from Gem::GemRunner.new. Pull request #3110 by Luis Sagastume.</li> <li>Remove deprecated Gem::RemoteFetcher#fetch_size. Pull request #3111 by Luis Sagastume.</li> <li>Remove source_exception from Gem::Exception. Pull request #3112 by Luis Sagastume.</li> <li>Requiring rubygems/source_specific_file is deprecated, remove it. 
Pull request #3114 by Luis Sagastume.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.1.tgz<br /> 46c0f10f6c0457028b2531b4f0981bf68f25f840ef1be062ded3fe1d24089108</li> <li>rubygems-3.2.1.zip<br /> 45d19e38e8eadc10958eda63829d1bb3ea7bb37afd55f7994c0065db5c5066c1</li> <li>rubygems-update-3.2.1.gem<br /> a41eb5d38bf00efa673dcfc504edb91cf662b451a0a88f57fdbaabb1d86f1300</li> </ul> 3.2.0 Released 2020-12-10T00:00:00+00:00 http://blog.rubygems.org/2020/12/10/3.2.0-released <p>RubyGems 3.2.0 includes major and minor enhancements, bug fixes, deprecations and performance improvements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>Enhancements:</p> <ul> <li>Do not override Kernel#warn when there is no need. Pull request #4075 by eregon</li> <li>Update endpoint of gem signin command. Pull request #3840 by sonalkr132</li> <li>Omit deprecated commands from command help output. Pull request #4023 by landongrindheim</li> <li>Suggest alternatives in <code class="language-plaintext highlighter-rouge">gem query</code> deprecation. Pull request #4021 by landongrindheim</li> <li>Lazily load <code class="language-plaintext highlighter-rouge">time</code>, <code class="language-plaintext highlighter-rouge">cgi</code>, and <code class="language-plaintext highlighter-rouge">zlib</code>. Pull request #4010 by deivid-rodriguez</li> <li>Don’t hit the network when installing dependencyless local gemspec. 
Pull request #3968 by deivid-rodriguez</li> <li>Add <code class="language-plaintext highlighter-rouge">--force</code> option to <code class="language-plaintext highlighter-rouge">gem sources</code> command. Pull request #3956 by andy-smith-msm</li> <li>Lazily load <code class="language-plaintext highlighter-rouge">openssl</code>. Pull request #3850 by deivid-rodriguez</li> <li>Pass more information when comparing platforms. Pull request #3817 by eregon</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Use better owner &amp; group for files in rubygems package. Pull request #4065 by deivid-rodriguez</li> <li>Improve gem build -C flag. Pull request #3983 by bronzdoc</li> <li>Handle unexpected behavior with URI#merge and subpaths missing trailing slashes. Pull request #3123 by drcapulet</li> <li>Add missing <code class="language-plaintext highlighter-rouge">fileutils</code> require in rubygems installer. Pull request #4036 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--platform</code> option to <code class="language-plaintext highlighter-rouge">gem specification</code> being ignored. Pull request #4043 by deivid-rodriguez</li> <li>Expose <code class="language-plaintext highlighter-rouge">--no-minimal-deps</code> flag to install the latest version of dependencies. Pull request #4030 by deivid-rodriguez</li> <li>Fix “stack level too deep” error when overriding <code class="language-plaintext highlighter-rouge">Warning.warn</code>. Pull request #3987 by eregon</li> <li>Append ‘.gemspec’ extension only when it is not present. Pull request #3988 by voxik</li> <li>Install to correct plugins dir when using <code class="language-plaintext highlighter-rouge">--build-root</code>. Pull request #3972 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--build-root</code> flag under Windows. 
Pull request #3975 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">typo_squatting?</code> false positive for <code class="language-plaintext highlighter-rouge">rubygems.org</code> itself. Pull request #3951 by andy-smith-msm</li> <li>Make <code class="language-plaintext highlighter-rouge">--default</code> and <code class="language-plaintext highlighter-rouge">--install-dir</code> options to <code class="language-plaintext highlighter-rouge">gem install</code> play nice together. Pull request #3906 by deivid-rodriguez</li> </ul> <p><em>Deprecations:</em></p> <ul> <li>Deprecate server command. Pull request #3868 by bronzdoc</li> </ul> <p><em>Performance:</em></p> <ul> <li>Don’t change ruby process CWD when building extensions. Pull request #3498 by deivid-rodriguez</li> </ul> <p>=== 3.2.0.rc.2 / 2020-10-8</p> <p><em>Minor enhancements:</em></p> <ul> <li>Make <code class="language-plaintext highlighter-rouge">--dry-run</code> flag consistent across rubygems commands. Pull request #3867 by bronzdoc</li> <li>Disallow downgrades to too old versions. Pull request #3566 by deivid-rodriguez</li> <li>Added <code class="language-plaintext highlighter-rouge">--platform</code> option to <code class="language-plaintext highlighter-rouge">build</code> command. Pull request #3079 by nobu</li> <li>Have <code class="language-plaintext highlighter-rouge">gem update --system</code> pass through the <code class="language-plaintext highlighter-rouge">--silent</code> flag. Pull request #3789 by duckinator</li> <li>Add writable check for cache dir. Pull request #3876 by xndcn</li> <li>Warn on duplicate dependency in a specification. Pull request #3864 by bronzdoc</li> <li>Fix indentation in <code class="language-plaintext highlighter-rouge">gem env</code>. Pull request #3861 by colby-swandale</li> <li>Let more exceptions flow. Pull request #3819 by deivid-rodriguez</li> <li>Ignore internal frames in RubyGems’ Kernel#warn. Pull request #3810 by eregon</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Add missing fileutils require. 
Pull request #3911 by deivid-rodriguez</li> <li>Fix false positive warning on Windows when PATH has <code class="language-plaintext highlighter-rouge">File::ALT_SEPARATOR</code>. Pull request #3829 by deivid-rodriguez</li> <li>Fix Kernel#warn override to handle backtrace location with nil path. Pull request #3852 by jeremyevans</li> <li>Don’t format executables on <code class="language-plaintext highlighter-rouge">gem update --system</code>. Pull request #3811 by deivid-rodriguez</li> <li><code class="language-plaintext highlighter-rouge">gem install --user</code> fails with <code class="language-plaintext highlighter-rouge">Gem::FilePermissionError</code> on the system plugins directory. Pull request #3804 by nobu</li> </ul> <p><em>Performance:</em></p> <ul> <li>Avoid duplicated generation of APISpecification objects. Pull request #3940 by mame</li> <li>Eval defaults with frozen_string_literal: true. Pull request #3847 by casperisfine</li> <li>Deduplicate the requirement operators in memory. Pull request #3846 by casperisfine</li> <li>Optimize Gem.already_loaded?. Pull request #3793 by casperisfine</li> </ul> <p>=== 3.2.0.rc.1 / 2020-07-04</p> <p><em>Major enhancements:</em></p> <ul> <li>Test TruffleRuby in CI. Pull request #2797 by Benoit Daloze.</li> <li>Rework plugins system and speed up rubygems. Pull request #3108 by David Rodríguez.</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>Specify explicit separator not to be affected by $;. Pull request #3424 by Nobuyoshi Nakada.</li> <li>Enable <code class="language-plaintext highlighter-rouge">Layout/ExtraSpacing</code> cop. Pull request #3449 by David Rodríguez.</li> <li>Rollback gem deprecate. Pull request #3530 by Luis Sagastume.</li> <li>Normalize heredoc delimiters. Pull request #3533 by David Rodríguez.</li> <li>Log messages to stdout in <code class="language-plaintext highlighter-rouge">rake package</code>. 
Pull request #3632 by David Rodríguez.</li> <li>Remove explicit <code class="language-plaintext highlighter-rouge">psych</code> activation. Pull request #3636 by David Rodríguez.</li> <li>Delay <code class="language-plaintext highlighter-rouge">fileutils</code> loading to fix some warnings. Pull request #3637 by David Rodríguez.</li> <li>Make sure rubygems/package can be directly required reliably. Pull request #3670 by Luis Sagastume.</li> <li>Make sure <code class="language-plaintext highlighter-rouge">tmp</code> folder exists before calling <code class="language-plaintext highlighter-rouge">Dir.tmpdir</code>. Pull request #3711 by David Rodríguez.</li> <li>Add Gem.disable_system_update_message to disable <code class="language-plaintext highlighter-rouge">gem update --system</code> if needed. Pull request #3720 by Josef Šimánek.</li> <li>Tweaks to play nice with ruby-core setup. Pull request #3733 by David Rodríguez.</li> <li>Remove explicit require for auto-loaded constant. Pull request #3751 by Karol Bucek.</li> <li>Test files should not be included in spec.files. Pull request #3758 by Marc-André Lafortune.</li> <li>Remove TODO comment about warning on setting instead of pushing. Pull request #2823 by Luis Sagastume.</li> <li>Add deprecate command method. Pull request #2935 by Luis Sagastume.</li> <li>Simplify deprecate command method. Pull request #2974 by Luis Sagastume.</li> <li>Fix Gem::LOADED_SPECS_MUTEX handling for recursive locking. Pull request #2985 by MSP-Greg.</li> <li>Add <code class="language-plaintext highlighter-rouge">funding_uri</code> metadata field to gemspec. Pull request #3060 by Colby Swandale.</li> <li>Updates to some old gem-signing docs. Pull request #3063 by Tieg Zaharia.</li> <li>Update the gem method for Gem::Installer. Pull request #3137 by Daniel Berger.</li> <li>Simplify initial gem help output. Pull request #3148 by Olivier Lacan.</li> <li>Resolve latest version via <code class="language-plaintext highlighter-rouge">gem contents</code>. 
Pull request #3149 by Dan Rice.</li> <li>Install suggestions. Pull request #3151 by Sophia Castellarin.</li> <li>Only rescue the errors we actually want to rescue. Pull request #3156 by David Rodríguez.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Accept not only /usr/bin/env but also /bin/env in some tests. Pull request #3422 by Yusuke Endoh.</li> <li>Skip a test that attempts to remove the current directory on Solaris. Pull request #3423 by Yusuke Endoh.</li> <li>Fix race condition on bundler’s parallel installer. Pull request #3440 by David Rodríguez.</li> <li>Fix platform comparison check in #contains_requirable_file?. Pull request #3495 by Benoit Daloze.</li> <li>Improve missing spec error. Pull request #3559 by Luis Sagastume.</li> <li>Fix hidden bundler template installation from rubygems updater. Pull request #3674 by David Rodríguez.</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --user-install</code>. Pull request #2901 by Luis Sagastume.</li> <li>Correct conflict list when uninstallation is prevented. Pull request #2973 by David Rodríguez.</li> <li>Fix error when trying to find bundler with a deleted “working directo…. Pull request #3090 by Luis Sagastume.</li> <li>Fix -I require priority. Pull request #3124 by David Rodríguez.</li> <li>Fix <code class="language-plaintext highlighter-rouge">ruby setup.rb</code> for new plugins layout. Pull request #3144 by David Rodríguez.</li> </ul> <p><em>Deprecations:</em></p> <ul> <li>Set deprecation warning on query command. Pull request #2967 by Luis Sagastume.</li> </ul> <p>Breaking changes:</p> <ul> <li>Remove ruby 1.8 leftovers. Pull request #3442 by David Rodríguez.</li> <li>Minitest cleanup. Pull request #3445 by David Rodríguez.</li> <li>Remove <code class="language-plaintext highlighter-rouge">builder</code> gem requirement for <code class="language-plaintext highlighter-rouge">gem regenerate_index</code>. Pull request #3552 by David Rodríguez.</li> <li>Remove modelines for consistency. 
Pull request #3714 by David Rodríguez.</li> <li>Stop using deprecated OpenSSL::Digest constants. Pull request #3763 by Bart de Water.</li> <li>Remove Gem module deprecated methods. Pull request #3101 by Luis Sagastume.</li> <li>Remove ubygems.rb. Pull request #3102 by Luis Sagastume.</li> <li>Remove Gem::Commands::QueryCommand. Pull request #3104 by Luis Sagastume.</li> <li>Remove dependency installer deprecated methods. Pull request #3106 by Luis Sagastume.</li> <li>Remove Gem::UserInteraction#debug method. Pull request #3107 by Luis Sagastume.</li> <li>Remove options from Gem::GemRunner.new. Pull request #3110 by Luis Sagastume.</li> <li>Remove deprecated Gem::RemoteFetcher#fetch_size. Pull request #3111 by Luis Sagastume.</li> <li>Remove source_exception from Gem::Exception. Pull request #3112 by Luis Sagastume.</li> <li>Requiring rubygems/source_specific_file is deprecated, remove it. Pull request #3114 by Luis Sagastume.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.0.tgz<br /> c3df079addbdae63f201d64aa000f5ebe84c981584322d0f28049d664418b317</li> <li>rubygems-3.2.0.zip<br /> 57b4a745c3e9c0c4d18d5fcb30a11d7c5403369850d290b8f7561edcefda6b93</li> <li>rubygems-update-3.2.0.gem<br /> 478977e54a114b7b02f178d5080b841bbaba364aa27957a890ae39f4e3577e4c</li> </ul> November 2020 RubyGems Updates 2020-12-09T00:00:00+00:00 http://blog.rubygems.org/2020/12/09/november-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
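The SHA256 checksums published with each release above only protect a download if the archive is actually compared against them before it is installed. The following Ruby script is an added example, not code from RubyGems or this blog. It parses a checksum list (both the release-note layout used above and `sha256sum` output, which goes beyond what the notes show), streams the file through SHA-256, and treats a mismatch or a filename the note never listed as a failure. The `RELEASE_NOTE_3_2_2` text is copied from the 3.2.2 note above; the file it checks is a constructed stand-in, not a real download.

```ruby
# Added example (not RubyGems' or the blog's code): check a downloaded RubyGems
# release archive against the SHA256 checksums published in a release note
# before handing it to `gem update --system` or `gem install --local`.
require "digest"
require "tmpdir"

HEX64 = /\A[0-9a-f]{64}\z/.freeze

# Accepts either the release-note layout ("rubygems-update-3.2.2.gem<br /> 995d...")
# or sha256sum(1) output ("995d...  rubygems-update-3.2.2.gem") and returns
# { filename => lowercase hex digest }. A line is only used if it holds exactly
# one 64-hex-digit token and one other token; everything else is ignored.
def parse_checksums(text)
  plain = text.gsub(%r{</li>}i, "\n").gsub(/<[^>]+>/, " ")
  plain.each_line.each_with_object({}) do |line, table|
    tokens = line.split
    next unless tokens.size == 2
    digest = tokens.find { |t| t.downcase.match?(HEX64) }
    next unless digest
    name = (tokens - [digest]).first
    table[name] = digest.downcase if name
  end
end

# Streams the file through SHA-256 so a multi-megabyte .gem or .tgz is never
# read into memory at once.
def sha256_file(path)
  digest = Digest::SHA256.new
  File.open(path, "rb") do |io|
    while (chunk = io.read(65_536))
      digest << chunk
    end
  end
  digest.hexdigest
end

# :ok, :mismatch or :unlisted. A filename missing from the published table is a
# failure, not "nothing to compare against"; the caller must not install it.
def verify_release(path, published)
  name = File.basename(path)
  expected = published[name]
  return { file: name, status: :unlisted, expected: nil, actual: nil } unless expected
  actual = sha256_file(path)
  { file: name, status: actual == expected ? :ok : :mismatch, expected: expected, actual: actual }
end

# Copied from the 3.2.2 release note above.
RELEASE_NOTE_3_2_2 = <<~HTML
  <li>rubygems-3.2.2.tgz<br /> 6eb1c74fba68dbdb91065a08b10fe1f12b643a47c7ba7f4687c168c9df5e11e8</li>
  <li>rubygems-3.2.2.zip<br /> 4d79993d8935bc77dac72a6ca8f76f048992fbd46f850d12994d21681db8775e</li>
  <li>rubygems-update-3.2.2.gem<br /> 995ddeb6341f306fa692cd20f5112197b8ba29ca55e3a0ac16712459404edb8e</li>
HTML

# Runs the three outcomes against constructed files (no real download involved)
# and returns [published_table, mismatch_result, ok_result, unlisted_result].
def demo
  published = parse_checksums(RELEASE_NOTE_3_2_2)
  Dir.mktmpdir do |dir|
    # Constructed stand-in named like the real update gem; its digest cannot
    # match the published one, so this is the "swapped or corrupted file" case.
    swapped = File.join(dir, "rubygems-update-3.2.2.gem")
    File.binwrite(swapped, "constructed bytes, not the published archive")
    mismatch = verify_release(swapped, published)

    # Success path: a table whose entry is this file's own digest (constructed).
    ok = verify_release(swapped, { File.basename(swapped) => sha256_file(swapped) })

    # A filename the note never listed is rejected before any bytes are read.
    unlisted = verify_release(File.join(dir, "rubygems-update-9.9.9.gem"), published)
    [published, mismatch, ok, unlisted]
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.drop(1).each { |r| puts "#{r[:file]}: #{r[:status]}" }
end
```

A checksum fetched from the same site as the download detects a corrupted or swapped archive; it does not by itself establish who published it, so it complements rather than replaces transport security and signatures.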
Read on to find out what updates were made to RubyGems and RubyGems.org in November.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In November, we worked on the <a href="https://github.com/rubygems/rfcs/pull/29">Bundler Version Locking RFC</a>, which allows a user to specify a required Bundler version in the Gemfile/gemspec, together with a working <a href="https://github.com/rubygems/rfcs/pull/29#issuecomment-731333194">proof of concept</a>. We also improved platform support by enabling the <code class="language-plaintext highlighter-rouge">specific_platform</code> functionality by default, and decided to delay the change that resolves all Gemfile platforms automatically. In addition to that, we made the following improvements and fixes:</p> <ul> <li>fixed a missing require issue. <a href="https://github.com/rubygems/rubygems/pull/4036">#4036</a></li> <li>fixed a couple of minor “Windows paths” issues. <a href="https://github.com/rubygems/rubygems/pull/4038">#4038</a>, <a href="https://github.com/rubygems/rubygems/pull/4039">#4039</a></li> <li>fixed <a href="https://github.com/rubygems/rubygems/pull/4043">gem specification <code class="language-plaintext highlighter-rouge">--platform</code></a>.</li> <li>added an <code class="language-plaintext highlighter-rouge">--all-platforms</code> flag that optionally allows generating Windows binstubs from non-Windows platforms. <a href="https://github.com/rubygems/rubygems/pull/3886">#3886</a></li> <li>merged a PR to fix a bundle remove bug where it was removing comments. <a href="https://github.com/rubygems/rubygems/pull/4045">#4045</a></li> <li>merged a PR to support the new signin endpoints. <a href="https://github.com/rubygems/rubygems/pull/3840">#3840</a></li> <li>merged a PR to improve the <code class="language-plaintext highlighter-rouge">-C</code> flag to gem build. 
<a href="https://github.com/rubygems/rubygems/pull/3983">#3983</a></li> <li>added a fix to slightly improve some “<strong>gem not found</strong>” error messages. <a href="https://github.com/rubygems/rubygems/pull/4019">#4019</a></li> <li>fixed an intermittent spec failure. <a href="https://github.com/rubygems/rubygems/pull/4060">#4060</a></li> <li>fixed an issue with changelog generation. <a href="https://github.com/rubygems/rubygems/pull/4059">#4059</a></li> <li>fixed an issue with nested bundler invocations. <a href="https://github.com/rubygems/rubygems/pull/4062">#4062</a></li> <li>fixed a discrepancy between executing with or without bundle exec. <a href="https://github.com/rubygems/rubygems/pull/4063">#4063</a></li> <li>added more descriptive errors about default network errors. <a href="https://github.com/rubygems/rubygems/pull/4061">#4061</a></li> <li>fixed a CI issue that appeared under Windows. <a href="https://github.com/rubygems/rubygems/pull/4068">#4068</a></li> <li>merged a tweak to the bundle gem default skeleton. <a href="https://github.com/rubygems/rubygems/pull/4066">#4066</a></li> <li>extended the <code class="language-plaintext highlighter-rouge">gem</code> DSL with a <code class="language-plaintext highlighter-rouge">force_ruby_platform</code> option. <a href="https://github.com/rubygems/rubygems/pull/4049">#4049</a></li> </ul> <p>In November, <a href="https://github.com/rubygems/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-11-01%7D...master@%7B2020-11-30%7D">58 new commits</a>, contributed by 10 authors. There were 816 additions and 426 deletions across 79 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, we coordinated with Fastly support to enable Globalsign certs and AAAA records in our TLS config. 
We updated <a href="https://github.com/rubygems/rubygems/pull/3840">RubyGems CLI gem signin</a> according to changes requested in a review and also made the following fixes and improvements:</p> <ul> <li>added a new way to match RubyGems versions using the <code class="language-plaintext highlighter-rouge">build-arg</code> in docker image. <a href="https://github.com/rubygems/rubygems.org/pull/2548">#2548</a></li> <li>fixed failing tests after a <code class="language-plaintext highlighter-rouge">shoulda-matchers</code> update and reported an issue with <code class="language-plaintext highlighter-rouge">belong_to</code> tests on invalid objects on the <code class="language-plaintext highlighter-rouge">shoulda-matchers</code> repo. <a href="https://github.com/thoughtbot/shoulda-matchers/issues/1375">#1375</a></li> <li>investigated <code class="language-plaintext highlighter-rouge">DelegationError</code> for ownership records with nil <code class="language-plaintext highlighter-rouge">user_id</code>.</li> <li>updated our DMARC policy to ensure that spoofed emails with <a href="https://rubygems.org">rubygems.org</a> in the sender address get marked as spam.</li> <li>worked on a PR to resolve a HackerOne report, disallowing duplicate canonical version numbers. <a href="https://github.com/rubygems/rubygems.org/pull/2559">#2559</a></li> <li>read the privacy policies of other package manager websites and researched the requirements for CCPA and GDPR.</li> <li>added <code class="language-plaintext highlighter-rouge">Pagerduty</code> integration for Cloudwatch ALB alerts.</li> </ul> <p>As always, we continue to fix bugs, review and merge PRs and reply to support tickets.</p> <p>In November, <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-11-01%7D...master@%7B2020-11-30%7D">23 new commits</a>, contributed by 3 authors. 
There were 89 additions and 15 deletions across 12 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> 3.1.5 Released 2020-12-09T00:00:00+00:00 http://blog.rubygems.org/2020/12/09/3.1.5-released <p>RubyGems 3.1.5 includes minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Add GlobalSign Root CA - R3 cert and remove outdated certs. 
Pull request #4100 by Aditya Prakash.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.1.5.tgz<br /> 6d5605fdbbfdf2284794f8b2680eec948a4c6515c0d1a3e4360c82b8b0b9ee8c</li> <li>rubygems-3.1.5.zip<br /> 1174f5ddb9467717b8603c5339a8074570f8e45c5bfba513120e478dd2ad7def</li> <li>rubygems-update-3.1.5.gem<br /> 4c98f4ad8ca2f256cfffefde1739a7b13c6ccb94c40bb321559c0507b9acd2dc</li> </ul> 3.0.9 Released 2020-12-09T00:00:00+00:00 http://blog.rubygems.org/2020/12/09/3.0.9-released <p>RubyGems 3.0.9 includes minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Add GlobalSign Root CA - R3 cert and remove outdated certs. 
Pull request #4100 by Aditya Prakash.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.9.tgz<br /> 625fc3fb8b0fa4a606354a1f6706e5141dff5d504915c9317a664ce2de1ab8f5</li> <li>rubygems-3.0.9.zip<br /> 2a6fa6ffea02a2e15e45589a3b05569cd173c0408b0268d76dbd117ae33c6f4d</li> <li>rubygems-update-3.0.9.gem<br /> 3f1a9d099a424488375c51766f95be185ca25e68555ae5513179adbbb82de624</li> </ul> 2.7.11 Released 2020-12-09T00:00:00+00:00 http://blog.rubygems.org/2020/12/09/2.7.11-released <p>RubyGems 2.7.11 includes minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Add GlobalSign Root CA - R3 cert and remove outdated certs. Pull request #4100 by Aditya Prakash.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.11.tgz<br /> 732224cc49e82bd4beacbfe6b86384a8a0ed4432f65e7a08a5b2d766059e882f</li> <li>rubygems-2.7.11.zip<br /> 0eab117e6e57cb10c1d0777e37fea1fa357b5918bdff0e9eb581c16d5d1746f5</li> <li>rubygems-update-2.7.11.gem<br /> 9383ede21fb93e9ecda251861ab1d7d4d98f26054b4c13364f0f9e26b2a4f290</li> </ul> October 2020 RubyGems Updates 2020-11-16T00:00:00+00:00 http://blog.rubygems.org/2020/11/16/october-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems, Gemstash and RubyGems.org in October.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In October we released a new Bundler version, <strong><code class="language-plaintext highlighter-rouge">2.2.0.rc.2</code></strong>, and a new RubyGems version, <strong><code class="language-plaintext highlighter-rouge">3.2.0.rc.2</code></strong>.</p> <p>We also made the following changes and improvements:</p> <ul> <li>upgraded the Molinillo vendored by Bundler &amp; RubyGems to <strong><code class="language-plaintext highlighter-rouge">0.7.0</code></strong> (its latest release). - <a href="https://github.com/rubygems/rubygems/pull/3402">#3402</a>, <a href="https://github.com/rubygems/rubygems/pull/3388">#3388</a></li> <li>fixed an <a href="https://github.com/rubygems/rubygems/pull/4022">issue with the <code class="language-plaintext highlighter-rouge">specific_platform</code> setting.</a></li> <li>merged a PR that stops changing the CWD for building extensions, which should allow concurrent extension compilation without any contention. - <a href="https://github.com/rubygems/rubygems/pull/3498">#3498</a></li> <li>worked on PRs to improve independence between test and lib code (simplifies and helps packagers), and added some changes to improve specs.</li> <li>added improvements to require more default gems lazily.</li> <li>fixed an issue with help commands when Bundler has been installed by the <code class="language-plaintext highlighter-rouge">ruby-core</code> installer and <code class="language-plaintext highlighter-rouge">man</code> is not available. - <a href="https://github.com/rubygems/rubygems/pull/3997">#3997</a></li> <li>wrapped up a PR to allow installing plugins from local paths. - <a href="https://github.com/rubygems/rubygems/pull/4020">#4020</a></li> <li>fixed daily Bundler CI by marking the new <code class="language-plaintext highlighter-rouge">pathname</code> default gem as unsupported. 
- <a href="https://github.com/rubygems/rubygems/pull/4029">#4029</a></li> <li>fixed a <code class="language-plaintext highlighter-rouge">Kernel.warn</code> stack overflow. - <a href="https://github.com/rubygems/rubygems/pull/3987">#3987</a></li> <li>improved the deprecation path for gem query. - <a href="https://github.com/rubygems/rubygems/pull/4021">#4021</a></li> <li>fixed issues with Bundler not loading RubyGems plugins in <code class="language-plaintext highlighter-rouge">$LOAD_PATH</code> locations, which was affecting some version managers. - <a href="https://github.com/rubygems/rubygems/pull/3534">#3534</a></li> </ul> <p>As always, we continue responding to RubyGems &amp; Bundler issues and PRs, doing issue triage on both old and new issues, and reducing the number of open tickets.</p> <p>In October, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-10-01%7D...master@%7B2020-10-31%7D">143 new commits</a>, contributed by 11 authors. There were 2889 additions and 1705 deletions across 889 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month we implemented a <a href="https://github.com/rubygems/rubygems.org/pull/2527">bulk update to RubyGem downloads count</a> to reduce the average processing time for <code class="language-plaintext highlighter-rouge">FastlyLogProcessor</code> by about 20 seconds. We studied an old HackerOne report and proposed a solution for it that will get implemented into RubyGems.org.</p> <p>We also made the following changes and improvements:</p> <ul> <li>imported Fastly rubygems.org production configuration to Terraform.</li> <li>updated Fastly <code class="language-plaintext highlighter-rouge">vcl</code> to unset X-Forwarded-Host from requests to fix a HackerOne report.</li> <li>added a regex whitelist for URLs in the Honeycomb logs export to ensure we don’t inadvertently send any sensitive information.</li> <li>fixed total count shown on search pagination. 
- <a href="https://github.com/rubygems/rubygems.org/pull/2526">#2526</a></li> <li>rebased and updated a PR to separate the edit profile and account settings, making options like MFA registration easier to find. - <a href="https://github.com/rubygems/rubygems.org/pull/2537">#2537</a></li> <li>updated <a href="staging.rubygems.org">staging.rubygems.org</a> to support <strong>TLS 1.3</strong> as recommended by the most recent TLS documentation of Fastly.</li> <li>created a support ticket on Fastly to request a limit increase on TLS certificates and enable the limited offering of GlobalSign certificates.</li> <li>updated <strong>DMARC</strong> record of rubygems.org to use Slack group and Postmarkapp.</li> <li>replied to support tickets and google group threads.</li> </ul> <p>Finally, thanks to <a href="https://github.com/mensfeld">@mensfeld</a>, we <a href="https://github.com/rubygems/rubygems.org/pull/2499">deployed an option to review changes</a>: users can now compare differences between releases.</p> <p>In total, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-10-01%7D...master@%7B2020-10-31%7D">46 new commits</a>, contributed by 8 authors. There were 694 additions and 442 deletions across 63 files.</p> <h2 id="gemstash-news">Gemstash News</h2> <p>This month we made a couple of improvements to the Gemstash project documentation. We added <a href="https://github.com/rubygems/guides/pull/269">documentation about Gemstash</a> and <a href="https://github.com/rubygems/guides/pull/269">documentation recommending Gemstash instead of <code class="language-plaintext highlighter-rouge">gem server</code></a>; since we’re going to deprecate gem server, it’s not recommended to keep it in the documentation.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> September 2020 RubyGems Updates 2020-10-15T00:00:00+00:00 http://blog.rubygems.org/2020/10/15/september-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems, Ruby Toolbox and RubyGems.org in September.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month, we did a lot of work triaging issues and so far we’re “<strong>winning the pulse</strong>” with over <strong>80 issues</strong> closed vs only <strong>14 opened</strong>, and <strong>44 PRs</strong> merged vs <strong>8 opened</strong>. We’ve also fixed a couple of new and outstanding issues some of which include:</p> <ul> <li><a href="https://github.com/rubygems/rubygems/pull/3965">fixing resolver</a>, which until recently was generating duplicate spec groups, making debug output much more verbose than it should.</li> <li>improving install for a local <code class="language-plaintext highlighter-rouge">gemspec</code> to prevent dependencies <a href="https://github.com/rubygems/rubygems/pull/3968">unnecessarily hitting the network</a>.</li> <li>fixing bundler showing <a href="https://github.com/rubygems/rubygems/pull/3969">some unnecessary warnings</a> from git when using submodules.</li> <li>fixing the <code class="language-plaintext highlighter-rouge">--build-root</code> option to gem install which was <a href="https://github.com/rubygems/rubygems/pull/3975">broken on Windows</a> and broken when gems <a href="https://github.com/rubygems/rubygems/pull/3972">with rubygems plugins</a> were present on the system.</li> <li>fixing <code class="language-plaintext highlighter-rouge">ruby setup.rb</code> <a 
href="https://github.com/rubygems/rubygems/pull/3980">unnecessarily rewriting the bundler gemspec</a>.</li> <li>fixing situations where <a href="https://github.com/rubygems/rubygems/pull/3854">bundler would crash</a> if running on a path including brackets.</li> <li>responding to HackerOne reports for RubyGems.</li> <li>adding a note about <a href="https://github.com/rubygems/rubygems.org/pull/2530">credentials in the rubygems.org repo being fake</a>, in response to a HackerOne report.</li> <li>merging a PR <a href="https://github.com/rubygems/guides/pull/266">adding docs about Gemstash.</a></li> <li><a href="https://github.com/rubygems/guides/pull/269">Updating docs</a> to recommend Gemstash instead of gem server.</li> <li>catching up with changes in <code class="language-plaintext highlighter-rouge">ruby-core</code> regarding versioning default gems. (<a href="https://github.com/rubygems/rubygems/pull/3937">#3937</a> and <a href="https://github.com/rubygems/rubygems/pull/3938">#3938</a>)</li> <li>fixing an issue with <a href="https://github.com/rubygems/rubygems/pull/3933">configuration priority.</a></li> <li>deprecating <a href="https://github.com/rubygems/rubygems/pull/3932">bundle cache --all.</a></li> <li>creating a unified release &amp; changelog management workflow.</li> <li>working on breaking <a href="https://github.com/rubygems/rubygems/issues/3317">#3317</a> into multiple more actionable issues. 
(<a href="https://github.com/rubygems/rubygems/issues/3317#issuecomment-692449034">#3317</a> and <a href="https://github.com/rubygems/rubygems/issues/3957">#3957</a>)</li> <li>fixing some issues with CI to adapt to <code class="language-plaintext highlighter-rouge">ruby-core</code> changes.</li> <li><a href="https://github.com/rubygems/rubygems/pull/3390">Shipping the <code class="language-plaintext highlighter-rouge">bundle fund</code> command</a> that lists out all the URLs for <code class="language-plaintext highlighter-rouge">gems</code> whose maintainers are actively looking for funding.</li> </ul> <p>We also worked on enabling <code class="language-plaintext highlighter-rouge">disable_multisource</code> and on understanding the new behaviours it enables, on several other <code class="language-plaintext highlighter-rouge">test/dev</code> issues, and on reviewing PRs from external contributors.</p> <p>In September, Rubygems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-09-01%7D...master@%7B2020-09-30%7D">150 new commits</a>, contributed by 12 authors. There were 1263 additions and 4300 deletions across 176 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In September we released the <a href="https://github.com/rubygems/rubygems.org/pull/2357">work</a> done during Google Summer of Code (GSoC) 2020 related to adding support of <a href="https://guides.rubygems.org/managing-owners-using-ui/">managing owners using UI</a> and confirmation of ownership addition. 
Many thanks to rubygems.org GSoC student <a href="https://github.com/vachhanihpavan">@vachhanihpavan</a> for doing an excellent job.</p> <p>We also made the following updates and improvements:</p> <ul> <li>profiled the <code class="language-plaintext highlighter-rouge">#perform</code> method of the Fastly log processor job and <a href="https://github.com/rubygems/rubygems.org/pull/2510">updated it to fetch versions from the DB in bulk.</a></li> <li>updated the client side PR to identify the scope as per the command, and to update the scope in case of a forbidden response. (<a href="https://github.com/rubygems/rubygems.org/pull/1962">#1962</a> and <a href="https://github.com/rubygems/rubygems/pull/3840">#3840</a>)</li> <li><a href="https://github.com/rubygems/rubygems/pull/2662">updated IPv4 fallback PR</a> to add configuration, and flag and tests for the configuration, and began work on adding tests for the fallback.</li> <li><a href="https://github.com/rubygems/rubygems.org/pull/2506">verified ownership and deploy namespace release of <code class="language-plaintext highlighter-rouge">ruby stdlib</code></a>.</li> <li>updated API scopes client PR <a href="https://github.com/rubygems/rubygems/pull/3840">to fix OTP fallback and with tests</a>.</li> <li>set up the Zendesk Slack integration and explored using their web widget as a stand-alone web form.</li> <li>removed the gauges javascript file from the <a href="https://rg.org">rg.org</a> site and made a PR to migrate help links to Zendesk. 
(<a href="https://github.com/rubygems/rubygems/pull/3840">#3840</a> and <a href="https://github.com/rubygems/rubygems.org/pull/2518">#2518</a>)</li> <li>deprecated <a href="https://help.rubygems.org/">help.rubygems.org</a> in favor of <a href="mailto:support@rubygems.org">support@rubygems.org</a> to resolve the issue of genuine help tickets being marked as spam.</li> <li>responded to support tickets and google group threads.</li> </ul> <p>This month, Rubygems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-09-01%7D...master@%7B2020-09-30%7D">31 new commits</a>, contributed by 5 authors. There were 2467 additions and 292 deletions across 85 files.</p> <h2 id="ruby-toolbox">Ruby Toolbox</h2> <p>On <a href="https://www.ruby-toolbox.com/">Ruby Toolbox</a> we’ve added a display of the <a href="https://github.com/rubytoolbox/rubytoolbox/pull/731">repository README for each library</a>, which will hopefully be useful for quickly evaluating projects more in depth, on top of the usual metrics, directly on the site. Other upgrades include:</p> <ul> <li>Bringing lines-of-code stats to the site so you can have an indication of the size and complexity of the library at a glance.</li> <li>An official command line client that gives you quick access to data served by the recently launched API, including a report on the health status of your dependencies.</li> <li>Providing an alternate database dump that excludes historical gem download stats: they make up the majority of the dump size and make imports very slow, which had become cumbersome for anyone who just wants some real data to work with.</li> </ul> <p>Thanks <a href="https://github.com/colszowka">@colszowka</a> for your work on this project!</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> 3.2.0.rc.2 Released 2020-10-08T00:00:00+00:00 http://blog.rubygems.org/2020/10/08/3.2.0.rc.2-released <p>RubyGems 3.2.0.rc.2 includes major enhancements, minor enhancements, bug fixes, performance improvements and deprecations.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Don’t hit the network when installing dependencyless local gemspec. Pull request #3968 by deivid-rodriguez</li> <li>Add <code class="language-plaintext highlighter-rouge">--force</code> option to <code class="language-plaintext highlighter-rouge">gem sources</code> command. Pull request #3956 by andy-smith-msm</li> <li>Make <code class="language-plaintext highlighter-rouge">--dry-run</code> flag consistent across rubygems commands. Pull request #3867 by bronzdoc</li> <li>Disallow downgrades to too old versions. Pull request #3566 by deivid-rodriguez</li> <li>Added <code class="language-plaintext highlighter-rouge">--platform</code> option to <code class="language-plaintext highlighter-rouge">build</code> command. Pull request #3079 by nobu</li> <li>Have <code class="language-plaintext highlighter-rouge">gem update --system</code> pass through the <code class="language-plaintext highlighter-rouge">--silent</code> flag. Pull request #3789 by duckinator</li> <li>Add writable check for cache dir. Pull request #3876 by xndcn</li> <li>Warn on duplicate dependency in a specification. 
Pull request #3864 by bronzdoc</li> <li>Fix indentation in <code class="language-plaintext highlighter-rouge">gem env</code>. Pull request #3861 by colby-swandale</li> <li>Let more exceptions flow. Pull request #3819 by deivid-rodriguez</li> <li>Ignore internal frames in RubyGems’ Kernel#warn. Pull request #3810 by eregon</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Append ‘.gemspec’ extension only when it is not present. Pull request #3988 by voxik</li> <li>Install to correct plugins dir when using <code class="language-plaintext highlighter-rouge">--build-root</code>. Pull request #3972 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">--build-root</code> flag under Windows. Pull request #3975 by deivid-rodriguez</li> <li>Fix <code class="language-plaintext highlighter-rouge">typo_squatting?</code> false positive for <code class="language-plaintext highlighter-rouge">rubygems.org</code> itself. Pull request #3951 by andy-smith-msm</li> <li>Make <code class="language-plaintext highlighter-rouge">--default</code> and <code class="language-plaintext highlighter-rouge">--install-dir</code> options to <code class="language-plaintext highlighter-rouge">gem install</code> play nice together. Pull request #3906 by deivid-rodriguez</li> <li>Add missing fileutils require. Pull request #3911 by deivid-rodriguez</li> <li>Fix false positive warning on Windows when PATH has <code class="language-plaintext highlighter-rouge">File::ALT_SEPARATOR</code>. Pull request #3829 by deivid-rodriguez</li> <li>Fix Kernel#warn override to handle backtrace location with nil path. Pull request #3852 by jeremyevans</li> <li>Don’t format executables on <code class="language-plaintext highlighter-rouge">gem update --system</code>. 
Pull request #3811 by deivid-rodriguez</li> <li><code class="language-plaintext highlighter-rouge">gem install --user</code> fails with <code class="language-plaintext highlighter-rouge">Gem::FilePermissionError</code> on the system plugins directory. Pull request #3804 by nobu</li> </ul> <p><em>Performance:</em></p> <ul> <li>Don’t change ruby process CWD when building extensions. Pull request #3498 by deivid-rodriguez</li> <li>Avoid duplicated generation of APISpecification objects. Pull request #3940 by mame</li> <li>Eval defaults with frozen_string_literal: true. Pull request #3847 by casperisfine</li> <li>Deduplicate the requirement operators in memory. Pull request #3846 by casperisfine</li> <li>Optimize Gem.already_loaded?. Pull request #3793 by casperisfine</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.2.0.rc.2.tgz<br /> e50db5bc2041f07f67ace2cd9801e0f69678918c417ea4f0801710b5edf14a28</li> <li>rubygems-3.2.0.rc.2.zip<br /> 0306c59ac8e0e1ca12005526a28226006a0a82102e568c1e24cc5f46a4ce327a</li> <li>rubygems-update-3.2.0.rc.2.gem<br /> c9eb05077ffe719e9bd5747a7ad4e3b919582c45cf23db7eb2c6a77bcf014b9d</li> </ul> August 2020 RubyGems Updates 2020-09-14T00:00:00+00:00 http://blog.rubygems.org/2020/09/14/august-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in August.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month, we made improvements to the <a href="https://github.com/rubygems/rubygems/pull/3923">man page generation process</a> to ease contribution to the Bundler documentation. We also reviewed and merged some PRs from various contributors. We’re thankful for our supportive community. 
&lt;3</p> <p>We coordinated with the Ruby core team about versioning default gems (<a href="https://github.com/rubygems/rubygems/pull/3937">#3937</a> and <a href="https://github.com/rubygems/rubygems/pull/3938">#3938</a>), as well as <a href="https://github.com/rubygems/rubygems/pull/3933">fixing an issue with configuration priority</a>.</p> <p>We also deprecated <a href="https://github.com/rubygems/rubygems/pull/3932"><code class="language-plaintext highlighter-rouge">bundle cache --all</code></a> in favor of explicitly configuring <code class="language-plaintext highlighter-rouge">bundle config set --local cache_all true</code>.</p> <p>As always, we continue to fix bugs, review and merge PRs and follow up with issue triaging.</p> <p>In total, <a href="https://github.com/rubygems">Rubygems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-08-01%7D...master@%7B2020-08-31%7D">71 new commits</a>, contributed by 15 authors. There were 639 additions and 262 deletions across 173 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In August, we added a webhook configuration to Slack, set up Terraform modules sending Slack notifications from AWS Lambda, and completed the following tests, improvements and fixes:</p> <ul> <li>tested and deployed a PR for <a href="https://github.com/rubygems/rubygems.org/pull/2341">blocking -/_ variations of the gem names</a> – which are most commonly abused by malicious actors – and fixing an SQL query missing an index.</li> <li>debugged failing rspec builds and <a href="https://github.com/rubygems/rubygems.org/pull/2474">updated backfill required_rubygems_version task to required_ruby_version</a></li> <li><a href="https://github.com/rubygems/rubygems.org/pull/2486">added basic auth to staging.rubygems.org</a>, <a href="https://github.com/rubygems/rubygems.org/pull/2489">loaded production dump</a> and did a test run of rake task to backfill required_ruby_versions.</li> <li>ran rake task to 
backfill required_ruby_versions on production, regenerate versions.list file, verify info_checksum mismatch and purge info keys on memcache and fastly. This will ensure bundle install has more successful runs on more than 30k versions, instead of throwing <code class="language-plaintext highlighter-rouge">Gem::RuntimeRequirementNotMetError</code> when required ruby version was not satisfied.</li> <li>added a Terraform module for CloudWatch alerts on ALB, EC, ES, RDS and SQS, and set alert thresholds as per observed trends (rubygems-terraform#3).</li> <li>reduced docker image size of rubygems.org by 100 MB by <a href="https://github.com/rubygems/rubygems.org/pull/2478">removing sass-rails from the production image</a> </li> <li>resolved tickets on help.rubygems.org</li> </ul> <p>This month, <a href="https://github.com/rubygems.org">Rubygems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-08-01%7D...master@%7B2020-08-31%7D">74 new commits</a>, contributed by 6 authors. There were 225 additions and 118 deletions across 23 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> July 2020 RubyGems Updates 2020-08-13T00:00:00+00:00 http://blog.rubygems.org/2020/08/13/july-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in July.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In July, we improved <a href="https://github.com/rubygems/rubygems/pull/3784">Bundler’s Issue Template</a> for our maintainers and contributors. 
Along with that, we worked on <a href="https://github.com/rubygems/rubygems/pull/3793">performance optimizations</a> and we simplified our CI workflow to make all <a href="https://github.com/rubygems/rubygems/pull/3769">Bundler testing combinations easier to maintain.</a></p> <p>We made improvements and cleaned up PRs related to JRuby (<a href="https://github.com/rubygems/rubygems/pull/3770">#3770</a>, <a href="https://github.com/rubygems/rubygems/pull/3771">#3771</a>, <a href="https://github.com/rubygems/rubygems/pull/3774">#3774</a>) and merged a follow up <a href="https://github.com/rubygems/rubygems/pull/3765">PR to have a clean rubocop on new gems.</a></p> <p><a href="https://github.com/rubygems/rubygems/pull/3789">We implemented <code class="language-plaintext highlighter-rouge">gem update --system --silent</code></a> and configured RubyGems branch protection. We’ve also fixed <code class="language-plaintext highlighter-rouge">rake release</code> aborting in the following instances:</p> <ul> <li><a href="https://github.com/rubygems/rubygems/pull/3783">when the credentials file is missing</a></li> <li>when a deprecation warning is triggered in the Github API</li> <li>when all <a href="https://github.com/rubygems/rubygems/pull/3785">local tags are pushed instead of only the release tag.</a></li> </ul> <p>In addition, we proposed a <a href="https://github.com/rubygems/rubygems/pull/3792">new workflow for managing our changelog</a> and merged more PRs integrating this workflow. 
<a href="https://github.com/rubygems/rubygems/pull/3808">#3808</a>, <a href="https://github.com/rubygems/rubygems/pull/3798">#3798</a>, <a href="https://github.com/rubygems/rubygems/pull/3807">#3807</a>.</p> <p>As always, we continue to fix bugs, review PRs, follow up with issues and continue ongoing maintenance.</p> <p>This month, <a href="https://github.com/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-07-01%7D...master@%7B2020-07-31%7D">227 new commits</a>, contributed by 15 authors. There were 146 additions and 170 deletions across 1,070 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>RubyGems.org saw a lot of activity this month with 30 merged pull requests, including a <a href="https://github.com/rubygems/rubygems.org/pull/2451">fix for <code class="language-plaintext highlighter-rouge">rack_attack</code> test failing on Travis with 429.</a></p> <p>We updated our sendgrid account subscription to allocate a dedicated IP, and set up rDNS and gmail postmaster. We filed a support ticket on <a href="fastly.com">Fastly</a> for an IPv6 connection issue, searched honeycomb’s <a href="https://rubygems.org/">RubyGems.org</a> dataset for API keys and disabled their fastly integration, and sent an email notification about it to our users.</p> <p>We’ve migrated to a sidecar nginx proxy running on the EKS cluster from the legacy SPOF nginx running on a dedicated host. 
We also updated our EKS cluster to v1.16.</p> <p>Over on <a href="help.rubygems.org">help.rubygems.org</a> we resolved tickets, fixed a TypeError on the signup page, and removed unused daemons gems from the Gemfile.</p> <p>In addition to those improvements, we completed the following:</p> <ul> <li> <p>searched 22 months of logs from s3 and <a href="https://github.com/rubygems/rubygems.org/pull/2463">created a new email</a> to <a href="https://blog.rubygems.org/2020/07/28/api-key-leak.html">remediate a possible API key leak</a>.</p> </li> <li> <p>debugged Outlook marking RubyGems.org mails as spam and filed a support ticket for shared IP update.</p> </li> <li> <p>worked on a PR for client side support of API key scopes and updated the server-side PR.</p> </li> <li> <p>cleaned up failed jobs with <code class="language-plaintext highlighter-rouge">retry/delete</code>.</p> </li> <li> <p>ran <code class="language-plaintext highlighter-rouge">rake task</code> to delete dangling dependency reports and set <code class="language-plaintext highlighter-rouge">unresolved_name</code> manually.</p> </li> <li> <p>fixed <code class="language-plaintext highlighter-rouge">NoMethodError</code> on transitive dependency page.</p> </li> <li> <p>removed unused dependencies from dockerfile <a href="https://github.com/rubygems/rubygems.org/pull/2449">#2449</a></p> </li> </ul> <p>In total, <a href="https://github.com/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-07-01%7D...master@%7B2020-07-31%7D">72 new commits</a>, contributed by 8 authors. There were 335 additions and 111 deletions across 53 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> API key logging leak 2020-07-28T00:00:00+00:00 http://blog.rubygems.org/2020/07/28/api-key-leak <h1 id="api-key-logging-leak">API key logging leak</h1> <h3 id="summary">Summary</h3> <p>407 user API keys were inadvertently sent to a third-party service via HTTP logs between Oct 2018 and Jul 2020. The data was available to the public, but based on the service’s query logs, no one ever queried for any of the API keys that were sent.</p> <p>Out of an abundance of caution, we have reset all 407 API keys. We are also <a href="https://github.com/rubygems/rubygems.org/pull/1962">updating the API key system</a> to reduce the chance this type of issue could happen again in the future.</p> <h3 id="what-happened">What happened</h3> <p>RubyGems.org started sending Fastly and Nginx access logs to Honeycomb in October 2018. Honeycomb provides public access to the RubyGems.org dataset, and <a href="https://docs.honeycomb.io/learning-about-observability/rubygems/">there is lots of useful and interesting data there</a> about the Ruby ecosystem. RubyGems.org scrubs PII (like client IP addresses) before sending the data to Honeycomb, and Honeycomb retains the data for up to 60 days.</p> <p>On Saturday, July 18 2020, the RubyGems.org team discovered that some API keys were publicly accessible via event logs sent to <a href="https://www.honeycomb.io/">Honeycomb</a>. After discovering this, we immediately stopped sending new data to Honeycomb and removed public access to the dataset.</p> <h3 id="why-that-is-bad">Why that is bad</h3> <p>RubyGems.org user API keys are, effectively, user credentials. 
If a malicious developer were able to get your API key, they could potentially use that key to yank your gems, or push new malicious versions of your gems.</p> <p>It’s important to note that versions are immutable, so once a version was legitimately published it cannot be modified, even with proper (or stolen) credentials; a stolen key could not have silently altered code already published. In addition, if you have two-factor authentication enabled for API access, then a stolen API key is not enough to gain access to the gem push, yank, owner and signin commands.</p> <h3 id="who-was-affected">Who was affected</h3> <p>Only users who subscribe to their personal dashboard RSS feed in an RSS reader could be affected.</p> <p>The leaked API keys were all sent in the query string for the customized dashboard RSS feed. Unfortunately, many RSS clients are unable to send authorization headers, so putting the token in the URL is the only way for many RSS clients to fetch a personalized dashboard.</p> <p>When we originally set up the Honeycomb integration, this feature was overlooked, and API keys in GET requests for the dashboard were not scrubbed from the logs.</p> <h3 id="what-we-did-about-it">What we did about it</h3> <p>We scanned the full Honeycomb dataset for the last 60 days, and found 155 keys that were inadvertently sent to Honeycomb. We reset all of those keys immediately. Then, with the help of the Honeycomb team, we reviewed the complete Honeycomb query history, and confirmed that no queries had ever searched for API keys at any point in the past. Finally, we unarchived our full HTTP logs, going back to October 2018, and found another 252 API keys that had been sent to Honeycomb. We have reset those API keys as well.</p> <p>In total, 407 API keys were ever sent to Honeycomb (out of 147,849 API keys total). 
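</p> <p>The defect described above is a log pipeline that scrubbed client IPs but not credentials carried in GET query strings. As an added example, not code from RubyGems.org or Honeycomb, here is a Ruby scrubber that redacts sensitive query parameters in both combined-format access log lines and JSON events before they are shipped, together with a gate that refuses any line still carrying a live value. The parameter names, the <code class="language-plaintext highlighter-rouge">/dashboard.atom</code> path and the sample lines are constructed assumptions, not taken from the incident.</p>

```ruby
require 'json'

# Query parameters whose values are credentials and must never reach a
# third-party log store. The names are assumptions for this example; the
# page does not say which parameter the dashboard feed used.
SENSITIVE_PARAMS = %w[api_key token access_token key auth].freeze

# Fields in JSON events that hold PII and are redacted outright.
PII_FIELDS = %w[remote_addr client_ip ip].freeze

# "GET /path?query HTTP/1.1" inside a combined-format access log line.
REQUEST_LINE = /"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/

# Leading client address of a combined-format line (IPv4 or IPv6).
LEADING_IP = /\A(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f:]*:[0-9a-f:]+)(?= )/i

# Replace the value of every sensitive query parameter in a request target.
# The path and non-sensitive parameters are left exactly as they were.
def scrub_target(target)
  path, query = target.split('?', 2)
  return target if query.nil? || query.empty?

  scrubbed = query.split('&', -1).map do |pair|
    name, value = pair.split('=', 2)
    if value && SENSITIVE_PARAMS.include?(name.to_s.downcase)
      "#{name}=[REDACTED]"
    else
      pair
    end
  end
  "#{path}?#{scrubbed.join('&')}"
end

# Combined-format line: drop the client IP and scrub the request target.
def scrub_combined(line)
  line.sub(LEADING_IP, '[REDACTED]').gsub(REQUEST_LINE) do
    m = Regexp.last_match
    "\"#{m[1]} #{scrub_target(m[2])} #{m[3]}\""
  end
end

# JSON event (one object per line): redact PII fields and scrub URL fields.
# Returns nil when the line is not a JSON object so the caller can fall back.
def scrub_json(line)
  event = JSON.parse(line)
  return nil unless event.is_a?(Hash)

  PII_FIELDS.each { |f| event[f] = '[REDACTED]' if event.key?(f) }
  %w[url request_uri path].each do |f|
    event[f] = scrub_target(event[f]) if event[f].is_a?(String)
  end
  JSON.generate(event)
rescue JSON::ParserError
  nil
end

# Entry point: scrub one line of either format.
def scrub_log_line(line)
  (line.lstrip.start_with?('{') && scrub_json(line)) || scrub_combined(line)
end

# Gate before shipping: false if any sensitive parameter still carries a
# value other than the redaction marker.
def safe_to_ship?(line)
  line.scan(/[?&]([A-Za-z_]+)=([^&\s"]*)/).none? do |name, value|
    SENSITIVE_PARAMS.include?(name.downcase) && !value.empty? && value != '[REDACTED]'
  end
end

# Constructed sample lines; the key values, addresses and paths are made up.
SAMPLE_LINES = [
  '203.0.113.7 - - [18/Jul/2020:10:15:32 +0000] "GET /dashboard.atom?api_key=2f3b1c9e4d5a6b7c8d9e0f1a2b3c4d5e&page=2 HTTP/1.1" 200 4821 "-" "FeedReader/1.0"',
  '203.0.113.8 - - [18/Jul/2020:10:16:01 +0000] "GET /api/v1/gems/rails.json HTTP/1.1" 200 1201 "-" "Bundler/2.1.4"',
  '{"method":"GET","url":"/dashboard.atom?api_key=deadbeef","remote_addr":"203.0.113.9","status":200}'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each do |raw|
    clean = scrub_log_line(raw)
    puts "#{safe_to_ship?(clean) ? 'ship' : 'HOLD'}: #{clean}"
  end
end
```

<p>Run the gate over the whole batch after scrubbing and hold the batch, not just the line, when anything fails: a parameter name the scrubber does not know about is exactly how a feed URL slips through, so the gate should also be reviewed whenever a new authenticated GET endpoint is added.</p> <p>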
We have reset all 407 keys, and sent an email to every user whose key was reset.</p> <h3 id="what-you-need-to-do">What you need to do</h3> <p>If you used the custom dashboard RSS feed with your API key in the URL sometime since October 2018, you should check your gems to make sure there were no unauthorized versions added between October 2018 and July 2020.</p> <p>Since August 2019, every gem push has triggered a notification email to all accounts with owner permission on that gem. If you didn’t get any suspicious notifications, you only need to verify your gems from October 2018 to August 2019.</p> <p>Anyone affected by this leak has had their API key reset already. If you want to be extremely cautious, you can reset your API key again. It’s easy for anyone to reset their own API key: go to <a href="https://rubygems.org/profile/edit">rubygems.org/profile/edit</a> and look for the button to “Reset my API key”.</p> <h3 id="future-steps">Future steps</h3> <ul> <li>As mentioned above, we reset all API keys that were ever sent to Honeycomb.</li> <li>We no longer allow API actions authenticated via query string parameter. This is a breaking change, but we feel it is necessary for a secure ecosystem.</li> <li>We will soon change the RSS feed to have its own key that does not have access to the API, reducing the risk of using the RSS feed.</li> <li>Once we are confident we are filtering API keys out of the data, we will re-enable the Honeycomb integration.</li> </ul> Removing SHA1 passwords from RubyGems.org 2020-07-16T00:00:00+00:00 http://blog.rubygems.org/2020/07/16/removing-sha1-passwords-in-rubygems-org <p>When the RubyGems.org Rails app was created in 2009, the “standard” way to store passwords was to use the SHA1 hashing algorithm. While there were limited academic attacks against SHA1 published as early as 2005, practical attacks didn’t arrive until the mid-2010s. 
Today, SHA1 is widely considered insecure, and there are much better options available.</p> <p>RubyGems.org switched to using BCrypt by default for new accounts in 2013. As part of that switch, users from before 2013 are automatically migrated from SHA1 to BCrypt the next time they log in. In the coming days, RubyGems.org will be removing the remaining SHA1 password hashes for any user who has not logged in to their account since 2013.</p> <p>After this change, users who have not logged in since 2013 will need to perform a password reset using their email address.</p> <p>Accounts created or logged in to since 2013 are not affected. For those accounts, no action is required.</p> <h2 id="faq">FAQ</h2> <h3 id="what-is-changing">What is changing?</h3> <p>RubyGems.org will remove legacy stored passwords hashed with the SHA1 algorithm. Affected accounts will need to reset their password via the email address registered to their account. No other user information will be modified or removed.</p> <h3 id="how-can-i-tell-if-my-account-will-be-effected">How can I tell if my account will be affected?</h3> <p>If you have logged in to your rubygems.org account since 2013, your password has been automatically migrated to use BCrypt and no further action is required.</p> <h2 id="why-are-we-making-this-change">Why are we making this change?</h2> <p>SHA1 is no longer an acceptable method to hash user passwords. It was formally deprecated by NIST in 2011, and publicly broken by academic researchers in 2017. For stored passwords the collision attack is not even the main problem: SHA1 is a fast general-purpose hash, so an attacker holding a stolen table can test billions of candidate passwords per second on commodity GPUs, whereas BCrypt is salted and deliberately slow.</p> <p>Storing legacy SHA1 hashes creates a security risk. If attackers were to steal the RubyGems.org users table, they would be able to crack those SHA1 hashes with little effort. Those cracked passwords could then be used to take over RubyGems.org accounts and yank widely-used gems, or publish malicious gems. 
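</p> <p>The migrate-on-login scheme described above, as an added example that is not RubyGems.org code: a legacy row is verified against its SHA1 digest, re-hashed with a slow salted KDF on the first successful login, and has its SHA1 material wiped; rows that never migrate are purged and forced through a password reset. The post uses BCrypt; this example substitutes PBKDF2-HMAC-SHA256 from Ruby’s standard library so it runs without the bcrypt gem, and the legacy digest layout, the user table and the wordlist are constructed assumptions.</p>

```ruby
require 'digest/sha1'
require 'openssl'
require 'securerandom'

# Constructed stand-in for a users table row. A legacy row carries a SHA1
# digest and salt; a migrated row carries a slow-KDF record in password_hash.
User = Struct.new(:email, :legacy_sha1, :legacy_salt, :password_hash, :last_login_at)

PBKDF2_ITERATIONS = 100_000

# The 2009-era scheme, as an assumption: a single fast SHA1 over salt and
# password. A GPU rig tries billions of these per second.
def legacy_sha1_digest(password, salt)
  Digest::SHA1.hexdigest("#{salt}--#{password}")
end

# Slow, salted hash. The post uses BCrypt; PBKDF2-HMAC-SHA256 from the
# standard library stands in for it here so the example needs no gem.
def hash_password(password, salt: SecureRandom.hex(16), iterations: PBKDF2_ITERATIONS)
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: 32, hash: 'sha256')
  "pbkdf2-sha256$#{iterations}$#{salt}$#{dk.unpack1('H*')}"
end

# Constant-time comparison so response timing does not leak matching prefixes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password_hash(stored, password)
  algo, iterations, salt, _digest = stored.split('$', 4)
  return false unless algo == 'pbkdf2-sha256' && salt
  secure_compare(hash_password(password, salt: salt, iterations: iterations.to_i), stored)
end

# Login path. A legacy row that verifies is re-hashed with the slow KDF and
# its SHA1 material wiped; a row with no credential left must use reset.
def authenticate(user, password, now: Time.now)
  ok = if user.password_hash
         verify_password_hash(user.password_hash, password)
       elsif user.legacy_sha1
         secure_compare(legacy_sha1_digest(password, user.legacy_salt), user.legacy_sha1)
       else
         false
       end
  if ok && user.password_hash.nil?
    user.password_hash = hash_password(password)
    user.legacy_sha1 = nil
    user.legacy_salt = nil
  end
  user.last_login_at = now if ok
  ok
end

# The cleanup the post announces: drop SHA1 material for rows that never
# migrated (no login since the cutoff). Returns the emails that now need a reset.
def purge_legacy_hashes(users, cutoff:)
  stale = users.select do |u|
    u.legacy_sha1 && (u.last_login_at.nil? || u.last_login_at < cutoff)
  end
  stale.each { |u| u.legacy_sha1 = nil; u.legacy_salt = nil }
  stale.map(&:email)
end

# Why keeping the legacy rows is a liability: a stolen table falls to a wordlist.
def crack_legacy(digest, salt, wordlist)
  wordlist.find { |candidate| legacy_sha1_digest(candidate, salt) == digest }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new('alice@example.com', legacy_sha1_digest('hunter2', 'a1b2'), 'a1b2', nil, nil)
  puts "cracked legacy row: #{crack_legacy(alice.legacy_sha1, 'a1b2', %w[password 123456 hunter2 letmein])}"
  puts "login ok: #{authenticate(alice, 'hunter2')}, sha1 wiped: #{alice.legacy_sha1.nil?}"
  bob = User.new('bob@example.com', legacy_sha1_digest('pw', 'c3d4'), 'c3d4', nil, Time.utc(2012, 1, 1))
  puts "forced to reset: #{purge_legacy_hashes([alice, bob], cutoff: Time.utc(2013, 1, 1)).inspect}"
end
```

<p>The purge step is what removes the residual risk: a row that still holds a SHA1 digest is crackable no matter how good the new scheme is, so the digest is deleted rather than left alongside the migration flag.</p> <p>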
To eliminate this risk, we will be deleting all SHA1 password hashes from the RubyGems.org database.</p> June 2020 RubyGems Updates 2020-07-15T00:00:00+00:00 http://blog.rubygems.org/2020/07/15/june-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in June.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>In June, RubyGems saw significant improvements on Bundler and RubyGems development. We released <a href="https://github.com/rubygems/rubygems/releases/tag/bundler-v2.2.0.rc.1">Bundler 2.2.0.rc.1</a> and <a href="https://github.com/rubygems/rubygems/releases/tag/v3.2.0.rc.1">RubyGems 3.2.0.rc.1</a>! 🎉</p> <p>We also worked on synchronizing the latest versions of both libraries with ruby-core and fixed issues that came up, and we <a href="https://github.com/rubygems/rubygems/pull/3725">enforced our ruby-core workflow</a> to prevent further tedious integrations with ruby-core by catching issues early and minimizing the back and forth of patches between upstream and downstream.</p> <p>We changed <a href="https://github.com/rubygems/rubygems/pull/3685">bundler specs to raise by default when any subcommand fails</a>. This helped reveal two bugs (which we, of course, fixed!). We’ve adapted bundler release tasks to a <a href="https://github.com/rubygems/rubygems/pull/3703">new repository layout</a> and now have the changelog draft up to date.</p> <p>We’ve also implemented a fix to <a href="https://github.com/rubygems/rubygems/pull/3668">stop soft-validating gemspecs</a> (validations that only warn) except in gem-authoring contexts. 
We also added a <a href="https://github.com/rubygems/rubygems/pull/3689">Slack notification to the maintainers channel</a> that triggers whenever the <code class="language-plaintext highlighter-rouge">ruby-head</code> build starts failing. We <a href="https://github.com/rubygems/rubygems/pull/3769">simplified our CI workflows</a> and did some final cleanup PRs related to CI failures on <code class="language-plaintext highlighter-rouge">jruby</code>.</p> <p>Outside of these major highlights, we continue to fix bugs, review PRs, improve our documentation, clean up test suites, and carry on our usual ongoing maintenance.</p> <p>In total, <a href="https://github.com/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-06-01%7D...master@%7B2020-06-30%7D">243 new commits</a>, contributed by 15 authors. There were 3003 additions and 2432 deletions across 313 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, we added a Terraform module for RDS monitors and added alerts on the <code class="language-plaintext highlighter-rouge">rubgems-production</code>, <code class="language-plaintext highlighter-rouge">rubygems-staging</code> and <code class="language-plaintext highlighter-rouge">shipit</code> instances. We followed up with fixes on RubyGems.org that have now been deployed and verified! 
We also debugged failed delayed jobs in production and created a <a href="https://github.com/rubygems/rubygems.org/pull/2389">fix for issues we found with the regex validation of user email addresses</a> (see also <a href="https://github.com/rubygems/rubygems.org/pull/2406">rubygems/rubygems.org/pull/2406</a> and <a href="https://github.com/rubygems/rubygems.org/pull/2388">rubygems/rubygems.org/pull/2388</a>).</p> <p>In addition to that, we made a PR to <a href="https://github.com/rubygems/rubygems.org/pull/2392">send an email-update confirmation when a user changes their email address</a>, added a RubyGems.org guide for rate limits, and made the following improvements:</p> <ul> <li>increased the Strict-Transport-Security max-age to ensure HTTPS-only access</li> <li>updated the <a href="https://github.com/rubygems/rubygems.org/pull/2382">rake task to remove duplicate runtime dependencies</a></li> <li> <p>updated the <code class="language-plaintext highlighter-rouge">versions.list</code> <a href="https://github.com/rubygems/rubygems.org/pull/2380">source location from bundler-api to S3</a> and added a <a href="https://github.com/rubygems/rubygems.org/pull/2403">cronjob to update the file monthly</a></p> </li> <li> <p>ran rake tasks related to <code class="language-plaintext highlighter-rouge">compact_index</code>, which enabled Bundler to make fewer requests to our server when installing some gems and fixed installation of gems with multiple Ruby or RubyGems requirements</p> </li> <li> <p>updated the correct-checksum task to use a non-caching info_checksum calculation, re-ran the task, and expired the info cache of gems changed in production</p> </li> <li> <p><a href="https://github.com/rubygems/rubygems.org/pull/1962">rebased and updated the API key scopes PR</a></p> </li> <li>updated and deployed rate limit changes to fix a merge conflict and use test helpers. 
<a href="https://github.com/rubygems/rubygems.org/pull/2330">rubygems/rubygems.org#2330</a></li> <li>reset a few leaked API keys and sent mail to the affected users</li> </ul> <p>As always, we continued to fix bugs, provide help on <a href="https://help.rubygems.org">help.rubygems.org</a>, and handle ongoing support work.</p> <p>In June, <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-06-01%7D...master@%7B2020-06-30%7D">119 new commits</a>, contributed by 10 authors. There were 1256 additions and 489 deletions across 86 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> May 2020 RubyGems Updates 2020-06-10T00:00:00+00:00 http://blog.rubygems.org/2020/06/10/may-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org/">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in May.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>This month, we refactored the spec suite to be faster and collated changes that will be shipped in the next Bundler release. We fixed an <a href="https://github.com/rubygems/rubygems/pull/3626">activation issue on old versions of Bundler</a>. We’ve fixed several regressions in RubyGems’ custom <code class="language-plaintext highlighter-rouge">require</code> and made specific tests work when running from ruby-core (thanks <a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a>). 
We revisited a bunch of old PRs and work from the old repo, and got it ready to merge into the new repo.</p> <p>In May, <a href="https://github.com/rubygems/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-05-01%7D...master@%7B2020-05-31%7D">248 new commits</a>, contributed by 19 authors. There were 2227 additions and 1857 deletions across 892 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In May, we worked on reviewing several fixes on <a href="https://www.rubygems.org">rubygems.org</a> that, once deployed, will unblock the next Bundler release. We’ve also done work on refining the upcoming release, handling some deprecation message issues, and a few problems with the integration with ruby-core. We investigated Honeybadger reports and created PRs to fix all of them. RubyGems.org saw several bug fixes and updates this month, some of which include the following:</p> <ul> <li>ran a rake task to delete extraneous dependencies locally and updated tasks to refresh version info_checksum values.</li> <li>verified the feasibility of using the updated_at column to order versions when generating the versions.list file.</li> <li>added original_script_name to the kaminari params blacklist, which prevents XSS and unintended URL redirects.</li> <li>updated rack-attack tests and config to fix the dependency update build.</li> <li>resolved tickets on <a href="https://help.rubygems.org">help.rubygems.org</a></li> <li>added a rake task to update the check of versions with multiple Ruby/RubyGems requirements. 
<a href="https://github.com/rubygems/rubygems.org/pull/2370">rubygems/rubygems.org#2370</a></li> <li>verified that the compact_index update and running the rake task don’t introduce new mismatches</li> <li>updated compact_index to remove a whitespace change and released a new version.</li> <li>debugged checksum mismatches due to incomplete SQL ordering and unresolved dependencies</li> <li>worked on a PR to fix the SQL ordering of dependencies in info and update the correct_info_checksum rake task. <a href="https://github.com/rubygems/rubygems.org/pull/2374">rubygems/rubygems.org#2374</a></li> <li>fixed failing rack-attack tests due to merge issues. rubygems/rubygems.org#2369</li> <li>restarted work on moving <a href="http://rubygems.org/">RubyGems.org</a>’s CI to GitHub Actions</li> </ul> <p>We continue to attend to tickets, update dependencies, and review patches and PRs on RubyGems.org.</p> <p>For this month, <a href="https://github.com/rubygems/rubygems.org">RubyGems.org</a> gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-05-01%7D...master@%7B2020-05-31%7D">58 new commits</a>, contributed by 8 authors. There were 646 additions and 102 deletions across 46 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.</p> 3.1.4 Released 2020-06-03T00:00:00+00:00 http://blog.rubygems.org/2020/06/03/3.1.4-released <p>RubyGems 3.1.4 includes minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Deprecate rubyforge_project attribute only during build time. Pull request #3609 by Josef Šimánek.</li> <li>Update links. Pull request #3610 by Josef Šimánek.</li> <li>Run CI at 3.1 branch head as well. Pull request #3677 by Josef Šimánek.</li> <li>Remove failing ubuntu-rvm CI flow. Pull request #3611 by Josef Šimánek.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.1.4.tgz<br /> d8030019d86d60469d3f4f48b7cfcd724b184157ac2881a5bec4394d9cd93f7d</li> <li>rubygems-3.1.4.zip<br /> a026eb196693df8aae7c457ca0767b97e15deb070ef4e93333ea825b9a8d6c13</li> <li>rubygems-update-3.1.4.gem<br /> a344d7a4cf7bd30d987469068157801a9d06af448860b65c8b81922030375122</li> </ul> April 2020 RubyGems Updates 2020-05-11T00:00:00+00:00 http://blog.rubygems.org/2020/05/11/april-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in April.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>RubyGems changes in April included a fix for a recent regression in RubyGems that interfered with common Bundler usage, an improvement to the <a href="https://github.com/rubygems/rubygems/pull/3559">missing spec error</a>, and a new RSpec runner that works better with parallelization. We also updated our CI to Ruby 2.7 and made a PR to manage Bundler development dependencies through Bundler.</p> <p>For the month, <a href="https://github.com/rubygems/rubygems">RubyGems</a> gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-04-01%7D...master@%7B2020-04-30%7D">181 new commits</a>, contributed by 15 authors. There were 1857 additions and 1015 deletions across 132 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In April, we worked on keeping <a href="http://rubygems.org/">RubyGems.org</a> dependencies up to date. Thanks to <a href="https://github.com/sonalkr132">@aditya</a>, we sent an email notification asking users to enable MFA, leading to a threefold increase in MFA-enabled accounts.</p> <p>In addition to those developments, we worked on the following:</p> <ul> <li>Merged bundler-site and RubyGems guides PRs.</li> <li>Updated our ElasticSearch index to support prefix queries; previously these were returning incomplete search results.</li> <li>Investigated an intermittent CI failure <a href="https://github.com/rubygems/bundler-site/issues/519">rubygems/bundler-site/issues/519</a>.</li> <li>PR to add validation to string columns with user input rubygems/rubygems.org#2346</li> <li>Fixed the broken animation on the stats page and ensured GitHub star counts were using the metadata URI attributes <a href="https://github.com/rubygems/rubygems.org/pull/2335">rubygems/rubygems.org#2335</a></li> <li>Worked on optimizations for our stats and just_updated endpoints, which should cut response times by about 1200ms and 600ms respectively. <a href="https://github.com/rubygems/rubygems.org/pull/2335">rubygems/rubygems.org#2333</a></li> <li>Finished work on the reset of the rate limit on successful gem push <a href="https://github.com/rubygems/rubygems.org/pull/2311">rubygems/rubygems.org#2311</a></li> </ul> <p>Thanks to @johnfrancismccann, our releases page shows a consistent number of items per page.</p> <p>For the month, RubyGems.org gained <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-04-01%7D...master@%7B2020-04-30%7D">70 new commits</a>, contributed by 8 authors. There were 337 additions and 143 deletions across 39 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> 3.1.3 Released 2020-05-05T00:00:00+00:00 http://blog.rubygems.org/2020/05/05/3.1.3-released <p>RubyGems 3.1.3 includes bug fixes and minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <ul> <li>Fix platform comparison check in #contains_requirable_file?. Pull request #3495 by Benoit Daloze.</li> <li>Improve gzip errors logging. Pull request #3485 by David Rodríguez.</li> <li>Fix incorrect <code class="language-plaintext highlighter-rouge">gem uninstall --all</code> message. Pull request #3483 by David Rodríguez.</li> <li>Fix incorrect bundler version being required. 
Pull request #3458 by David Rodríguez.</li> <li>Resolver: require NameTuple before use. Pull request #3171 by Olle Jonsson.</li> <li>Use absolute paths with autoload. Pull request #3100 by David Rodríguez.</li> <li>Avoid changing $SOURCE_DATE_EPOCH. Pull request #3088 by Ellen Marie Dash.</li> <li>Use Bundler 2.1.4. Pull request #3072 by Hiroshi SHIBATA.</li> <li>Fix gem install from a gemdeps file with complex dependencies. Pull request #3054 by Luis Sagastume.</li> <li>Add tests to check if Gem.ruby_version works with ruby git master. Pull request #3049 by Yusuke Endoh.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.1.3.tgz<br /> 17061f09b3583edc8edf600b9e220c21a17793afca8d922dcfb460db29933ca0</li> <li>rubygems-3.1.3.zip<br /> 41e2f7e0e5087c7673d324c48759c44309aa4f818539796a6c995e5f7bb7e2a9</li> <li>rubygems-update-3.1.3.gem<br /> 1dca1716da249db38a7255fccc875705fdbbe98754a5e6a1e19b6df097f089e5</li> </ul> March 2020 RubyGems Updates 2020-04-27T00:00:00+00:00 http://blog.rubygems.org/2020/04/27/march-rubygems-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in March.</p> <h2 id="rubygems-news">RubyGems news</h2> <p>We have great news! Bundler merged into RubyGems! Major props to @hsbt for sending the PR to combine repositories, as well as @deivid-rodriguez for helping troubleshoot, fix CI, and get the PR landed.</p> <p>On top of that huge accomplishment, RubyGems saw ongoing maintenance and bugfixes, improved tests on JRuby, better deprecation warnings, and fixes for the internal bot that labels PRs and issues. 
The RubyGems team spent time getting more familiar with the newly imported Bundler issues, and the Bundler team spent time getting more familiar with RubyGems, alongside the usual PR review and issue triage.</p> <p>In March, RubyGems gained <a href="https://github.com/rubygems/rubygems/compare/master@%7B2020-03-01%7D...master@%7B2020-03-31%7D">more than 10,000 new commits</a> (which includes all of Bundler’s history!) contributed by 21 authors. There were 96,617 additions and 961 deletions across 1,423 files.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In March, thanks to Aditya and Colby we were able to update most of our gem dependencies, which included a security release of Rails. Aditya also helped us fix the incorrect rate limit on the gem push endpoint. This should be a big improvement for users with high release volume like AWS, which publishes hundreds of gems every time they update <code class="language-plaintext highlighter-rouge">aws-sdk</code>. We also resolved some related rate limit issues with multi-factor authentication.</p> <p>To mitigate typo-squatting, we had been maintaining a protected list of gem names and rejecting new names that fell within a small Levenshtein distance of one of them. Unfortunately, the check turned out to be too strict, and caused more problems than it was solving. We have disabled it for now, and we are looking into other ways to deal with typo-squatting. 
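</p> <p>To show why a fixed Levenshtein cutoff misfires, here is an added example in Ruby (not the check RubyGems.org ran): an edit-distance function, the strict rule with a fixed threshold, and a length-scaled variant as one possible relaxation. The protected list, the threshold of 2 and the candidate names are assumptions; with them, the strict rule rejects the legitimate name <code class="language-plaintext highlighter-rouge">rake</code> because it is two edits from <code class="language-plaintext highlighter-rouge">rack</code>, while the relaxed rule lets short names through and so misses a short squat such as <code class="language-plaintext highlighter-rouge">railz</code>.</p>

```ruby
# Levenshtein edit distance, standard two-row dynamic programme.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    curr = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      curr << [prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = curr
  end
  prev.last
end

# Constructed stand-in for the protected list.
PROTECTED_GEMS = %w[rails rack bundler nokogiri].freeze

# Closest protected name and its distance, so a rejection can be explained.
def nearest_protected(name, protected: PROTECTED_GEMS)
  protected.reject { |p| p == name }
           .map { |p| [p, levenshtein(name, p)] }
           .min_by { |_, d| d }
end

# The strict rule the post describes: reject any new name within a fixed
# edit distance of a protected one. The threshold of 2 is an assumption.
# Short names have many legitimate neighbours, so this rejects "rake".
def strict_typosquat?(name, protected: PROTECTED_GEMS, threshold: 2)
  _, distance = nearest_protected(name, protected: protected)
  !distance.nil? && distance <= threshold
end

# One possible relaxation (an assumption, not the project's chosen fix):
# scale the allowed distance with length so short names are never caught,
# accepting that short squats such as "railz" are then missed.
def relaxed_typosquat?(name, protected: PROTECTED_GEMS)
  max_distance = if name.length >= 10 then 2
                 elsif name.length >= 6 then 1
                 else 0
                 end
  _, distance = nearest_protected(name, protected: protected)
  !distance.nil? && distance <= max_distance
end

if __FILE__ == $PROGRAM_NAME
  %w[rake railz nokogirl bundlr sinatra].each do |candidate|
    near, d = nearest_protected(candidate)
    puts format('%-9s nearest=%-9s d=%d strict=%-5s relaxed=%s', candidate, near, d,
                strict_typosquat?(candidate), relaxed_typosquat?(candidate))
  end
end
```

<p>Neither rule is free: the strict one blocks real names, the relaxed one waves short squats through, which is the trade-off behind disabling the check rather than tuning a number.</p> <p>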
Thank you for bearing with us while we figure this out.</p> <p>Aditya was also able to complete a grab bag of other useful work, including:</p> <ul> <li>revisited adoption PRs/issues</li> <li>helped a GSoC student write an RFC for the ownership changes <a href="https://github.com/rubygems/rfcs/issues/25">rubygems/rfcs#25</a></li> <li>fixed incorrect backoff on MFA endpoints other than gem push <a href="https://github.com/rubygems/rubygems.org/issues/2270">rubygems/rubygems.org#2270</a></li> <li>PR to migrate nginx to a sidecar in the staging deployment <a href="https://github.com/rubygems/rubygems.org/issues/2291">rubygems/rubygems.org#2291</a></li> <li>PR to support prefix match <a href="https://github.com/rubygems/rubygems.org/issues/2308">rubygems/rubygems.org#2308</a></li> <li>PRs to fix several open issues <a href="https://github.com/rubygems/rubygems.org/issues/2315">rubygems/rubygems.org#2315</a>, <a href="https://github.com/rubygems/rubygems.org/issues/2316">#2316</a>, <a href="https://github.com/rubygems/rubygems.org/issues/2317">#2317</a>.</li> <li>debugged 429 responses for the info endpoint on nginx</li> <li>debugged partial requests being logged as not cacheable by Fastly</li> </ul> <p>For the month, RubyGems.org received <a href="https://github.com/rubygems/rubygems.org/compare/master@%7B2020-03-01%7D...master@%7B2020-03-31%7D">80 commits</a> from 6 authors, who made 294 additions and 206 deletions across 17 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.md#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> Announcing RubyGems.org Stats 2020-03-09T00:00:00+00:00 http://blog.rubygems.org/2020/03/09/announcing-rubygems-stats <p>Ever since it was first released, the Bundler team has wanted to know more about the developers out there using our code. 
What versions of Ruby are still being actively used? What versions of RubyGems is it safe to stop supporting? Which operating systems should we focus on testing?</p> <p>It’s been almost 10 years since that first release, but today the RubyGems and Bundler team is excited to announce that everyone can see the answers to these questions at <a href="https://stats.rubygems.org">stats.rubygems.org</a>. It’s been a long journey from <a href="https://github.com/rubygems/bundler/commit/7a95b0cbbcacbd899bd108319fffb57c327ad6f7">the first commit in 2013</a> to the working website today, so I’ll try to stick to the highlights.</p> <p>After reading reports like <a href="https://marco.org/2011/08/13/instapaper-ios-device-and-version-stats-update">iOS device and OS version stats from Instapaper</a> and <a href="https://blog.planetargon.com/entries/the-2018-ruby-on-rails-survey">Planet Argon’s long-running Ruby on Rails community survey</a>, I was inspired to try to collect similar stats about Bundler users. Knowing that Bundler already had to send some information to RubyGems.org during every <code class="language-plaintext highlighter-rouge">bundle install</code>, I started there. Sending Bundler, RubyGems, and Ruby version information in the User-Agent header meant that the versions we wanted to track would be available in the RubyGems.org server logs.</p> <p>Merely 2 or 3 years later, I was able to ensure that a redacted copy of the RubyGems.org server logs would be saved to storage sponsored by <a href="https://rubytogether.org">Ruby Together</a>. Then, I just needed to figure out how to take the files on S3 and turn them into useful daily numbers.</p> <p>Unfortunately, RubyGems.org is an extremely popular website, and it produces a truly stupendous amount of logs: something on the order of 500GB, every single day. 
Downloading those logs, parsing them to get out the user agent, trying to remove duplicates, and then saving the results becomes an extremely hard job when you need to be able to do it cheaply, every day, and faster than 20GB/hour.</p> <p>It took several more years, and <a href="https://andre.arko.net/2018/10/25/parsing-logs-230x-faster-with-rust/">lots of experimentation with Ruby, Python, Apache Spark, AWS Glue, Rust, and Amazon Lambda</a>, but I eventually managed to create a system that could reliably process the RubyGems.org logs firehose and provide daily numbers in the second half of 2018.</p> <p>At that point, André started work on a webapp that could display that data, but then completely ran out of spare cycles to work on the project for all of 2019. Fortunately, that’s when <a href="https://github.com/sidk">@sidk</a> stepped in, heroically working to complete and expand the webapp into the site we have today. Here’s a summary from Sid of how the final site is set up:</p> <hr /> <p>The display webapp consists of the following components:</p> <ul> <li>A daily rake task, to download data from S3 into Postgres. Data is uploaded to S3 by kirby (the log parser) after it processes log data.</li> <li>A JSON API, with the following endpoints: <ul> <li>/versions/{thing}</li> <li>/comparison/{thing1}/{thing2}</li> </ul> </li> </ul> <p>In the API, each <code class="language-plaintext highlighter-rouge">thing</code> is one of: ruby, bundler, rubygems, platform, or ci.</p> <p>On the frontend, we currently use <a href="https://apexcharts.com">ApexCharts</a>. Every graph on the page is a partial that makes a request to the server for version or comparison data and then instantiates an ApexChart.</p> <hr /> <p>In the end, things worked out pretty well, and we’re very excited and proud to make such a useful resource available to the Ruby community. 
We’re excited to work with all of you to keep making both the <a href="https://github.com/rubytogether/kirby">log parser</a> and <a href="https://github.com/rubytogether/ecosystem">display webapp</a> even better.</p> <p>Check out <a href="https://stats.rubygems.org">stats.rubygems.org</a> and tell us what you think!</p> 3.0.8 Released 2020-02-19T00:00:00+00:00 http://blog.rubygems.org/2020/02/19/3.0.8-released <p>RubyGems 3.0.8 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Gem::Specification#to_ruby needs OpenSSL. Pull request #2937 by Nobuyoshi Nakada.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.8.tgz<br /> a462d8f9860a17f8dc1a713c51ce3888b3b4c4897e2896426d67a90628277632</li> <li>rubygems-3.0.8.zip<br /> bf2a468704e32b397be1028671bd6572bd1c6affa024b95b67f760f5181f0277</li> <li>rubygems-update-3.0.8.gem<br /> 6b02065e13df8cb365ece9726ea542ba5ea3527d40b58d21bf63e6cf998248d0</li> </ul> 3.0.7 Released 2020-02-18T00:00:00+00:00 http://blog.rubygems.org/2020/02/18/3.0.7-released <p>RubyGems 3.0.7 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
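</p> <p>The SHA256 checksums these release notes publish are only useful if something compares them against the file actually downloaded. As an added example that is not part of the RubyGems release tooling, here is a Ruby verifier that parses a checksum list in either the layout used in these notes (name on one line, digest on the next) or sha256sum’s digest-then-name layout, checks every listed file in a directory, and refuses to proceed unless all of them match. The digests embedded are copied from the 3.1.4 note earlier on this page; the sample files written in the demo are constructed.</p>

```ruby
require 'digest/sha2'
require 'tmpdir'

# Copied from the 3.1.4 release note on this page: one artifact name per
# line, followed by its SHA256 digest on the next line.
RELEASE_CHECKSUMS = <<~TEXT
  rubygems-3.1.4.tgz
  d8030019d86d60469d3f4f48b7cfcd724b184157ac2881a5bec4394d9cd93f7d
  rubygems-3.1.4.zip
  a026eb196693df8aae7c457ca0767b97e15deb070ef4e93333ea825b9a8d6c13
  rubygems-update-3.1.4.gem
  a344d7a4cf7bd30d987469068157801a9d06af448860b65c8b81922030375122
TEXT

def hex64?(token)
  token.match?(/\A[0-9a-f]{64}\z/i)
end

# Parse a checksum list into { filename => lowercase hex digest }.
# Accepts "name / digest" on consecutive lines and "digest  name" on one line.
def parse_checksums(text)
  manifest = {}
  pending_name = nil
  text.each_line do |line|
    tokens = line.split
    next if tokens.empty?

    hex  = tokens.find { |t| hex64?(t) }
    name = tokens.find { |t| !hex64?(t) }&.delete_prefix('*')
    if hex && name
      manifest[name] = hex.downcase
      pending_name = nil
    elsif hex && pending_name
      manifest[pending_name] = hex.downcase
      pending_name = nil
    elsif name
      pending_name = name
    end
  end
  manifest
end

# Check every listed file under dir. Returns { name => :ok | :mismatch | :missing }.
def verify_downloads(manifest, dir)
  manifest.each_with_object({}) do |(name, expected), results|
    path = File.join(dir, name)
    results[name] = if !File.file?(path) then :missing
                    elsif Digest::SHA256.file(path).hexdigest == expected then :ok
                    else :mismatch
                    end
  end
end

# Install only when every listed artifact is present and matches.
def safe_to_install?(results)
  !results.empty? && results.values.all? { |s| s == :ok }
end

if __FILE__ == $PROGRAM_NAME
  puts "parsed #{parse_checksums(RELEASE_CHECKSUMS).size} published digests"
  # Constructed demo: "abc" has a well-known SHA256; the second file is tampered.
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'sample.txt'), 'abc')
    File.write(File.join(dir, 'tampered.txt'), 'abd')
    manifest = parse_checksums(<<~TEXT)
      ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.txt
      ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tampered.txt
    TEXT
    results = verify_downloads(manifest, dir)
    puts results.inspect
    puts(safe_to_install?(results) ? 'ok to install' : 'REFUSING: checksum failure')
  end
end
```

<p>Point it at the directory holding the downloaded archive and the checksum text copied from the release note, and only unpack or install the archive when it reports every file as matching; a missing file is treated as a failure rather than skipped, so a partial download cannot pass.</p> <p>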
To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix underscore version selection for bundler #2908 by David Rodríguez.</li> <li>Add missing wrapper. Pull request #2690 by David Rodríguez.</li> <li>Make Gem::Specification#ruby_code handle OpenSSL::PKey::RSA objects. Pull request #2782 by Luis Sagastume.</li> <li>Installer.rb - fix #windows_stub_script. Pull request #2876 by MSP-Greg.</li> <li>Use IAM role to extract security-credentials for EC2 instance. Pull request #2894 by Alexander Pakulov.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.7.tgz<br /> e686c4aec1abcfbedc1a2b841db0ccfb22c5745af7b0fb909d22560471a9c433</li> <li>rubygems-3.0.7.zip<br /> ae09e078cbde01f15dc477a959386c0dda2fa6bf433b8e68600166530c261e8d</li> <li>rubygems-update-3.0.7.gem<br /> f612029bc1a9c09cd7af095f01df6cb6471d0eefd8ffae70c1799275cf2b9ffc</li> </ul> 3.1.2 Released 2019-12-20T00:00:00+00:00 http://blog.rubygems.org/2019/12/20/3.1.2-released <p>RubyGems 3.1.2 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Restore non prompting <code class="language-plaintext highlighter-rouge">gem update --system</code> behavior. Pull request #3040 by David Rodríguez.</li> <li>Show only release notes for new code installed. 
Pull request #3041 by David Rodríguez.</li> <li>Inform about installed <code class="language-plaintext highlighter-rouge">bundle</code> executable after <code class="language-plaintext highlighter-rouge">gem update --system</code>. Pull request #3042 by David Rodríguez.</li> <li>Use Bundler 2.1.2. Pull request #3043 by SHIBATA Hiroshi.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Require <code class="language-plaintext highlighter-rouge">uri</code> in source.rb. Pull request #3034 by mihaibuzgau.</li> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --system --force</code>. Pull request #3035 by David Rodríguez.</li> <li>Move <code class="language-plaintext highlighter-rouge">require uri</code> to source_list. Pull request #3038 by mihaibuzgau.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.1.2.tgz<br /> 1626f8d72537eb77eed70a4f9821923d8f2b71d25466e26402d379cd2466c723</li> <li>rubygems-3.1.2.zip<br /> 35d815b0c25138a381e00d7a6b149ef511f8317ad3257feec4164bb8bb4fbedd</li> <li>rubygems-update-3.1.2.gem<br /> 3df50ca8f2dc1b6250b5cd9d752173183c1788ba92eb059133b72b9b36d866a7</li> </ul> 3.1.1 Released 2019-12-16T00:00:00+00:00 http://blog.rubygems.org/2019/12/16/3.1.1-released <p>RubyGems 3.1.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Vendor Bundler 2.1.0 again. The version of Bundler with RubyGems 3.1.0 was Bundler 2.1.0.pre.3. 
Pull request #3029 by SHIBATA Hiroshi.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.1.1.tgz<br /> afdca4c76386395f78ae4b64f66504afe25f732368abdb833f547bee30751cf4</li> <li>rubygems-3.1.1.zip<br /> 1611541ff5bdf9308d138d88f7579fbd73434cbaa5812d200013b7acbbbd0761</li> <li>rubygems-update-3.1.1.gem<br /> 007048a02c72a108e6b7ba3b8bcbc334904c2c9d56d904dcd594f3935abd05de</li> </ul> 3.1.0 Released 2019-12-16T00:00:00+00:00 http://blog.rubygems.org/2019/12/16/3.1.0-released <p>RubyGems 3.1.0 includes major enhancements, minor enhancements, bug fixes and compatibility changes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>Release Notes:</p> <p><a href="https://github.com/rubygems/rubygems/releases/tag/v3.1.0">Release Notes of RubyGems 3.1.0</a></p> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.1.0.tgz<br /> 2199aa7a4d53a904d42d56d6697f3bb8dea7f4730158ea1a2b241e4f065e1b71</li> <li>rubygems-3.1.0.zip<br /> c5e78255747c55fb02b86e9fe0446f065d8abc89d7c503518324de5d63bc16d2</li> <li>rubygems-update-3.1.0.gem<br /> f817d7e5576e99b31e220a74d54f0bf01249baa56b0afa43861cd59ee38231c0</li> </ul> RubyGems.org and Chef Gem Ownership 2019-09-20T00:00:00+00:00 http://blog.rubygems.org/2019/09/20/chef-ownership <p>Ruby Central and the RubyGems.org Administrators have released the following statement with regard to the access and ownership of gems by Chef Software.</p> <p><a href="/images/rubygems-chef-statement.pdf">Statement</a></p> 3.0.6 Released 2019-08-16T00:00:00+00:00 http://blog.rubygems.org/2019/08/16/3.0.6-released <p>RubyGems 3.0.6 
includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Revert #2813. It broke the compatibility with 3.0.x versions.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.6.tgz<br /> fd6785ac24728bd5bf8f0883d197fe0cea4df37d485c5353c93fbe573b8941b1</li> <li>rubygems-3.0.6.zip<br /> d222edc519421f221bfa835a71e5ccea742c5295d8035451ec3baeee8c6b9b3c</li> <li>rubygems-update-3.0.6.gem<br /> 0e4fcbd4f1f0b6d58fc656051f3f3a0229713552d5b1eeab588f853d8ec96d7a</li> </ul> 3.0.5 Released 2019-08-16T00:00:00+00:00 http://blog.rubygems.org/2019/08/16/3.0.5-released <p>RubyGems 3.0.5 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Use env var to configure api key on push. Pull request #2559 by Luis Sagastume.</li> <li>Unswallow uninstall error. Pull request #2707 by David Rodríguez.</li> <li>Expose windows path normalization utility. Pull request #2767 by David Rodríguez.</li> <li>Clean which command. 
Pull request #2801 by Luis Sagastume.</li> <li>Upgrade S3 source signing to AWS SigV4. Pull request #2807 by Alexander Pakulov.</li> <li>Remove misleading comment, no reason to move Gem.host to Gem::Util. Pull request #2811 by Luis Sagastume.</li> <li>Drop support for ‘gem env packageversion’. Pull request #2813 by Luis Sagastume.</li> <li>Take only git-tracked files into account in the update_manifest rake task. Pull request #2816 by Luis Sagastume.</li> <li>Remove TODO comment, there’s no Gem::Dirs constant. Pull request #2819 by Luis Sagastume.</li> <li>Remove unused ‘raise’ from test_case. Pull request #2820 by Luis Sagastume.</li> <li>Move TODO comment to an information comment. Pull request #2821 by Luis Sagastume.</li> <li>Use File#open instead of Kernel#open in stub_specification.rb. Pull request #2834 by Luis Sagastume.</li> <li>Make the error code in gemcutter_utilities a constant. Pull request #2844 by Luis Sagastume.</li> <li>Remove FIXME comment related to PathSupport. Pull request #2854 by Luis Sagastume.</li> <li>Use gsub with Hash. Pull request #2860 by Kazuhiro NISHIYAMA.</li> <li>Use the standard RUBY_ENGINE_VERSION instead of JRUBY_VERSION. Pull request #2864 by Benoit Daloze.</li> <li>Do not mutate uri.query during s3 signature creation. Pull request #2874 by Alexander Pakulov.</li> <li>Fixup #2844. Pull request #2878 by SHIBATA Hiroshi.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix intermittent test error on Appveyor &amp; Travis. Pull request #2568 by MSP-Greg.</li> <li>Extend timeout on assert_self_install_permissions. Pull request #2605 by SHIBATA Hiroshi.</li> <li>Better folder assertions. Pull request #2644 by David Rodríguez.</li> <li>Fix default gem executable installation when folder is not <code class="language-plaintext highlighter-rouge">bin/</code>. Pull request #2649 by David Rodríguez.</li> <li>Fix gem uninstall behavior. Pull request #2663 by Luis Sagastume.</li> <li>Fix for large values in UID/GID fields in tar archives. 
Pull request #2780 by Alexey Shein.</li> <li>Fixed task order for release. Pull request #2792 by SHIBATA Hiroshi.</li> <li>Ignore GEMRC variable for test suite. Pull request #2837 by SHIBATA Hiroshi.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.5.tgz<br /> 2cd05ad70bbe83a3a3a78adb3b14c9b7b3b3a60a6a745794c9bf04d1144e3948</li> <li>rubygems-3.0.5.zip<br /> 183c153348280a14af8eb43186abeb17015728c74c2dd83447baae8a75472644</li> <li>rubygems-update-3.0.5.gem<br /> 533ab83fc7394c50284d5fc1cdc22d504f8f0a61e6f60e40766aa2880025c5fa</li> </ul> 3.0.4 Released 2019-06-14T00:00:00+00:00 http://blog.rubygems.org/2019/06/14/3.0.4-released <p>RubyGems 3.0.4 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Add support for TruffleRuby. Pull request #2612 by Benoit Daloze.</li> <li>Serve a more descriptive error when <code class="language-plaintext highlighter-rouge">--no-ri</code> or <code class="language-plaintext highlighter-rouge">--no-rdoc</code> are used. Pull request #2572 by Grey Baker.</li> <li>Improve test compatibility with CMake 2.8. Pull request #2590 by Vít Ondruch.</li> <li>Restore gem build behavior and introduce the “-C” flag to gem build. Pull request #2596 by Luis Sagastume.</li> <li>Enabled block call with util_set_arch. Pull request #2603 by SHIBATA Hiroshi.</li> <li>Avoid the rdoc hook when the rdoc library fails to load. Pull request #2604 by SHIBATA Hiroshi.</li> <li>Drop tests for legacy RDoc. Pull request #2608 by Nobuyoshi Nakada.</li> <li>Update TODO comment. Pull request #2658 by Luis Sagastume.</li> <li>Skip malicious extension test with mswin platform. 
Pull request #2670 by SHIBATA Hiroshi.</li> <li>Check deprecated methods on release. Pull request #2673 by David Rodríguez.</li> <li>Add steps to run bundler tests. Pull request #2680 by Aditya Prakash.</li> <li>Skip temporary “No such host is known” error. Pull request #2684 by Takashi Kokubun.</li> <li>Replace s3cmd with aws-sdk-s3. Pull request #2688 by SHIBATA Hiroshi.</li> <li>Allow uninstall from symlinked GEM_HOME. Pull request #2720 by David Rodríguez.</li> <li>Use current checkout in CI to uninstall RVM related gems. Pull request #2729 by David Rodríguez.</li> <li>Update to Contributor Covenant v1.4.1. Pull request #2751 by SHIBATA Hiroshi.</li> <li>Added supported versions of Ruby. Pull request #2756 by SHIBATA Hiroshi.</li> <li>Fix shadowing outer local variable warning. Pull request #2763 by Luis Sagastume.</li> <li>Update the certificate files to make the test pass on Debian 10. Pull request #2777 by Yusuke Endoh.</li> <li>Backport ruby core changes. Pull request #2778 by SHIBATA Hiroshi.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Test_gem.rb - intermittent failure fix. Pull request #2613 by MSP-Greg.</li> <li>Fix sporadic CI failures. Pull request #2617 by David Rodríguez.</li> <li>Fix flaky bundler version finder tests. Pull request #2624 by David Rodríguez.</li> <li>Fix gem indexer tests leaking utility gems. Pull request #2625 by David Rodríguez.</li> <li>Clean up default spec dir too. Pull request #2639 by David Rodríguez.</li> <li>Fix 2.6.1 build against vendored bundler. Pull request #2645 by David Rodríguez.</li> <li>Fix comment typo. Pull request #2664 by Luis Sagastume.</li> <li>Fix comment of Gem::Specification#required_ruby_version=. Pull request #2732 by Alex Junger.</li> <li>Fix TODOs. 
Pull request #2748 by David Rodríguez.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.4.tgz<br /> 8292d0fb2e4dc6e074bb053894eb41f2ef533adcb088b7081450ae3cf62fe277</li> <li>rubygems-3.0.4.zip<br /> 6eac10cd45d460200da6c7615b38101357eb58668754a7d9839f107f88bbbaca</li> <li>rubygems-update-3.0.4.gem<br /> 8d2e3358c89d0d49a6f5dcab97ae4747369adfc8e47279113d3c2bb3e5e65350</li> </ul> 2.7.10 Released 2019-06-14T00:00:00+00:00 http://blog.rubygems.org/2019/06/14/2.7.10-released <p>RubyGems 2.7.10 includes minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Fix bundler rubygems binstub not properly looking for bundler. Pull request #2426 by David Rodríguez.</li> <li>[BundlerVersionFinder] set .filter! and .compatible? to match only on major versions. Pull request #2515 by Colby Swandale.</li> <li>Update for compatibility with new minitest. Pull request #2118 by MSP-Greg.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.10.tgz<br /> d81dda6d8c54849cda16a95ae0216516deaa0f59ed3c123222128b15723a82ad</li> <li>rubygems-2.7.10.zip<br /> a872d3333c9d408cf4067309ea28146e4d8215f6a784edab155cfc801887e32f</li> <li>rubygems-update-2.7.10.gem<br /> be31228afaece7e31303fc21bf16f76a52faf591800a5309ff018bcd25c50b97</li> </ul> January and February 2019 RubyGems Updates 2019-03-12T00:00:00+00:00 http://blog.rubygems.org/2019/03/12/jan-feb-rubygems-update <p>Welcome to the RubyGems monthly update! 
As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in January and February.</p> <h2 id="rubygemsorg-news">rubygems.org news</h2> <p>In the last two months, we updated our search API to use Elasticsearch, which resolves multiple issues including <a href="https://github.com/rubygems/rubygems.org/issues/972">missing search results</a> and <a href="https://github.com/rubygems/rubygems.org/issues/1256">slow performance</a>. Thanks to @lucianosousa, we are now using Rails 5.2.2. We would also like to let you know that we added some styling to our email templates, and they are no longer being marked as spam by some email providers. We haven’t received any new help tickets about lost email in the last month, which is a good sign!</p> <p>In mid-February, we had to impose a rate limit of one yank request per 10 minutes because we were seeing some users yank hundreds of gems at once. Our yank API endpoint was extremely slow, and hundreds of yanks at once were causing site instability. Since then we have worked hard on some optimizations and we are happy to report that we have brought the average response time of the yank API down from 4000 ms to 250 ms.</p> <p>In January and February, RubyGems.org gained 67 new commits, contributed by 8 authors. There were 1,177 additions and 509 deletions across 81 files.</p> <h2 id="rubygems-news">rubygems news</h2> <p>RubyGems saw a bunch of commits cleaning up code, fixing bugs, and generally making things work better.</p> <p>We also did additional work in the background, working with security researchers to fix problems that they had discovered. 
You can read more about <a href="https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html">the security issues, fixes, and the latest release with fixes on the RubyGems blog</a>.</p> <p>In January and February, RubyGems gained 153 new commits, contributed by 12 authors. There were 1,776 additions and 807 deletions across 176 files.</p> <hr /> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> Removing the edit linkset form 2019-03-08T00:00:00+00:00 http://blog.rubygems.org/2019/03/08/and-then-there-was-one-metadata-links <p>Say you have built a new futuristic website for your gem and now you want to update its homepage link on our site. <em>What happened to the linkset edit link?</em> is something you may find yourself asking when you find out that the edit link is no more (Press F?). Before more of you start <a href="https://github.com/rubygems/rubygems.org/issues/1899#issue-406110693">questioning your sanity</a> over it, let us assure you that it is still the same timeline you have always lived in. While we don’t have portals yet, you can now set your gem page sidebar links per version, so that’s something.</p> <p>It started with <code class="language-plaintext highlighter-rouge">@fwolfst</code> <a href="https://github.com/rubygems/rubygems/issues/1007">suggesting</a> that we should use the gemspec to set the source code link, and all we said back was:</p> <blockquote> <p>submitting a pull request with this change and a test will get a review, though.</p> </blockquote> <p>4 years to deliver a feature may sound neither stirring nor impressive, until you learn about the gears we had to grease to make it possible. 
We <a href="https://github.com/rubygems/rubygems.org/pull/858">exposed</a> the metadata field from the API, <a href="https://github.com/rubygems/rubygems.org/issues/718#issuecomment-69181157">added</a> linkset and changelog URLs to the bandwagon, <a href="https://github.com/rubygems/rubygems.org/pull/895">backfilled</a> metadata for the older versions and even <a href="https://github.com/rubygems/rubygems.org/commit/a72bc3b6506ffbdb5aeb1ec3f23d88c69ce05851">reverted</a> a revert of a commit. It was so nice of <code class="language-plaintext highlighter-rouge">@kbrock</code> to keep <a href="https://github.com/rubygems/rubygems.org/pull/1234">his PR</a> updated while we worked on other pressing issues. As of now, if you need to update any of the sidebar links previously editable from the UI, you have to set the corresponding URI keys in <code class="language-plaintext highlighter-rouge">spec.metadata</code> and push a new version. Please check our <a href="https://guides.rubygems.org/specification-reference/#metadata">guides</a> for the details of the requirements.</p> <p align="center"> <img src="https://gist.github.com/sonalkr132/8608c421ae1cf79623567a05a3bffaf0/raw/40105759f41b8ed4b8173d2e5537633ec50a3cad/immutable-awesomeness-by-john-willis-and-josh-corman-3-638.jpg" alt="immutable" /> </p> <p>On <a href="https://rubygems.org/gems/rake/versions/12.3.1">the versions page</a> we expect that fields like dependencies, required Ruby version and SHA256 checksum all belong to the version we are looking at. Most of what we see on the page has always come from the various attributes of the gemspec file. The noteworthy exceptions were the wiki, code, mail, bug tracker and documentation links shown on the right sidebar. 
You used to set them, optionally, through the edit <code class="language-plaintext highlighter-rouge">linkset</code> form, and the model <em>belongs_to</em> <code class="language-plaintext highlighter-rouge">rubygems</code> (not <code class="language-plaintext highlighter-rouge">versions</code>). While the URIs for the wiki, code and bug tracker generally don’t change between versions, documentation and changelog links often need to be updated with each new version. On RubyGems.org, we consider versions immutable once you have pushed them to our servers. Although we had the alternative of changing the linkset relationship to <code class="language-plaintext highlighter-rouge">belongs_to: versions</code>, that doesn’t fit well with our assumption of immutable releases.</p> <p>Removing the UI form makes the gemspec the only source of truth for the links and gives gem publishers more control over them. Those releasing gems from a CI build will find the gem specification more convenient than the UI. Further, the RubyGems.org repo got to shed <a href="https://github.com/rubygems/rubygems.org/pull/1815">more than 200 lines of code</a> by removing the form. Enough real estate for two Ruby classes, according to <a href="https://youtu.be/npOGOmkxuio?t=495">some</a>.</p> <p>We understand that there are times when you need to get things done. If you are genuinely in a situation where you can’t release a new version to update those links, please feel free to file <a href="https://help.rubygems.org/discussion/new">a support ticket</a> and, for the time being, we will update it for you. Having said that, we also hope that you find metadata links a useful addition and will use them in your next version release. In case you are still undecided, possibly a montage of <em>back of the book style</em> quotes will sell it better. 
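Here is what setting the sidebar links from the gemspec looks like in practice, as an added example rather than code from this post or from the rubygems project. It builds a specification whose version-specific links point at the tag of the version being released, then runs a pre-push check over every <code class="language-plaintext highlighter-rouge">*_uri</code> key. Assumptions: the key names are the ones listed in the RubyGems specification reference for metadata, the gem name and URLs are made up, and the https-only rule and 1024-byte cap are our own policy rather than the server's.

```ruby
# Added example, not code from the RubyGems.org post or the rubygems project.
# Builds a gemspec whose sidebar links live in spec.metadata and runs a
# pre-push check over them. Assumptions: the *_uri key names follow the
# RubyGems specification reference; the gem name, URLs, https-only rule
# and byte cap are ours.
require "rubygems"
require "uri"

# Link keys RubyGems.org reads for the sidebar (assumed from the guides).
LINK_KEYS = %w[
  homepage_uri source_code_uri changelog_uri documentation_uri
  wiki_uri mailing_list_uri bug_tracker_uri funding_uri
].freeze

MAX_VALUE_BYTES = 1024 # our own cap on a metadata value

def build_spec(version)
  base = "https://example.invalid/example_gem" # assumed project URL
  Gem::Specification.new do |s|
    s.name    = "example_gem"                  # assumed gem name
    s.version = version
    s.summary = "Example gem with per-version metadata links"
    s.authors = ["Example Author"]
    s.files   = []
    # Links that change per release point at the tag for *this* version,
    # which is what an immutable versions page wants.
    s.metadata = {
      "homepage_uri"      => base,
      "source_code_uri"   => "#{base}/tree/v#{version}",
      "changelog_uri"     => "#{base}/blob/v#{version}/CHANGELOG.md",
      "documentation_uri" => "https://www.rubydoc.info/gems/example_gem/#{version}",
      "bug_tracker_uri"   => "#{base}/issues",
    }
  end
end

# Returns a list of problems with the *_uri metadata; empty means push-ready.
def metadata_link_problems(spec)
  problems = []
  spec.metadata.each do |key, value|
    next unless key.end_with?("_uri")
    problems << "#{key}: not a sidebar link key" unless LINK_KEYS.include?(key)
    unless value.is_a?(String)
      problems << "#{key}: value must be a String"
      next
    end
    problems << "#{key}: longer than #{MAX_VALUE_BYTES} bytes" if value.bytesize > MAX_VALUE_BYTES
    uri = URI.parse(value) rescue nil
    # Absolute https only: these links are rendered for every visitor of the
    # gem page, so a relative path or an http:// link is refused up front.
    if uri.nil? || uri.scheme != "https" || uri.host.to_s.empty?
      problems << "#{key}: not an absolute https URL (#{value.inspect})"
    end
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  problems = metadata_link_problems(build_spec("1.2.0"))
  puts(problems.empty? ? "metadata links OK" : problems)
end
```

Run the check from the same CI job that calls <code class="language-plaintext highlighter-rouge">gem build</code>, before the push: a bad link is otherwise immutable until the next release, which is the whole point of the post.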
<br /></p> <p align="center"> <img src="https://gist.github.com/sonalkr132/8608c421ae1cf79623567a05a3bffaf0/raw/7be7798e5e4d2aee99b08a3eaf9268bd98ea20c4/metadata-quotes.gif" /> <small><a href="https://gist.github.com/sonalkr132/8608c421ae1cf79623567a05a3bffaf0#file-quote-links-md">source of quotes</a></small> </p> March 2019 Security Advisories 2019-03-05T00:00:00+00:00 http://blog.rubygems.org/2019/03/05/security-advisories-2019-03 <p>Today we’re disclosing several vulnerabilities in RubyGems. They have all been reported via <a href="https://hackerone.com/rubygems">HackerOne</a>.</p> <p>We strongly recommend upgrading to the latest stable version, RubyGems 3.0.3 or 2.7.9. If you can’t upgrade to RubyGems 2.7 or 3.0, please apply <a href="https://bugs.ruby-lang.org/attachments/7669">this patch</a> to RubyGems 2.6.</p> <h2 id="cve-2019-8320-delete-directory-using-symlink-when-decompressing-tar">CVE-2019-8320: Delete directory using symlink when decompressing tar</h2> <h3 id="description">Description</h3> <p>A directory traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before creating new directories or touching files (the code path that now includes path checks for symlinks), RubyGems deleted the target destination first. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user’s machine, provided the attacker could guess the paths. 
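The check an installer needs at exactly that delete-then-create step, as an added example that is not RubyGems' own fix: resolve where an archive entry's destination really leads, and refuse it if it escapes the install directory or if any existing component on the way down is a symlink. The function names and the planted-symlink scenario in the demo are ours; a tar extractor would call <code class="language-plaintext highlighter-rouge">safe_destination</code> for every entry before removing or writing anything.

```ruby
# Added example, not RubyGems' own code. Before an installer deletes or
# creates a destination for an archive entry, it resolves where that path
# really leads and refuses anything reachable through a symlink or outside
# the install directory. The demo plants a symlink in a temporary directory
# to stand in for one shipped by a malicious gem.
require "tmpdir"
require "fileutils"

class UnsafePath < StandardError; end

# Returns the absolute path that `entry_name` (a tar member name) maps to
# under `root`, or raises UnsafePath. Checks, in order:
#   1. the entry is not absolute;
#   2. after normalising "..", it still lies inside root;
#   3. no already-existing component on the way down is a symlink, since the
#      delete-then-create dance would otherwise hit whatever it points at.
def safe_destination(root, entry_name)
  root = File.realpath(root)
  raise UnsafePath, "absolute entry #{entry_name.inspect}" if entry_name.start_with?("/")

  dest = File.expand_path(entry_name, root)
  inside = dest == root || dest.start_with?(root + File::SEPARATOR)
  raise UnsafePath, "#{entry_name.inspect} escapes #{root}" unless inside

  relative = dest == root ? "" : dest[(root.length + 1)..]
  current = root
  relative.split(File::SEPARATOR).each do |part|
    current = File.join(current, part)
    if File.symlink?(current)
      raise UnsafePath, "#{current} is a symlink"
    elsif !File.exist?(current)
      break # nothing below this point exists yet, so nothing can redirect us
    end
  end
  dest
end

def classify(root, entry_name)
  safe_destination(root, entry_name)
  :ok
rescue UnsafePath
  :rejected
end

# Constructed scenario: install/lib -> ../victim, as a hostile archive could
# have created it one entry earlier, plus a dangling link install/ext.
def demo
  Dir.mktmpdir do |tmp|
    root   = File.join(tmp, "install")
    victim = File.join(tmp, "victim")
    FileUtils.mkdir_p([root, victim])
    File.write(File.join(victim, "important.txt"), "keep me")
    File.symlink(victim, File.join(root, "lib"))
    File.symlink(File.join(tmp, "gone"), File.join(root, "ext"))
    {
      plain:     classify(root, "bin/tool"),                # new path inside root
      traversal: classify(root, "../victim/important.txt"), # ".." out of root
      symlink:   classify(root, "lib/important.txt"),       # through the planted link
      dangling:  classify(root, "ext/anything"),            # link target does not exist
    }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Two caveats a practitioner should keep in mind. First, this is a pre-check with a window between the check and the delete; closing that window needs symlink-refusing file operations (O_NOFOLLOW and directory-relative calls), which Ruby's standard library does not expose portably. Second, the check only helps if the process is not already running with more privilege than the install directory needs, which is the real lesson of the "run as sudo" remark that follows.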
Given how frequently <code class="language-plaintext highlighter-rouge">gem</code> is run under sudo, and how predictable paths are on modern systems (<code class="language-plaintext highlighter-rouge">/tmp</code>, <code class="language-plaintext highlighter-rouge">/usr</code>, etc.), this could likely lead to data loss or an unusable system.</p> <h3 id="reporter">Reporter</h3> <p>ooooooo_q</p> <h2 id="cve-2019-8321-escape-sequence-injection-vulnerability-in-verbose">CVE-2019-8321: Escape sequence injection vulnerability in <code class="language-plaintext highlighter-rouge">verbose</code></h2> <h3 id="description-1">Description</h3> <p>An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since <code class="language-plaintext highlighter-rouge">Gem::UserInteraction#verbose</code> calls <code class="language-plaintext highlighter-rouge">say</code> without escaping, escape sequence injection is possible.</p> <h3 id="reporter-1">Reporter</h3> <p>ooooooo_q</p> <h2 id="cve-2019-8322-escape-sequence-injection-vulnerability-in-gem-owner">CVE-2019-8322: Escape sequence injection vulnerability in <code class="language-plaintext highlighter-rouge">gem owner</code></h2> <h3 id="description-2">Description</h3> <p>An issue was discovered in RubyGems 2.6 and later through 3.0.2. The <code class="language-plaintext highlighter-rouge">gem owner</code> command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.</p> <h3 id="reporter-2">Reporter</h3> <p>ooooooo_q</p> <h2 id="cve-2019-8323-escape-sequence-injection-vulnerability-in-api-response-handling">CVE-2019-8323: Escape sequence injection vulnerability in API response handling</h2> <h3 id="description-3">Description</h3> <p>An issue was discovered in RubyGems 2.6 and later through 3.0.2. <code class="language-plaintext highlighter-rouge">Gem::GemcutterUtilities#with_response</code> may output the API response to stdout as it is. 
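CVE-2019-8321, -8322, -8323 and -8325 share one shape: a string that came from a gem or from the API reaches the terminal unescaped. CVE-2019-8324 (below) is the same shape with <code class="language-plaintext highlighter-rouge">eval</code> as the sink and a gem name as the string. The following is an added example of handling both sinks, not RubyGems' own fix: control characters are neutralised before anything untrusted is printed, and a gem name is checked against a whole-string pattern before it is interpolated into the one-line gemspec stub. The sample response body and the two-line name are constructed for the demo; the function names and patterns are ours.

```ruby
# Added example, not RubyGems' own fix. Two untrusted-string sinks from
# these advisories: (1) text from a gem or from the API about to be written
# to the terminal (verbose output, `gem owner`, error messages); (2) a gem
# name about to be interpolated into the one-line gemspec stub that is later
# eval-ed. Sample strings are constructed; patterns and names are ours.

# Every ASCII control character except newline and tab becomes a visible
# ".", so ESC (\e) can no longer start a sequence and \r cannot rewrite the
# line. The pattern is ASCII-only, so it also matches binary API bodies.
CONTROL_CHARS = /[\x00-\x08\x0B-\x1F\x7F]/

def clean_for_terminal(text)
  text.to_s.gsub(CONTROL_CHARS, ".")
end

# Gem names must be a single token of [A-Za-z0-9._-]. \A and \z anchor the
# whole string; ^ and $ match at *line* boundaries in Ruby, which is exactly
# how a "rake\n..." name slips past a careless check.
VALID_NAME = /\A[a-zA-Z0-9._-]+\z/
CARELESS_NAME = /^[a-zA-Z0-9._-]+$/

def stub_line(name, version)
  raise ArgumentError, "invalid gem name #{name.inspect}" unless name.match?(VALID_NAME)
  "# stub: #{name} #{version} ruby lib"
end

# Constructed response body: tries to clear the screen and paint a green
# fake status over whatever the real output was.
def demo_terminal
  crafted = "Owner added successfully.\e[2J\e[H\e[32mAll tests passed\e[0m\r\n"
  clean_for_terminal(crafted)
end

# Constructed name with a second line. Unchecked interpolation keeps that
# line intact, the line-anchored check accepts it, the validated builder
# refuses it.
def demo_stub
  evil = "rake\nputs 'injected'"
  unchecked = "# stub: #{evil} 1.0 ruby lib"
  rejected = begin
    stub_line(evil, "1.0")
    false
  rescue ArgumentError
    true
  end
  {
    good:             stub_line("rake", "12.3.1"),
    unchecked_lines:  unchecked.lines.size,
    careless_accepts: evil.match?(CARELESS_NAME),
    rejected:         rejected,
  }
end

if $PROGRAM_NAME == __FILE__
  puts demo_terminal
  p demo_stub
end
```

Apply <code class="language-plaintext highlighter-rouge">clean_for_terminal</code> at the output boundary (the <code class="language-plaintext highlighter-rouge">say</code> and <code class="language-plaintext highlighter-rouge">alert_error</code> layer) rather than at each call site, so a new message path cannot forget it; apply the name check at parse time, before the name reaches any string that will be evaluated.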
Therefore, if the response is modified on the API side, escape sequence injection may occur.</p> <h3 id="reporter-3">Reporter</h3> <p>ooooooo_q</p> <h2 id="cve-2019-8324-installing-a-malicious-gem-may-lead-to-arbitrary-code-execution">CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution</h2> <h3 id="description-4">Description</h3> <p>An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code into the stub line of the gemspec, which is <code class="language-plaintext highlighter-rouge">eval</code>-ed by code in <code class="language-plaintext highlighter-rouge">ensure_loadable_spec</code> during the pre-install check.</p> <h3 id="reporter-4">Reporter</h3> <p>nyangawa of Chaitin Tech</p> <h2 id="cve-2019-8325-escape-sequence-injection-vulnerability-in-errors">CVE-2019-8325: Escape sequence injection vulnerability in errors</h2> <h3 id="description-5">Description</h3> <p>An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since <code class="language-plaintext highlighter-rouge">Gem::CommandManager#run</code> calls <code class="language-plaintext highlighter-rouge">alert_error</code> without escaping, escape sequence injection is possible. (There are many ways to cause an error.)</p> <h3 id="reporter-5">Reporter</h3> <p>ooooooo_q</p> 3.0.3 Released 2019-03-05T00:00:00+00:00 http://blog.rubygems.org/2019/03/05/3.0.3-released <p>RubyGems 3.0.3 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>Fixed following vulnerabilities: <ul> <li>CVE-2019-8320: Delete directory using symlink when decompressing tar</li> <li>CVE-2019-8321: Escape sequence injection vulnerability in <code class="language-plaintext highlighter-rouge">verbose</code></li> <li>CVE-2019-8322: Escape sequence injection vulnerability in <code class="language-plaintext highlighter-rouge">gem owner</code></li> <li>CVE-2019-8323: Escape sequence injection vulnerability in API response handling</li> <li>CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution</li> <li>CVE-2019-8325: Escape sequence injection vulnerability in errors</li> </ul> </li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.3.tgz<br /> cba8455df50588dedff3a2daa0d991b6b233aa155d23d82c829968abc169a5f8</li> <li>rubygems-3.0.3.zip<br /> 6eec823241e933ae8edffea77416ca54400c14589cb5462d9c1145fa3cd2cb97</li> <li>rubygems-update-3.0.3.gem<br /> f48afcbb4a9f3f5700ad390f761ea9f06d10815aa6ff91df147415156e6b3f36</li> </ul> 2.7.9 Released 2019-03-05T00:00:00+00:00 http://blog.rubygems.org/2019/03/05/2.7.9-released <p>RubyGems 2.7.9 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>Fixed following vulnerabilities: <ul> <li>CVE-2019-8320: Delete directory using symlink when decompressing tar</li> <li>CVE-2019-8321: Escape sequence injection vulnerability in <code class="language-plaintext highlighter-rouge">verbose</code></li> <li>CVE-2019-8322: Escape sequence injection vulnerability in <code class="language-plaintext highlighter-rouge">gem owner</code></li> <li>CVE-2019-8323: Escape sequence injection vulnerability in API response handling</li> <li>CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution</li> <li>CVE-2019-8325: Escape sequence injection vulnerability in errors</li> </ul> </li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.9.tgz<br /> 8fa1c95d0c6a1c601860a65a71664c84b01b62f9ecd95e7f34f98fd5330cd6ce</li> <li>rubygems-2.7.9.zip<br /> 6d5043f8b1d8fb5b95c066df7820aaa215a7572eefbb7da17cf7d0812895f807</li> <li>rubygems-update-2.7.9.gem<br /> d9fa6973b088227c085aae1a06c834dde8ce155727b30f925f66e19a827216df</li> </ul> December 2018 RubyGems Updates 2019-02-02T00:00:00+00:00 http://blog.rubygems.org/2019/02/02/december-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in December.</p> <h2 id="rubygemsorg-news">rubygems.org news</h2> <p>In RubyGems.org news, lead RubyGems.org maintainer <a href="https://github.com/dwradcliffe">@dwradcliffe</a> completed porting the production RubyGems.org deployment to use Kubernetes! 
This didn’t cause any user-facing changes, but makes it easier for others to develop locally, and will help us with our efforts to avoid downtime.</p> <p>Another major development was <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/">enabling two-factor authentication</a>, a Google Summer of Code project that can greatly improve the security of logging in and publishing new gems, for any gem authors who enable it. (Special thanks to <a href="https://github.com/ecnelises">@ecnelises</a> for his work on this!)</p> <p>In addition to those major developments, we continued to fix bugs, improve translations, and generally keep things humming along.</p> <p>This month, RubyGems.org gained 57 new commits, contributed by 11 authors. There were 1,362 additions and 1,259 deletions across 111 files.</p> <h2 id="rubygems-news">rubygems news</h2> <p>December for RubyGems was also a big milestone: we shipped RubyGems 3.0.0! The biggest changes were S3 sources, multi-threaded gem downloads, support for two-factor authentication, and bundling Bundler 1.17.2.</p> <p>In addition to those big changes, we continued to clean up unused code, improve warning and error messages, and fix bugs.</p> <p>This month, RubyGems gained 149 new commits, contributed by 15 authors. There were 1,699 additions and 1,509 deletions across 270 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> 3.0.2 Released 2019-01-01T00:00:00+00:00 http://blog.rubygems.org/2019/01/01/3.0.2-released <p>RubyGems 3.0.2 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Use Bundler 1.17.3. Pull request #2556 by SHIBATA Hiroshi.</li> <li>Fix document flag description. Pull request #2555 by Luis Sagastume.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix tests when ruby <code class="language-plaintext highlighter-rouge">--program-suffix</code> is used without rubygems <code class="language-plaintext highlighter-rouge">--format-executable</code>. Pull request #2549 by Jeremy Evans.</li> <li>Fix Gem::Requirement equality comparison when the ~&gt; operator is used. Pull request #2554 by Grey Baker.</li> <li>Unset SOURCE_DATE_EPOCH in the test cases. Pull request #2558 by Sorah Fukumori.</li> <li>Restore SOURCE_DATE_EPOCH. 
Pull request #2560 by SHIBATA Hiroshi.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.2.tgz<br /> 7bacd882b258a4efbfdc1e56f34f85ce0ac2e83f1c41dbc9c8e1ac53021366d2</li> <li>rubygems-3.0.2.zip<br /> 3181e37b7add41353e0c82776e82c5fbd17fa8ac6dcedbc6d2ed2693f4c13003</li> <li>rubygems-update-3.0.2.gem<br /> 311dbf1f1d62d59c861be213b03fd326bde81da7f560f89ea170610e013cdbc6</li> </ul> 3.0.1 Released 2018-12-23T00:00:00+00:00 http://blog.rubygems.org/2018/12/23/3.0.1-released <p>RubyGems 3.0.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Ensure globbed files paths are expanded. Pull request #2536 by Tony Ta.</li> <li>Dup the Dir.home string before passing it on. Pull request #2545 by Charles Oliver Nutter.</li> <li>Added permissions to installed files for non-owners. Pull request #2546 by SHIBATA Hiroshi.</li> <li>Restore release task without hoe. 
Pull request #2547 by SHIBATA Hiroshi.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.1.tgz<br /> c0666847b5c5f6a15e0fdaabfaac6ba35f7f7559c0eea5f3d436e28d71e69576</li> <li>rubygems-3.0.1.zip<br /> bfbb10e1b80bb40d46b17f644cde45defd1d925e10ff4646d7a77d98ebf84182</li> <li>rubygems-update-3.0.1.gem<br /> 6b973dfe94f44502084434f5bad6d8ea13c220ea74833334b2906520aed91e43</li> </ul> 3.0.0 Released 2018-12-19T00:00:00+00:00 http://blog.rubygems.org/2018/12/19/3.0.0-released <p>RubyGems 3.0.0 includes major enhancements, minor enhancements, bug fixes, compatibility changes and style changes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Major enhancements:</em></p> <ul> <li>S3 source. Pull request #1690 by Aditya Prakash.</li> <li>Download gems with threads. Pull request #1898 by André Arko.</li> <li>Update to SPDX license list 3.0. Pull request #2152 by Mike Linksvayer.</li> <li>[GSoC] Multi-factor feature for RubyGems. Pull request #2369 by Qiu Chaofan.</li> <li>Use bundler 1.17.2. Pull request #2521 by SHIBATA Hiroshi.</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>Don’t treat inaccessible working directories as build failures. Pull request #1135 by Pete.</li> <li>Remove useless directory parameter from builders .build methods. [rebased]. Pull request #1433 by Kurtis Rainbolt-Greene.</li> <li>Skipping more than one gem in pristine. Pull request #1592 by Henne Vogelsang.</li> <li>Add info command to print information about an installed gem. 
Pull request #2023 by Colby Swandale.</li> <li>Add --[no-]check-development option to cleanup command. Pull request #2061 by Lin Jen-Shin (godfat).</li> <li>Show which gem referenced a missing gem. Pull request #2067 by Artem Khramov.</li> <li>Prevent deleting “bundler-”-prefixed gems like bundler-audit. Pull request #2086 by SHIBATA Hiroshi.</li> <li>Fix rake install_test_deps once the rake clean_env does not exist. Pull request #2090 by Lucas Arantes.</li> <li>Workaround common options mutation in Gem::Command test. Pull request #2098 by Thibault Jouan.</li> <li>Extract a SpecificationPolicy validation class. Pull request #2101 by Olle Jonsson.</li> <li>Handle environment that does not have <code class="language-plaintext highlighter-rouge">flock</code> system call. Pull request #2107 by SHIBATA Hiroshi.</li> <li>Handle the explain option in gem update. Pull request #2110 by Colby Swandale.</li> <li>Add Gem.operating_system_defaults to allow packagers to override defaults. Pull request #2116 by Vít Ondruch.</li> <li>Update for compatibility with new minitest. Pull request #2118 by MSP-Greg.</li> <li>Make Windows bin stubs portable. Pull request #2119 by MSP-Greg.</li> <li>Avoid warnings about gemspec loading in rubygems tests. Pull request #2125 by SHIBATA Hiroshi.</li> <li>Set whether bundler is used for gemdeps with an environment variable. Pull request #2126 by SHIBATA Hiroshi.</li> <li>Titleize “GETTING HELP” in readme. Pull request #2136 by Colby Swandale.</li> <li>Improve the error message given when using --version with multiple gems in the install command. Pull request #2137 by Colby Swandale.</li> <li>Use <code class="language-plaintext highlighter-rouge">File.open</code> instead of <code class="language-plaintext highlighter-rouge">open</code>. Pull request #2142 by SHIBATA Hiroshi.</li> <li>Gem::Util.traverse_parents should not crash on permissions error. Pull request #2147 by Robert Ulejczyk.</li> <li>[Installer] Avoid a #mkdir race condition. 
Pull request #2148 by Samuel Giddins.</li> <li>Allow writing gemspecs from gem unpack to location specified by target option. Pull request #2150 by Colby Swandale.</li> <li>Raise errors in <code class="language-plaintext highlighter-rouge">gem uninstall</code> when a file in a gem could not be removed. Pull request #2154 by Colby Swandale.</li> <li>Remove PID from gem index directory. Pull request #2155 by SHIBATA Hiroshi.</li> <li>Nil guard on <code class="language-plaintext highlighter-rouge">Gem::Specification</code>. Pull request #2164 by SHIBATA Hiroshi.</li> <li>Skip broken test with macOS platform. Pull request #2167 by SHIBATA Hiroshi.</li> <li>Support option for <code class="language-plaintext highlighter-rouge">--destdir</code> with upgrade installer. Pull request #2169 by SHIBATA Hiroshi.</li> <li>Use a constant instead of a hard-coded version. Pull request #2171 by SHIBATA Hiroshi.</li> <li>Add Rake task to install dev dependencies. Pull request #2173 by Ellen Marie Dash.</li> <li>Add new sections to the README and an explanation of what RubyGems is. Pull request #2174 by Colby Swandale.</li> <li>Prefer to use <code class="language-plaintext highlighter-rouge">Numeric#zero?</code> instead of <code class="language-plaintext highlighter-rouge">== 0</code>. Pull request #2176 by SHIBATA Hiroshi.</li> <li>Ignore performance test of version regexp pattern. Pull request #2179 by SHIBATA Hiroshi.</li> <li>Ignore .DS_Store files in the update_manifest task. Pull request #2199 by Colby Swandale.</li> <li>Allow building gems without having to be in the gem folder. Pull request #2204 by Colby Swandale.</li> <li>Added coverage ability used by simplecov. Pull request #2207 by SHIBATA Hiroshi.</li> <li>Improve invalid proxy error message. Pull request #2217 by Luis Sagastume.</li> <li>Simplify home directory detection and platform condition. Pull request #2218 by SHIBATA Hiroshi.</li> <li>Permission options. 
Pull request #2219 by Nobuyoshi Nakada.</li> <li>Improve gemspec and package task. Pull request #2220 by SHIBATA Hiroshi.</li> <li>Prefer to use util_spec in <code class="language-plaintext highlighter-rouge">Gem::TestCase</code>. Pull request #2227 by SHIBATA Hiroshi.</li> <li>[Requirement] Treat requirements with == versions as equal. Pull request #2230 by Samuel Giddins.</li> <li>Add a note for the non-semantically versioned case. Pull request #2242 by David Rodríguez.</li> <li>Keep feature names loaded in the block. Pull request #2261 by Nobuyoshi Nakada.</li> <li>Tweak warning recommendation. Pull request #2266 by David Rodríguez.</li> <li>Show git path in gem env. Pull request #2268 by Luis Sagastume.</li> <li>Add <code class="language-plaintext highlighter-rouge">--env-shebang</code> flag to setup command. Pull request #2271 by James Myers.</li> <li>Support SOURCE_DATE_EPOCH to make gem spec reproducible. Pull request #2278 by Levente Polyak.</li> <li>Chdir back to original directory when building an extension fails. Pull request #2282 by Samuel Giddins.</li> <li>[Rakefile] Add a default task that runs the tests. Pull request #2283 by Samuel Giddins.</li> <li>Support SOURCE_DATE_EPOCH to make gem tar reproducible. Pull request #2289 by Levente Polyak.</li> <li>Reset hooks in test cases. Pull request #2297 by Samuel Giddins.</li> <li>Minor typo: nokogiri. Pull request #2298 by Darshan Baid.</li> <li>Ignore vendored molinillo from code coverage. Pull request #2302 by SHIBATA Hiroshi.</li> <li>Support IO.copy_stream. Pull request #2303 by okkez.</li> <li>Prepare beta release. Pull request #2304 by SHIBATA Hiroshi.</li> <li>Add error message when trying to open a default gem. Pull request #2307 by Luis Sagastume.</li> <li>Add alias command ‘i’ for ‘install’ command. Pull request #2308 by ota42y.</li> <li>Cleanup rdoc task in Rakefile. Pull request #2318 by SHIBATA Hiroshi.</li> <li>Add testcase to test_gem_text.rb. 
Pull request #2329 by Oliver.</li> <li>Gem build strict option. Pull request #2332 by David Rodríguez.</li> <li>Make spec reset more informative. Pull request #2333 by Luis Sagastume.</li> <li>[Rakefile] Set bundler build metadata when doing a release. Pull request #2335 by Samuel Giddins.</li> <li>Speed up globbing relative to given directories. Pull request #2336 by Samuel Giddins.</li> <li>Remove semver gem build warning. Pull request #2351 by David Rodríguez.</li> <li>Expand symlinks in gem path. Pull request #2352 by Benoit Daloze.</li> <li>Normalize comment indentations. Pull request #2353 by David Rodríguez.</li> <li>Add bindir flag to pristine. Pull request #2361 by Luis Sagastume.</li> <li>Add --user-install behaviour to cleanup command. Pull request #2362 by Luis Sagastume.</li> <li>Allow build options to be passed to Rake. Pull request #2382 by Alyssa Ross.</li> <li>Add --re-sign flag to cert command. Pull request #2391 by Luis Sagastume.</li> <li>Fix “interpreted as grouped expression” warning. Pull request #2399 by Colby Swandale.</li> <li>[Gem::Ext::Builder] Comments to aid future refactoring. Pull request #2405 by Ellen Marie Dash.</li> <li>Move CONTRIBUTING.rdoc and POLICIES.rdoc documents to markdown. Pull request #2412 by Colby Swandale.</li> <li>Improve certificate expiration defaults. Pull request #2420 by Luis Sagastume.</li> <li>Freeze all possible constants. Pull request #2422 by Colby Swandale.</li> <li>Fix bundler rubygems binstub not properly looking for bundler. Pull request #2426 by David Rodríguez.</li> <li>Make sure rubygems never leaks to another installation. Pull request #2427 by David Rodríguez.</li> <li>Update README.md. Pull request #2428 by Marc-André Lafortune.</li> <li>Restrict special chars from prefixing new gem names. Pull request #2432 by Luis Sagastume.</li> <li>Remove support for dynamic API backend lookup via DNS SRV records. Pull request #2433 by Arlandis Word.</li> <li>Fix link to CONTRIBUTING.md doc. 
Pull request #2434 by Arlandis Word.</li> <li>Support keyword args with Psych. Pull request #2439 by SHIBATA Hiroshi.</li> <li>Bug/kernel#warn uplevel. Pull request #2442 by Nobuyoshi Nakada.</li> <li>Improve certificate error message. Pull request #2454 by Luis Sagastume.</li> <li>Update gem open command help text. Pull request #2458 by Aditya Prakash.</li> <li>Uninstall with versions. Pull request #2466 by David Rodríguez.</li> <li>Add output option to build command. Pull request #2501 by Colby Swandale.</li> <li>Move rubocop into a separate stage in travis ci. Pull request #2510 by Colby Swandale.</li> <li>Ignore warnings with test_gem_specification.rb. Pull request #2523 by SHIBATA Hiroshi.</li> <li>Support the environment without OpenSSL. Pull request #2528 by SHIBATA Hiroshi.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix undefined method error when printing alert. Pull request #1884 by Robert Ross.</li> <li>Frozen string fix - lib/rubygems/bundler_version_finder.rb. Pull request #2115 by MSP-Greg.</li> <li>Fixed typos. Pull request #2143 by SHIBATA Hiroshi.</li> <li>Fix regression of destdir on Windows platform. Pull request #2178 by SHIBATA Hiroshi.</li> <li>Fixed no assignment variables about default gems installation. Pull request #2181 by SHIBATA Hiroshi.</li> <li>Fix spelling errors in the README. Pull request #2187 by Colby Swandale.</li> <li>Missing comma creates ambiguous meaning. Pull request #2190 by Clifford Heath.</li> <li>Fix getting started instructions. Pull request #2198 by Luis Sagastume.</li> <li>Fix rubygems dev env. Pull request #2201 by Luis Sagastume.</li> <li>Fix #1470: generate documentation when --install-dir is present. Pull request #2229 by Elias Hernandis.</li> <li>Fix activation when multiple platforms installed. Pull request #2339 by MSP-Greg.</li> <li>Fix required_ruby_version with prereleases and improve error message. Pull request #2344 by David Rodríguez.</li> <li>Update tests for ‘newer’ Windows builds. 
Pull request #2348 by MSP-Greg.</li> <li>Fix broken rubocop task by upgrading to 0.58.1. Pull request #2356 by David Rodríguez.</li> <li>Gem::Version should handle nil like it used to before. Pull request #2363 by Luis Sagastume.</li> <li>Avoid needing a C++ compiler to pass the test suite. Pull request #2367 by Vít Ondruch.</li> <li>Fix auto resign expired certificate. Pull request #2380 by Luis Sagastume.</li> <li>Skip permissions-dependent test when root. Pull request #2386 by Alyssa Ross.</li> <li>Fix test that depended on /usr/bin being in PATH. Pull request #2387 by Alyssa Ross.</li> <li>Fix test failure in mswin environment. Pull request #2390 by SHIBATA Hiroshi.</li> <li>Fix broken builds using the correct rubocop version. Pull request #2396 by Luis Sagastume.</li> <li>Fix extension builder failure when verbose. Pull request #2457 by Sorah Fukumori.</li> <li>Fix test warnings. Pull request #2472 by MSP-Greg.</li> <li>The test suite of bundler is not present ruby description. Pull request #2484 by SHIBATA Hiroshi.</li> <li>Fix crash on certain gemspecs. Pull request #2506 by David Rodríguez.</li> <li>Fix test failures with newer versions of OpenSSL. Pull request #2507 by SHIBATA Hiroshi.</li> <li>Fix broken symlink that points to ../*. Pull request #2516 by Akira Matsuda.</li> <li>Fix remote fetcher tests. Pull request #2520 by Luis Sagastume.</li> <li>Fix tests when --program-suffix and similar ruby configure options are used. Pull request #2529 by Jeremy Evans.</li> </ul> <p><em>Compatibility changes:</em></p> <ul> <li>IO.binread is not provided at Ruby 1.8. Pull request #2093 by SHIBATA Hiroshi.</li> <li>Stop publishing rdoc documentation of rubygems to docs.seattlerb.org. Pull request #2105 by SHIBATA Hiroshi.</li> <li>Support pre-release RubyGems. Pull request #2128 by SHIBATA Hiroshi.</li> <li>Relax minitest version for 5. Pull request #2131 by SHIBATA Hiroshi.</li> <li>Remove zentest from dev dependency. 
Pull request #2132 by SHIBATA Hiroshi.</li> <li>Remove hoe for test suite. Pull request #2160 by SHIBATA Hiroshi.</li> <li>Cleanup deprecated tasks. Pull request #2162 by SHIBATA Hiroshi.</li> <li>Drop support for Ruby &lt; 2.2. Pull request #2182 by SHIBATA Hiroshi.</li> <li>Cleanup deprecated style. Pull request #2193 by SHIBATA Hiroshi.</li> <li>Remove CVEs from the rubygems repo. Pull request #2195 by Colby Swandale.</li> <li>Removed needless condition for old version of ruby. Pull request #2206 by SHIBATA Hiroshi.</li> <li>Removed deprecated methods that are past their removal date. Pull request #2216 by SHIBATA Hiroshi.</li> <li>Remove syck support. Pull request #2222 by SHIBATA Hiroshi.</li> <li>Removed needless condition for Encoding. Pull request #2223 by SHIBATA Hiroshi.</li> <li>Removed needless condition for String#force_encoding. Pull request #2225 by SHIBATA Hiroshi.</li> <li>Removed needless OpenSSL patch for Ruby 1.8. Pull request #2243 by SHIBATA Hiroshi.</li> <li>Removed compatibility code for Ruby 1.9.2. Pull request #2244 by SHIBATA Hiroshi.</li> <li>Removed needless version condition for the old ruby. Pull request #2252 by SHIBATA Hiroshi.</li> <li>Remove needless define/respond_to condition. Pull request #2255 by SHIBATA Hiroshi.</li> <li>Use File.realpath directly in Gem::Package. Pull request #2284 by SHIBATA Hiroshi.</li> <li>Removed needless condition for old versions of Ruby. Pull request #2286 by SHIBATA Hiroshi.</li> <li>Remove the --rdoc and --ri options from install/update. Pull request #2354 by Colby Swandale.</li> <li>Move authors assigner to required attributes section of Gem::Specification. Pull request #2406 by Grey Baker.</li> <li>Remove rubyforge_page functionality. Pull request #2436 by Nick Schwaderer.</li> <li>Drop ruby 1.8 support and use IO.popen. Pull request #2441 by Nobuyoshi Nakada.</li> <li>Drop ruby 2.2 support. Pull request #2487 by David Rodríguez.</li> <li>Remove some old compatibility code. 
Pull request #2488 by David Rodríguez.</li> <li>Remove .document from src. Pull request #2489 by Colby Swandale.</li> <li>Remove old version support. Pull request #2493 by Nobuyoshi Nakada.</li> <li>[BundlerVersionFinder] set .filter! and .compatible? to match only on major versions. Pull request #2515 by Colby Swandale.</li> </ul> <p><em>Style changes:</em></p> <ul> <li>Add Rubocop. Pull request #2250 by Colby Swandale.</li> <li>Remove explicit declaration of thread library. Pull request #2324 by SHIBATA Hiroshi.</li> <li>Remove trailing whitespace with rubocop. Pull request #2394 by SHIBATA Hiroshi.</li> <li>Update rubocop and also use correct pessimistic version. Pull request #2404 by Colby Swandale.</li> <li>Enable more rubocop rules. Pull request #2435 by Ellen Marie Dash.</li> <li>Fix and lock rubocop. Pull request #2465 by David Rodríguez.</li> <li>Add a rubocop binstub. Pull request #2468 by David Rodríguez.</li> <li>Restore the <code class="language-plaintext highlighter-rouge">rubocop</code> task. Pull request #2470 by David Rodríguez.</li> <li>Remove trailing blank lines. Pull request #2471 by David Rodríguez.</li> <li>Remove empty lines around method bodies. Pull request #2473 by David Rodríguez.</li> <li>Enable Style/MethodDefParentheses in Rubocop. Pull request #2478 by Colby Swandale.</li> <li>Enable Style/MultilineIfThen in Rubocop. Pull request #2479 by Luis Sagastume.</li> <li>Remove trailing ‘then’ from generated code. 
Pull request #2480 by Luis Sagastume.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-3.0.0.tgz<br /> 04204a3238cebd778ac42755684719c0cad926ca84b2742103a3f8f1e122025c</li> <li>rubygems-3.0.0.zip<br /> e658d2a786734ef8b355506718ece44b726907786ab234a1b48d70068b17a756</li> <li>rubygems-update-3.0.0.gem<br /> 5987f6b12aa22edab74abf381fc5781dc03cb9487f4bc6dd99d6ce1ae1e22ab9</li> </ul> November 2018 RubyGems Updates 2018-12-09T00:00:00+00:00 http://blog.rubygems.org/2018/12/09/november-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in November.</p> <h2 id="rubygemsorg-news">rubygems.org news</h2> <p>In November, we updated 19 dependencies on RubyGems.org, including security updates to rack and activejob. Thanks to a report that came in from HackerOne, we fixed a bug that would allow an attacker to guess an <code class="language-plaintext highlighter-rouge">api_key</code> by sending all of their guesses as an array along with the request, so that a single request tested many keys at once. We also fixed some other issues reported through HackerOne, including missing rate limits on forgotten-password requests, and profile pages being viewable after logout using the browser back button. We also removed the only use of IFrames (GitHub stars), and updated our CSP. Finally, we now have better Dutch translations thanks to <a href="https://github.com/sharkwouter">@sharkwouter</a>, a first-time contributor to RubyGems.org.</p> <p>This month, RubyGems.org gained 37 commits from 6 authors, making changes to 60 files with 1,796 insertions and 1,038 deletions.</p> <h2 id="rubygems-news">rubygems news</h2> <p>RubyGems saw a lot of cleanup and bugfixes this month. 
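</p>
<p>The api_key report in the rubygems.org news above deserves a closer look, because the bug class is easy to reintroduce: a web framework that parses <code>api_key[]=a&amp;api_key[]=b</code> into an Array, combined with a query helper that turns an Array into <code>IN (...)</code>, lets one request test many guesses at once and sidesteps any per-request rate limit. The Ruby below is an added illustration, not rubygems.org's code: the user table, the key values and the small query-string parser are constructed for the example, and <code>where_api_key</code> only mimics what an ORM's <code>where(api_key: value)</code> does for a String versus an Array.</p>

```ruby
# Added illustration of the "api_key sent as an array" bug class from the
# November 2018 update above. Not rubygems.org's code: the user table, the
# key values and the query-string parser are constructed for this example.
require "cgi"

# Constructed sample table: api_key => account handle.
USERS = {
  "k3y-alice-0001" => "alice",
  "k3y-bob-0002"   => "bob",
}.freeze

# Simplified model of Rack/Rails nested-parameter parsing (assumption):
# "api_key=x" yields a String, "api_key[]=x&api_key[]=y" yields an Array.
def parse_params(query)
  query.to_s.split("&").each_with_object({}) do |pair, params|
    raw_key, raw_value = pair.split("=", 2)
    key   = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    if key.end_with?("[]")
      (params[key.delete_suffix("[]")] ||= []) << value
    else
      params[key] = value
    end
  end
end

# Mimics what an ORM does with `where(api_key: value)`: a String becomes
# `api_key = ?`, an Array becomes `api_key IN (?, ?, ...)`, so one request
# carrying N guesses performs an N-way lookup.
def where_api_key(value)
  candidates = Array(value)
  USERS.select { |key, _| candidates.include?(key) }.values
end

# Vulnerable: passes whatever shape the client sent straight to the query,
# so a single request can test many guesses and defeat per-request limits.
def authenticate_vulnerable(params)
  where_api_key(params["api_key"]).first
end

# Hardened: accept exactly one non-empty String and reject every other
# shape (Array, Hash, nil) before the value reaches the query layer.
def authenticate_hardened(params)
  key = params["api_key"]
  return nil unless key.is_a?(String) && !key.empty?
  where_api_key(key).first
end
```

<p>The point of the hardened version is that it validates the parameter's shape, not just its value: a credential parameter must be a single String, and anything else is an authentication failure rather than a lookup with a different SQL operator.</p>
<p>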
We also merged <a href="https://github.com/ecnelises">@ecnelises</a>’s Google Summer of Code Project, which adds support for two-factor authentication to RubyGems.org. 2FA is a huge boost to account security, and once we have everything released and working, we’ll encourage everyone to turn it on. In total, RubyGems gained 125 new commits, contributed by 12 authors. There were 1,532 additions and 1,500 deletions across 268 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> October 2018 RubyGems Updates 2018-11-05T00:00:00+00:00 http://blog.rubygems.org/2018/11/05/october-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in October.</p> <h2 id="rubygemsorg-news">rubygems.org news</h2> <p>In October, we updated 23 dependencies, including the update to Rails 5.2 (thanks <a href="https://github.com/thomasdziedzic">@thomasdziedzic</a>) and a security update to loofah. Thanks to <a href="https://github.com/fwilkens">@fwilkens</a>, we added a new endpoint to our API which can be used to <a href="https://guides.rubygems.org/rubygems-org-api/#get---apiv1timeframe_versionsjson">query for gem updates within a given time range</a>. We also merged improvements to the French and Chinese translations of our site.</p> <p>Early in October, we had to disable the endpoint that powers the reverse dependencies list on the website, because it was interfering with the stability of the rest of the site. We sincerely apologize for any inconvenience. 
We’ve since done significant work to improve that endpoint’s performance, and it is back online. Unfortunately, this meant we had to say goodbye to one of our beloved libraries, will_paginate, which we <a href="https://github.com/rubygems/rubygems.org/pull/1807">replaced with kaminari</a>.</p> <p>We also undertook some refactoring work to improve our Code Climate score, and we are happy to report that our maintainability score is an A!</p> <p>This month, RubyGems.org gained 55 commits from 7 authors, making changes to 72 files with 342 insertions and 1,226 deletions.</p> <h2 id="rubygems-news">rubygems news</h2> <p>RubyGems changes this month included removing the insecure DNS SRV lookups used to discover API backends for gem servers (pull request #2433; thanks <a href="https://github.com/arlandism">@arlandism</a>!), fixing an issue where RubyGems might load files from a different copy of RubyGems on disk (pull request #2427; thanks <a href="https://github.com/deivid-rodriguez">@deivid-rodriguez</a>), and ongoing administration and maintenance. We also merged in changes from ruby-core, improving compatibility with the upcoming Ruby 2.6.</p> <p>This month, RubyGems gained 49 new commits, contributed by 11 authors. There were 747 additions and 604 deletions across 73 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. 
We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> 2.7.8 Released 2018-11-02T00:00:00+00:00 http://blog.rubygems.org/2018/11/02/2.7.8-released <p>RubyGems 2.7.8 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>[Requirement] Treat requirements with == versions as equal. Pull request #2230 by Samuel Giddins.</li> <li>Fix exec_name documentation. Pull request #2239 by Luis Sagastume.</li> <li>[TarHeader] Extract the empty header into a constant. Pull request #2247 by Samuel Giddins.</li> <li>Simplify the code that lets us call the original, non-monkeypatched Kernel#require. Pull request #2267 by Leon Miller-Out.</li> <li>Add install alias documentation. Pull request #2320 by ota42y.</li> <li>[Rakefile] Set bundler build metadata when doing a release. Pull request #2335 by Samuel Giddins.</li> <li>Backport commits from ruby core. Pull request #2347 by SHIBATA Hiroshi.</li> <li>Sign in to the correct host before push. Pull request #2366 by Luis Sagastume.</li> <li>Bump bundler-1.16.4. Pull request #2381 by SHIBATA Hiroshi.</li> <li>Improve bindir flag description. Pull request #2383 by Luis Sagastume.</li> <li>Update bundler-1.16.6. Pull request #2423 by SHIBATA Hiroshi.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix #1470: generate documentation when --install-dir is present. Pull request #2229 by Elias Hernandis.</li> <li>Fix no proxy checking. 
Pull request #2249 by Luis Sagastume.</li> <li>Validate SPDX license exceptions. Pull request #2257 by Mikit.</li> <li>Retry api specification spec with original platform. Pull request #2275 by Luis Sagastume.</li> <li>Fix approximate recommendation with prereleases. Pull request #2345 by David Rodríguez.</li> <li>Gem::Version should handle nil like it used to before. Pull request #2363 by Luis Sagastume.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.8.tgz<br /> f0d04b15a2dcf16c30895839366b0f0735651ade6cdaa424b15c0fe77e2fdf58</li> <li>rubygems-2.7.8.zip<br /> d2c7b16599d8077326c11ae7acf96943e23d5b28668946dba15cc66b285ad8a3</li> <li>rubygems-update-2.7.8.gem<br /> 690ccea28d62f4f4127559de33ac4be1db2cd8714e44f3e1349a84349b6fb021</li> </ul> September 2018 RubyGems Updates 2018-10-15T00:00:00+00:00 http://blog.rubygems.org/2018/10/15/rubygems-september-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in September.</p> <h2 id="rubygemsorg-news">rubygems.org news</h2> <p>This month, we updated seven dependencies on rubygems.org and simplified and sped up some rack-attack integration tests with the help of <a href="https://github.com/mjankowski">@mjankowski</a>. We also discovered that it was possible to create “hidden” gems that would not show up in gem lists, and <a href="https://github.com/kerrizor">@kerrizor</a> implemented a fix. Overall, rubygems.org got 15 commits from 2 authors making 146 additions and 263 deletions across 8 files.</p> <h2 id="rubygems-news">rubygems news</h2> <p>This month, RubyGems merged 12 pull requests, including downloading multiple gems in parallel during install, setting up a new mergebot, and adding a <code class="language-plaintext highlighter-rouge">--re-sign</code> flag to the cert command. 
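</p>
<p>Each release entry above publishes SHA256 checksums for the tarball, the zip and the <code>rubygems-update-*.gem</code>, but they only protect you if you actually compare them before installing a by-hand download. The following Ruby is an added example of that check, not part of RubyGems' own tooling; the checksum table is copied from the 3.0.2, 3.0.1, 3.0.0 and 2.7.8 notes above, and the script name <code>verify.rb</code> is an assumption.</p>

```ruby
# Added example of checking a by-hand RubyGems download against the SHA256
# checksums published in the release notes above. Not part of RubyGems'
# own tooling; the table is copied from the 3.0.2, 3.0.1, 3.0.0 and 2.7.8
# entries, and the script name in the usage comment is an assumption.
require "digest"

PUBLISHED_SHA256 = {
  "rubygems-update-3.0.2.gem" => "311dbf1f1d62d59c861be213b03fd326bde81da7f560f89ea170610e013cdbc6",
  "rubygems-update-3.0.1.gem" => "6b973dfe94f44502084434f5bad6d8ea13c220ea74833334b2906520aed91e43",
  "rubygems-update-3.0.0.gem" => "5987f6b12aa22edab74abf381fc5781dc03cb9487f4bc6dd99d6ce1ae1e22ab9",
  "rubygems-update-2.7.8.gem" => "690ccea28d62f4f4127559de33ac4be1db2cd8714e44f3e1349a84349b6fb021",
}.freeze

# Checksums copied from a web page often carry line breaks and mixed case;
# strip whitespace and lower-case them before comparing.
def normalize_hex(hex)
  hex.to_s.gsub(/\s+/, "").downcase
end

# Streams the file through SHA-256 so a large archive need not fit in memory.
def sha256_of_file(path)
  Digest::SHA256.file(path).hexdigest
end

# Compares the file's digest with the expected value. Raises on a malformed
# expected value so a truncated copy/paste cannot silently "match" nothing.
def verify_download(path, expected_hex)
  expected = normalize_hex(expected_hex)
  unless expected.match?(/\A[0-9a-f]{64}\z/)
    raise ArgumentError, "expected a 64-hex-digit SHA256, got #{expected.inspect}"
  end
  actual = sha256_of_file(path)
  { ok: actual == expected, expected: expected, actual: actual, path: path }
end

# Looks the expected value up by basename; a file with no published
# checksum fails closed instead of being waved through.
def verify_published(path, table = PUBLISHED_SHA256)
  name = File.basename(path)
  expected = table[name]
  unless expected
    return { ok: false, expected: nil, actual: nil, path: path,
             error: "no published checksum for #{name}" }
  end
  verify_download(path, expected)
end

# Usage (script name is an assumption): ruby verify.rb rubygems-update-3.0.2.gem
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  result = verify_published(ARGV.fetch(0))
  if result[:ok]
    puts "OK #{result[:path]} #{result[:actual]}"
    puts "Now run: gem install --local #{result[:path]}"
  else
    message = result[:error] || "expected #{result[:expected]}, got #{result[:actual]}"
    warn "FAILED #{result[:path]}: #{message}"
    exit 1
  end
end
```

<p>Run it against the downloaded file and only then <code>gem install --local</code> it. The lookup is by basename, so renaming a file to a name with a published checksum does not help an attacker (the digest still has to match), while a file with no published value is rejected rather than assumed good.</p>
<p>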
There were 26 new commits, contributed by 6 authors, with 251 additions and 163 deletions across 28 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> August 2018 RubyGems Updates 2018-09-10T00:00:00+00:00 http://blog.rubygems.org/2018/09/10/rubygems-august-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in August.</p> <h2 id="rubygemsorg-news">rubygems.org news</h2> <p>In August, we blacklisted several gems with names that were close to other popular gems, in response to CVE-2018-3779. We’re starting to investigate ways to protect RubyGems.org from malicious gems—if you’re interested in helping work on that, let us know! 
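</p>
<p>The look-alike names mentioned above are the classic typosquatting pattern: a one-character edit, a swapped pair of letters, or a <code>-</code> where the real gem has a <code>_</code>. The Ruby below is an added illustration of the kind of similarity check that can flag such names at registration time; it is not rubygems.org's blacklist logic, and the popular-gem list is a constructed sample.</p>

```ruby
# Added illustration of a name-similarity check for look-alike gem names,
# the pattern behind the August 2018 blacklisting above. Not rubygems.org's
# code; the "popular" list is a constructed sample.
POPULAR_GEMS = %w[rails rake nokogiri bundler rack activesupport].freeze

# Canonical form (assumption): compare case-insensitively and treat "_"
# and "-" as the same character, a common squatting substitution.
def canonical(name)
  name.to_s.downcase.tr("_", "-")
end

# Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
# insertion, deletion, substitution and swapping two adjacent characters
# each cost 1, so "rials" is one edit away from "rails".
def edit_distance(a, b)
  a = a.chars
  b = b.chars
  d = Array.new(a.size + 1) { |i| Array.new(b.size + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) } }
  (1..a.size).each do |i|
    (1..b.size).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.size][b.size]
end

# Returns the protected gem a candidate name is suspiciously close to, or
# nil. A name that IS a protected gem (modulo case and -/_) is not a squat,
# it is simply taken, so it is never reported as a look-alike.
def lookalike_of(candidate, popular = POPULAR_GEMS, max_distance: 1)
  c = canonical(candidate)
  canon = popular.map { |p| [p, canonical(p)] }
  return nil if canon.any? { |_, cp| cp == c }
  hit = canon.find { |_, cp| edit_distance(c, cp) <= max_distance }
  hit && hit.first
end

# Gate for a hypothetical push of a brand-new gem name: hold anything that
# collides with a protected name for manual review instead of publishing it.
def registration_decision(candidate, popular = POPULAR_GEMS)
  target = lookalike_of(candidate, popular)
  target ? { allow: false, reason: "too close to #{target}" } : { allow: true, reason: nil }
end
```

<p>A hit is a reason to hold the name for review, not proof of malice (<code>rails2</code> is as close to <code>rails</code> as a squat would be), so the distance threshold and the list of protected names are the knobs to tune.</p>
<p>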
We also reviewed and merged performance improvements to the “rubygems#show” and “version#index” pages, contributed by <a href="https://github.com/nateberkopec">@nateberkopec</a>.</p> <p>In total, RubyGems.org gained 11 commits from 5 authors, making 44 additions and 35 deletions across 8 files.</p> <h2 id="rubygems-news">rubygems news</h2> <p>In RubyGems, we fixed some bugs, including the ability to <a href="https://github.com/rubygems/rubygems/pull/2380">auto re-sign expired certs</a>, fixed some tests, and made sure that gems with <code class="language-plaintext highlighter-rouge">allowed_push_host</code> set will be pushed to the correct host by <code class="language-plaintext highlighter-rouge">gem push</code>.</p> <p>In total there were 19 new commits, contributed by 5 authors, with 112 additions and 26 deletions across 13 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> July 2018 RubyGems Updates 2018-08-10T00:00:00+00:00 http://blog.rubygems.org/2018/08/10/rubygems-july-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in July.</p> <h2 id="rubygemsorg-news">rubygems.org news</h2> <p>In July, we updated 15 dependencies in RubyGems.org, and we released the alpha version of <a href="https://github.com/rubygems/rubygems.org/pull/1729">two-factor authentication</a> for logging into the website. 
If you’d like to try it now, enable it by running <code class="language-plaintext highlighter-rouge">document.cookie='mfa_feature=true;path=/'</code> in your browser console. We’re working on adding support for multiple factors to the CLI as well, and you should see more updates on it next month. We also fixed a few small bugs around the dashboard and Atom feeds for users who are logged out.</p> <p>This month, RubyGems.org gained 38 commits from 4 authors, making 1,124 additions and 183 deletions across 84 files.</p> <h2 id="rubygems-news">rubygems news</h2> <p>RubyGems saw better symlink handling, some improved warning messages, and better testing on Windows. We also made the flags for the <code class="language-plaintext highlighter-rouge">pristine</code> and <code class="language-plaintext highlighter-rouge">cleanup</code> commands more consistent with the existing <code class="language-plaintext highlighter-rouge">install</code> command, and did some code cleanup. Finally, we imported some fixes from ruby-core to make sure RubyGems continues to work when OpenSSL is not available in Ruby.</p> <p>This month, RubyGems gained 70 new commits, contributed by 9 authors. There were 429 additions and 186 deletions across 41 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> June 2018 RubyGems Updates 2018-07-12T00:00:00+00:00 http://blog.rubygems.org/2018/07/12/rubygems-june-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. 
Read on to find out what updates were made to RubyGems and RubyGems.org in June.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In June, we updated over 25 dependencies, including nokogiri and the sprockets security release, and updated to Rails 5.1. We also fixed a longstanding and frustrating issue where multiple CI builds pushing a new gem version at the same time could result in a checksum error when trying to install the new version. On June 27, we deprecated the “gem edit” page and it will be removed altogether on July 10.</p> <p>Instead of editing gem metadata at rubygems.org, we recommend using the gem specification itself. Use <a href="https://guides.rubygems.org/specification-reference/#metadata"><code class="language-plaintext highlighter-rouge">Gem::Specification#metadata</code></a> to set links to a gem’s homepage, changelog, documentation, and other websites. This will help us reduce the complexity of rubygems.org by making <code class="language-plaintext highlighter-rouge">Gem::Specification#metadata</code> the single source of truth, and it will also allow gem owners to set different URLs by version.</p> <p>This month, rubygems.org saw 28 commits making 159 additions and 74 deletions across 29 files.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>RubyGems saw a lot of activity this month, with 29 merged pull requests. Changes included some support for the upcoming Ruby 2.7, test improvements, a fix for a leaking tempfile, better support for frozen string literals, and better support for case-insensitive file systems. We also added more deprecations for the upcoming 3.0 release, improved the way RubyGems interacts with Bundler 1.16.2 and the upcoming 2.0, and fixed some edge cases with stub gem specifications. 
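Returning to the recommendation above to keep links in <code class="language-plaintext highlighter-rouge">Gem::Specification#metadata</code> rather than editing them on the site: the following is an added example written for this page, not code from RubyGems or RubyGems.org. The gem name and URLs are made up; the list of link keys is the one the specification reference documents for the site (assumed here); and <code class="language-plaintext highlighter-rouge">metadata_problems</code> is this example's own restatement of the rules RubyGems applies to metadata (string keys and values, length limits, and <code class="language-plaintext highlighter-rouge">*_uri</code> values that must be http(s) URLs), not the project's validator.

```ruby
require "rubygems"
require "uri"

# Keys RubyGems.org reads from Gem::Specification#metadata to render links on a gem's page.
# Assumed list for this example; see https://guides.rubygems.org/specification-reference/#metadata.
LINK_KEYS = %w[
  homepage_uri source_code_uri changelog_uri documentation_uri
  bug_tracker_uri wiki_uri mailing_list_uri
].freeze

# A gemspec carrying per-version links, the replacement for the retired "gem edit" page.
# "example-gem" and the example.com URLs are hypothetical.
def example_spec(version)
  Gem::Specification.new do |s|
    s.name    = "example-gem"
    s.version = version
    s.summary = "Example gem for demonstrating metadata links"
    s.authors = ["Example Author"]
    s.files   = []
    s.homepage = "https://example.com/example-gem"
    s.metadata = {
      "homepage_uri"      => s.homepage,
      "source_code_uri"   => "https://example.com/example-gem/tree/v#{version}",
      "changelog_uri"     => "https://example.com/example-gem/blob/v#{version}/CHANGELOG.md",
      "documentation_uri" => "https://example.com/example-gem/#{version}/docs",
    }
  end
end

# Checks mirroring RubyGems' metadata validation (assumed rules): String keys and values,
# keys <= 128 chars, values <= 1024 chars, and any *_uri value a valid http(s) URL.
# Returns a list of problems; an empty list means the metadata would be accepted.
def metadata_problems(metadata)
  problems = []
  metadata.each do |key, value|
    unless key.is_a?(String) && value.is_a?(String)
      problems << "#{key.inspect}: keys and values must be Strings"
      next
    end
    problems << "#{key}: key longer than 128 characters" if key.length > 128
    problems << "#{key}: value longer than 1024 characters" if value.length > 1024
    next unless key.end_with?("_uri")

    uri = (URI.parse(value) rescue nil)
    # URI::HTTPS is a subclass of URI::HTTP, so this accepts both schemes and rejects e.g. javascript:
    unless uri.is_a?(URI::HTTP) && uri.host
      problems << "#{key}: #{value.inspect} is not an http(s) URL"
    end
  end
  problems
end

# The links RubyGems.org would show for this version: recognised keys only.
def link_metadata(spec)
  spec.metadata.select { |key, _| LINK_KEYS.include?(key) }
end
```

Because the URLs are computed from the version inside the gemspec, every release ships with links pointing at its own tag, which is the per-version behaviour the post describes; running <code class="language-plaintext highlighter-rouge">metadata_problems</code> locally catches a bad link before the spec is built and pushed.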
We shipped most of those changes by releasing RubyGems 2.7.7 on June 8.</p> <p>After releasing 2.7.7, we merged several fixes for installing gems directly from an AWS S3 bucket source, improved some warning messages, and fixed issues activating gems when the same gem is installed for more than one platform at once.</p> <p>In total, RubyGems gained 67 new commits, contributed by 12 authors. There were 439 additions and 62 deletions across 24 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementations, writing and/or updating documentation, and bug triage.</p> May 2018 RubyGems Updates 2018-06-07T00:00:00+00:00 http://blog.rubygems.org/2018/06/07/rubygems-may-2018-update <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in May.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>RubyGems.org saw 17 gem updates and performance improvements for the search page. In addition, <a href="https://github.com/rubygems/rubygems.org/commit/8de0296d1222e9819ca3a70f678baca0484b99b1">we revised the site footer</a> to better clarify how Ruby Central, Ruby Together, and Fastly work together on RubyGems.org.</p> <p>This month, RubyGems.org gained 27 new commits, contributed by 7 authors. There were 218 additions and 215 deletions across 13 files.</p> <h2 id="rubygems-news">RubyGems News</h2> <p>RubyGems saw several bug fixes, support for reproducible gem builds, a new command alias <code class="language-plaintext highlighter-rouge">i</code> for <code class="language-plaintext highlighter-rouge">install</code>, and a pre-release of version 3. 
It gained 25 new commits, contributed by 4 authors. There were 132 additions and 80 deletions across 21 files.</p> 2.7.7 Released 2018-05-18T00:00:00+00:00 http://blog.rubygems.org/2018/05/18/2.7.7-released <p>RubyGems 2.7.7 includes minor enhancements, bug fixes and compatibility changes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>[RequestSet] Only suggest a gem version with an installable platform. Pull request #2175 by Samuel Giddins.</li> <li>Fixed no assignment variables about default gems installation. Pull request #2181 by SHIBATA Hiroshi.</li> <li>Backport improvements for test-case from Ruby core. Pull request #2189 by SHIBATA Hiroshi.</li> <li>Fix ruby warnings in test suite. Pull request #2205 by Colby Swandale.</li> <li>To use Gem::Specification#bindir of bundler instead of hard coded path. Pull request #2208 by SHIBATA Hiroshi.</li> <li>Update <code class="language-plaintext highlighter-rouge">gem push --help</code> description. Pull request #2215 by Luis Sagastume.</li> <li>Backport ruby core commits. Pull request #2264 by SHIBATA Hiroshi.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Frozen string fix - lib/rubygems/bundler_version_finder.rb. Pull request #2115 by MSP-Greg.</li> <li>Fixed tempfile leak for RubyGems 2.7.6. Pull request #2194 by SHIBATA Hiroshi.</li> <li>Add missing requires. Pull request #2196 by David Rodríguez.</li> <li>Fix Gem::Version.correct?. Pull request #2203 by Masato Nakamura.</li> <li>Fix verify_entry regex for metadata. 
Pull request #2212 by Luis Sagastume.</li> <li>Fix path checks for case insensitive filesystem. Pull request #2211 by Lars Kanis.</li> </ul> <p><em>Compatibility changes:</em></p> <ul> <li>Deprecate unused code before removing them at #1524. Pull request #2197 by SHIBATA Hiroshi.</li> <li>Deprecate for rubygems 3. Pull request #2214 by SHIBATA Hiroshi.</li> <li>Mark deprecation to <code class="language-plaintext highlighter-rouge">ubygems.rb</code> for RubyGems 4. Pull request #2269 by SHIBATA Hiroshi.</li> <li>Update bundler-1.16.2. Pull request #2291 by SHIBATA Hiroshi.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.7.tgz<br /> 4cb2c9a36c0e4a3d5c20eb6795638632858fd72236d281963140221946ab55cb</li> <li>rubygems-2.7.7.zip<br /> f1eb64674fd8e3792e42f9936ca568f5059f35d77b921d2091eb76a73e4a7817</li> <li>rubygems-update-2.7.7.gem<br /> 1df4c1883656593eb1b48f572a085f16f73e7c759e69dcafe26189a6eca7cc0f</li> </ul> March 2018 RubyGems Updates 2018-04-09T00:00:00+00:00 http://blog.rubygems.org/2018/04/09/rubygems-march-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in March.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>This month, RubyGems.org saw ongoing system updates, security patches, and general maintenance. Thank you <a href="https://github.com/dwradcliffe">@dwradcliffe</a> for all your hard work!</p> <h2 id="rubygems-news">RubyGems News</h2> <p>RubyGems saw another 25 pull requests merged in March. We started <a href="https://github.com/rubygems/rubygems/pull/2182">implementing the plan for RubyGems 3</a>, <a href="https://github.com/rubygems/rubygems/pull/2242">improved a common and annoying warning</a>, and fixed many, many bugs.</p> <p>In March, RubyGems gained 73 new commits, contributed by 8 authors. 
There were 860 additions and 1,092 deletions across 66 files.</p> <p>Learn more about contributing to RubyGems by visiting the <a href="https://github.com/rubygems/rubygems/blob/master/CONTRIBUTING.rdoc#how-to-contribute">RubyGems Contributing Guide</a>. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and/or updating documentation, and bug triage.</p> February 2018 RubyGems Updates 2018-03-09T00:00:00+00:00 http://blog.rubygems.org/2018/03/09/rubygems-february-2018-updates <p>Welcome to the RubyGems monthly update! As part of our efforts at <a href="http://rubytogether.org">Ruby Together</a>, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in February.</p> <h2 id="rubygemsorg-news">RubyGems.org News</h2> <p>In February, we continued to apply security patches and other updates to the servers running RubyGems.org. We also made progress on a new project, collecting metrics from the server logs about what Ruby, RubyGems, and Bundler versions are being actively used. Hopefully we’ll have something to show everyone next month!</p> <h2 id="rubygems-news">RubyGems News</h2> <p>RubyGems saw a lot of activity this month, including the 2.7.5 and 2.7.6 releases, with <em>tons</em> of bug fixes. The 2.7.6 release contained some <a href="https://blog.rubygems.org/2018/02/15/2.7.6-released.html">critical security fixes</a>, and is a strongly recommended upgrade. 
Get out there and run <code class="language-plaintext highlighter-rouge">gem update --system</code> today!</p> <p>On top of releasing new code, we also managed to <a href="https://github.com/rubygems/rubygems/pull/2202">write out the Ruby version support and release policies</a>, and <a href="https://github.com/rubygems/rubygems/pull/2182#issuecomment-364631805">draft a minimally disruptive plan for RubyGems 3 and 4</a>.</p> <p>In total, RubyGems gained 130 new commits, contributed by 12 authors. There were 755 additions and 340 deletions across 50 files.</p> TLS 1.0 and 1.1 Deprecation Notice 2018-02-24T00:00:00+00:00 http://blog.rubygems.org/2018/02/24/tls-10-and-11-deprecation-notice <p>Security is one of our top concerns for RubyGems.org. It’s a constant balance between providing easy access for all users and providing only the most secure ways of connecting. For the last few years, we’ve continued to allow several outdated, insecure, and weak cryptographic standards.</p> <p>With this post, we are announcing the immediate deprecation and future disabling of TLSv1 and TLSv1.1 for all HTTPS connections to RubyGems.org. Both TLSv1 and TLSv1.1 will be disabled, and TLSv1.2 will be required, starting on <strong>April 30th, 2018</strong>.</p> <p>As of February 2018, almost all HTTPS traffic to RubyGems.org already uses TLSv1.2. Based on current usage statistics, we expect this cutoff to impact less than 1.5% of requests made to RubyGems.org.</p> <h3 id="why-disable-old-versions-of-tls">Why disable old versions of TLS?</h3> <p>There are several reasons, but ultimately all of the reasons come down to keeping HTTPS connections as secure as they claim to be. Connections that use TLSv1.0 or TLSv1.1 are no longer considered fully secure by the industry, and it is misleading to allow “secure” connections that are not truly secure.</p> <p>The various security issues with older versions of TLS have resulted in industry-wide changes to stop supporting them. 
The <a href="https://www.pcisecuritystandards.org">PCI Security Standards Council</a> has mandated that any website that processes payments <a href="https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf">must stop using TLSv1.0 or TLSv1.1</a>. As a result of those requirements, developer websites like GitHub are also <a href="https://githubengineering.com/crypto-removal-notice/">removing support for older TLS versions</a>. Additionally, our upstream provider Fastly will be <a href="https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan">removing support for older TLS versions</a> no later than June 30, 2018.</p> <p>While we don’t process payments directly on RubyGems.org, we serve code that is used to process payments. To keep our users secure, we will be adopting the same security standards as the PCI SSC and the rest of the industry.</p> <h3 id="compatibility-check-and-troubleshooting">Compatibility check and troubleshooting</h3> <p>We have created an <a href="https://github.com/indirect/ruby-ssl-check/blob/master/check.rb">automatic SSL check</a> to tell you whether your Ruby will be able to connect to RubyGems.org after April 30. To run that script immediately, use this command: <code class="language-plaintext highlighter-rouge">$ curl -sL https://git.io/vQhWq | ruby</code>. As with any command that pipes a download straight into an interpreter, you can instead save the script to a file and read it before running it; the full source is in the linked repository. If you’d like more details about the situation, including troubleshooting steps if you run into problems, check out the <a href="http://bundler.io/v1.16/guides/rubygems_tls_ssl_troubleshooting_guide.html#why-am-i-seeing-read-server-hello-a">Bundler and RubyGems TLS/SSL troubleshooting guide</a>.</p> <h3 id="known-incompatible-clients">Known incompatible clients</h3> <p>Ruby linked against OpenSSL versions 1.0.0t or lower will not be able to connect to RubyGems.org. This is because support for TLSv1.2 was added in OpenSSL 1.0.1, released March 12, 2012. 
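Beyond the one-line version check that follows, here is an added example (this editor's code, not the RubyGems project's check script) that does two things: it parses the OpenSSL banner to apply the 1.0.1 rule just stated, and it then demonstrates the cutoff itself on a loopback server configured to accept TLSv1.2 or newer, once with a client capped at TLSv1.1 and once with an unrestricted client. The certificate is generated in-process and <code class="language-plaintext highlighter-rouge">VERIFY_NONE</code> is used only because of that; nothing here contacts RubyGems.org. It assumes a Ruby whose openssl extension has <code class="language-plaintext highlighter-rouge">min_version=</code>/<code class="language-plaintext highlighter-rouge">max_version=</code> (openssl gem 2.1, bundled since Ruby 2.5).

```ruby
require "openssl"
require "socket"

# Parses the OpenSSL::OPENSSL_LIBRARY_VERSION banner, e.g. "OpenSSL 1.0.1f 6 Jan 2014", into [major, minor, patch].
def openssl_version_triple(banner = OpenSSL::OPENSSL_LIBRARY_VERSION)
  m = banner.match(/(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised OpenSSL banner: #{banner.inspect}" unless m
  m.captures.map(&:to_i)
end

# TLSv1.2 arrived in OpenSSL 1.0.1; every LibreSSL release has had it.
def tls12_capable_library?(banner = OpenSSL::OPENSSL_LIBRARY_VERSION)
  return true if banner.start_with?("LibreSSL")
  (openssl_version_triple(banner) <=> [1, 0, 1]) >= 0
end

# Throwaway self-signed certificate for the loopback server (generated here for the example only).
def self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# One handshake against a loopback server that, like RubyGems.org after the cutoff, accepts TLSv1.2 or newer only.
# Returns the protocol the client negotiated ("TLSv1.2" or "TLSv1.3") or :handshake_failed.
def handshake_against_tls12_only_server(key, cert, client_max_version: nil)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.key = key
  server_ctx.cert = cert
  server_ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION # the policy under test

  tcp = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLServer.new(tcp, server_ctx).accept.close
    rescue StandardError
      nil # a rejected legacy client surfaces here as an SSLError or an EOF
    end
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # only because the test cert is self-signed; keep VERIFY_PEER for real hosts
  sock = TCPSocket.new("127.0.0.1", tcp.addr[1])
  begin
    client_ctx.max_version = client_max_version if client_max_version # simulate a client stuck on an old TLS
    ssl = OpenSSL::SSL::SSLSocket.new(sock, client_ctx)
    ssl.connect
    ssl.ssl_version
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
    :handshake_failed
  ensure
    ssl&.close
    sock.close unless sock.closed?
    server.join(5)
    tcp.close
  end
end

def tls_cutoff_demo
  key, cert = self_signed_cert
  {
    library: OpenSSL::OPENSSL_LIBRARY_VERSION,
    library_tls12_capable: tls12_capable_library?,
    legacy_client: handshake_against_tls12_only_server(key, cert, client_max_version: OpenSSL::SSL::TLS1_1_VERSION),
    modern_client: handshake_against_tls12_only_server(key, cert),
  }
end

puts tls_cutoff_demo.inspect if $PROGRAM_NAME == __FILE__
```

On a current OpenSSL the capped client fails before it even sends a ClientHello (the library refuses to offer TLSv1.1 at its default security level); on OpenSSL 1.1.x it sends the hello and receives a protocol_version alert from the server. Either way the result is <code class="language-plaintext highlighter-rouge">:handshake_failed</code>, which is what a RubyGems client on an old OpenSSL sees after the cutoff, while the unrestricted client negotiates TLSv1.2 or TLSv1.3.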
You can check the version of OpenSSL that your Ruby links against by running <code class="language-plaintext highlighter-rouge">ruby -ropenssl -e 'puts OpenSSL::OPENSSL_LIBRARY_VERSION'</code>.</p> <p>JRuby running on JVM 6 or lower will not be able to connect to RubyGems.org. This is because the JVM added support for TLSv1.2 in Java 7, released July 28, 2011. You can check your Java version by running <code class="language-plaintext highlighter-rouge">java -version</code>, and looking for text like <code class="language-plaintext highlighter-rouge">java version "1.7.0_71"</code>. If you are running Java 7, the version number will start with 1.7.</p> <h3 id="further-help">Further help</h3> <p>If you are unable to connect to RubyGems.org after April 30, 2018, please refer to the <a href="http://bundler.io/v1.16/guides/rubygems_tls_ssl_troubleshooting_guide.html#additional-help">additional help section of the guide</a> for instructions on how to troubleshoot the issue, and how to open a ticket if necessary.</p> 2.7.6 Released 2018-02-15T00:00:00+00:00 http://blog.rubygems.org/2018/02/15/2.7.6-released <p>RubyGems 2.7.6 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin and David Fifield, fixed by Jonathan Claudius and Samuel Giddins.</li> <li>Fix possible Unsafe Object Deserialization Vulnerability in gem owner. 
Fixed by Jonathan Claudius.</li> <li>Strictly interpret octal fields in tar headers. Discovered by plover, fixed by Samuel Giddins.</li> <li>Raise a security error when there are duplicate files in a package. Discovered by plover, fixed by Samuel Giddins.</li> <li>Enforce URL validation on spec homepage attribute. Discovered by Yasin Soliman, fixed by Jonathan Claudius.</li> <li>Mitigate XSS vulnerability in homepage attribute when displayed via <code class="language-plaintext highlighter-rouge">gem server</code>. Discovered by Yasin Soliman, fixed by Jonathan Claudius.</li> <li>Prevent Path Traversal issue during gem installation. Discovered by nmalkin and David Fifield.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.6.tgz<br /> 67f714a582a9ce471bbbcb417374ea9cf9c061271c865dbb0d093f3bc3371eeb</li> <li>rubygems-2.7.6.zip<br /> d6faa4cdde966db45f3e8d9d517f13bad511f7f0042b448688513ab4fb92d598</li> <li>rubygems-update-2.7.6.gem<br /> ee5ef219ac97f5499c31e6071eae424c3265620ece33b5cc66e09fa30f22086a</li> </ul> 2.7.5 Released 2018-02-06T00:00:00+00:00 http://blog.rubygems.org/2018/02/06/2.7.5-released <p>RubyGems 2.7.5 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>To use bundler-1.16.1 #2121 by SHIBATA Hiroshi.</li> <li>Fixed leaked FDs. Pull request #2127 by Nobuyoshi Nakada.</li> <li>Support option for <code class="language-plaintext highlighter-rouge">--destdir</code> with upgrade installer. #2169 by Thibault Jouan.</li> <li>Remove PID from gem index directory. 
#2155 by SHIBATA Hiroshi.</li> <li>Avoid a #mkdir race condition #2148 by Samuel Giddins.</li> <li>Gem::Util.traverse_parents should not crash on permissions error #2147 by Robert Ulejczyk.</li> <li>Use <code class="language-plaintext highlighter-rouge">File.open</code> instead of <code class="language-plaintext highlighter-rouge">open</code>. #2142 by SHIBATA Hiroshi.</li> <li>Set whether bundler is used for gemdeps with an environmental variable #2126 by SHIBATA Hiroshi.</li> <li>Fix undefined method error when printing alert #1884 by Robert Ross.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.5.tgz<br /> 38e02c26ef524688dff1a21075297ce0be6543e12c8210ac6c075dc78983c403</li> <li>rubygems-2.7.5.zip<br /> 7babef9df5376a6c1573c1d03ed47a2a21765cde875c12401f9f210688b155d4</li> <li>rubygems-update-2.7.5.gem<br /> 0118283da75d6895ddfa3028496330fd314586166442e10de401cb99757c1cdd</li> </ul> 2.7.4 Released 2017-12-25T00:00:00+00:00 http://blog.rubygems.org/2017/12/25/2.7.4-released <p>RubyGems 2.7.4 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed leaked FDs. Pull request #2127 by Nobuyoshi Nakada.</li> <li>Avoid to warnings about gemspec loadings in rubygems tests. Pull request #2125 by SHIBATA Hiroshi.</li> <li>Fix updater with rubygems-2.7.3 Pull request #2124 by SHIBATA Hiroshi.</li> <li>Handle environment that does not have <code class="language-plaintext highlighter-rouge">flock</code> system call. 
Pull request #2107 by SHIBATA Hiroshi.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.4.tgz<br /> bbe35ce6646e4168fcb1071d5f83b2d1154924f5150df0f5fca0f37d2583a182</li> <li>rubygems-2.7.4.zip<br /> 4d2bf70700f4864c806b375d593c25a58c291488f7e121b3ad4fa0ab635efdca</li> <li>rubygems-update-2.7.4.gem<br /> 492c481e20e2a784ddc919802d0ce56f3bf3ecf4fab25434934fac3825dc4bb9</li> </ul> 2.7.3 Released 2017-11-28T00:00:00+00:00 http://blog.rubygems.org/2017/11/28/2.7.3-released <p>RubyGems 2.7.3 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Removed needless version lock. Pull request #2074 by SHIBATA Hiroshi.</li> <li>Add –[no-]check-development option to cleanup command. Pull request #2061 by Lin Jen-Shin (godfat).</li> <li>Merge glob pattern using braces. Pull request #2072 by Kazuhiro NISHIYAMA.</li> <li>Removed warnings of unused variables. Pull request #2084 by SHIBATA Hiroshi.</li> <li>Call SPDX.org using HTTPS. Pull request #2102 by Olle Jonsson.</li> <li>Remove multi load warning from plugins documentation. Pull request #2103 by Thibault Jouan.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix test failure on Alpine Linux. Pull request #2079 by Ellen Marie Dash.</li> <li>Avoid encoding issues by using binread in setup. Pull request #2089 by Mauro Morales.</li> <li>Fix rake install_test_deps once the rake clean_env does not exist. 
Pull request #2090 by Lucas Oliveira.</li> <li>Prevent deleting gems with the “bundler-” prefix, like bundler-audit. Pull request #2086 by SHIBATA Hiroshi.</li> <li>Generate .bat files on Windows platform. Pull request #2094 by SHIBATA Hiroshi.</li> <li>Workaround common options mutation in Gem::Command test. Pull request #2098 by Thibault Jouan.</li> <li>Check gems dir existence before removing bundler. Pull request #2104 by Thibault Jouan.</li> <li>Use setup command <code class="language-plaintext highlighter-rouge">--regenerate-binstubs</code> option flag. Pull request #2099 by Thibault Jouan.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.3.tgz<br /> cf234e4f1ffeb7cad951f2f87cd426132c6106bb6e303073c4bc9eaae6b3400b</li> <li>rubygems-2.7.3.zip<br /> 9ff7e11153e81d97b97e1882488036934b3109fd4dfaa51a7bb176f1fd260370</li> <li>rubygems-update-2.7.3.gem<br /> 49b624f7b4cdc29b06cc30c1b27531c89404050cb33a51f3d49c61aa9a2a2773</li> </ul> 2.7.2 Released 2017-11-08T00:00:00+00:00 http://blog.rubygems.org/2017/11/08/2.7.2-released <p>RubyGems 2.7.2 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Added template files to vendored bundler. Pull request #2065 by SHIBATA Hiroshi.</li> <li>Added workaround for non-git environment. 
Pull request #2066 by SHIBATA Hiroshi.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.2.tgz<br /> 715d0c1450146c700528b7f135d05030674f41b4eb2886ec40f8869ce7fedad3</li> <li>rubygems-2.7.2.zip<br /> 34ca397cd389b34db4619b614dd6da034ceabe1298ec9c67f107f3c8a4d9c84a</li> <li>rubygems-update-2.7.2.gem<br /> 49d49c8cfd3677aff90546360ea2c4848cbb4a86159edb6c5441079b506405a6</li> </ul> 2.7.1 Released 2017-11-03T00:00:00+00:00 http://blog.rubygems.org/2017/11/03/2.7.1-released <p>RubyGems 2.7.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">gem update --system</code> with RubyGems 2.7+. 
Pull request #2054 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.1.tgz<br /> b5edd299eb12e503f2f4a47c1c5766ce8cca6711a894eb22f5142f5e9ce0048a</li> <li>rubygems-2.7.1.zip<br /> dcaa7d23a0d7d3338ba2465d4156e312c90567c258a6ecc71d31238d50f5222e</li> <li>rubygems-update-2.7.1.gem<br /> 434c8e624ca1028112637d6b0109076c11788f500fa0877e324bcc437adc4d02</li> </ul> 2.7.0 Released 2017-11-01T00:00:00+00:00 http://blog.rubygems.org/2017/11/01/2.7.0-released <p>RubyGems 2.7.0 includes major enhancements, minor enhancements, compatibility changes and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Major enhancements:</em></p> <ul> <li>Update vendored bundler-1.16.0. Pull request #2051 by Samuel Giddins.</li> <li>Use Bundler for Gem.use_gemdeps. Pull request #1674 by Samuel Giddins.</li> <li>Add command <code class="language-plaintext highlighter-rouge">signin</code> to <code class="language-plaintext highlighter-rouge">gem</code> CLI. Pull request #1944 by Shiva Bhusal.</li> <li>Add Logout feature to CLI. Pull request #1938 by Shiva Bhusal.</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>Added message to uninstall command for gem that is not installed. Pull request #1979 by anant anil kolvankar.</li> <li>Add –trust-policy option to unpack command. Pull request #1718 by Nobuyoshi Nakada.</li> <li>Show default gems for all platforms. Pull request #1685 by Konstantin Shabanov.</li> <li>Add Travis and Appveyor build status to README. 
Pull request #1918 by Jun Aruga.</li> <li>Remove warning <code class="language-plaintext highlighter-rouge">no email specified</code> when no email. Pull request #1675 by Leigh McCulloch.</li> <li>Improve -rubygems performance. Pull request #1801 by Samuel Giddins.</li> <li>Improve the performance of Kernel#require. Pull request #1678 by Samuel Giddins.</li> <li>Improve user-facing messages by consistent casing of Ruby/RubyGems. Pull request #1771 by John Labovitz.</li> <li>Improve error message when Gem::RuntimeRequirementNotMetError is raised. Pull request #1789 by Luis Sagastume.</li> <li>Code Improvement: Inheritance corrected. Pull request #1942 by Shiva Bhusal.</li> <li>[Source] Autoload fileutils. Pull request #1906 by Samuel Giddins.</li> <li>Use Hash#fetch instead of if/else in Gem::ConfigFile. Pull request #1824 by Daniel Berger.</li> <li>Require digest when it is used. Pull request #2006 by Samuel Giddins.</li> <li>Do not index the doc folder in the <code class="language-plaintext highlighter-rouge">update_manifest</code> task. Pull request #2031 by Colby Swandale.</li> <li>Don’t use two postfix conditionals on one line. Pull request #2038 by Ellen Marie Dash.</li> <li>[SafeYAML] Avoid warning when Gem::Deprecate.skip is set. Pull request #2034 by Samuel Giddins.</li> <li>Update gem yank description. Pull request #2009 by David Radcliffe.</li> <li>Fix formatting of installation instructions in README. Pull request #2018 by Jordan Danford.</li> <li>Do not use #quick_spec internally. Pull request #1733 by Jon Moss.</li> <li>Switch from docs to guides reference. Pull request #1886 by Jonathan Claudius.</li> <li>Happier message when latest version is already installed. Pull request #1956 by Jared Beck.</li> <li>Update specification reference docs. Pull request #1960 by Grey Baker.</li> <li>Allow Gem.finish_resolve to respect already-activated specs. Pull request #1910 by Samuel Giddins.</li> <li>Update cryptography for Gem::Security. 
Pull request #1691 by Sylvain Daubert.</li> <li>Don’t output mkmf.log message if compilation didn’t fail. Pull request #1808 by Jeremy Evans.</li> <li>Matches_for_glob - remove root path. Pull request #2010 by ahorek.</li> <li>Gem::Resolver#search_for update for reliable searching/sorting. Pull request #1993 by MSP-Greg.</li> <li>Allow local installs with transitive prerelease requirements. Pull request #1990 by Samuel Giddins.</li> <li>Small style fixes to Installer Set. Pull request #1985 by Arthur Marzinkovskiy.</li> <li>Setup cmd: Avoid terminating option string w/ dot. Pull request #1825 by Olle Jonsson.</li> <li>Warn when no files are set. Pull request #1773 by Aidan Coyle.</li> <li>Ensure <code class="language-plaintext highlighter-rouge">to_spec</code> falls back on prerelease specs. Pull request #1755 by André Arko.</li> <li>[Specification] Eval setting default attributes in #initialize. Pull request #1739 by Samuel Giddins.</li> <li>Sort ordering of sources is preserved. Pull request #1633 by Nathan Ladd.</li> <li>Retry with :prerelease when no suggestions are found. Pull request #1696 by Aditya Prakash.</li> <li>[Rakefile] Run <code class="language-plaintext highlighter-rouge">git submodule update --init</code> in <code class="language-plaintext highlighter-rouge">rake newb</code>. Pull request #1694 by Samuel Giddins.</li> <li>[TestCase] Address comments around ui changes. Pull request #1677 by Samuel Giddins.</li> <li>Eagerly resolve in activate_bin_path. Pull request #1666 by Samuel Giddins.</li> <li>[Version] Make hash based upon canonical segments. Pull request #1659 by Samuel Giddins.</li> </ul> <p><em>Compatibility changes:</em></p> <ul> <li>Use <code class="language-plaintext highlighter-rouge">-rrubygems</code> instead of <code class="language-plaintext highlighter-rouge">-rubygems.rb</code>. Because ubygems.rb is unavailable on Ruby 2.5. 
Pull request #2028 #2027 #2029 by SHIBATA Hiroshi.</li> <li>Deprecate Gem::InstallerTestCase#util_gem_bindir and Gem::InstallerTestCase#util_gem_dir. Pull request #1729 by Jon Moss.</li> <li>Deprecate passing options to Gem::GemRunner. Pull request #1730 by Jon Moss.</li> <li>Add deprecation for Gem#datadir. Pull request #1732 by Jon Moss.</li> <li>Add deprecation warning for Gem::DependencyInstaller#gems_to_install. Pull request #1731 by Jon Moss.</li> <li>Update Code of Conduct to Contributor Covenant v1.4.0. Pull request #1796 by Matej.</li> <li>Add Ruby Together CTA, rearrange README a bit. Pull request #1775 by Michael Bernstein.</li> <li>Update Contributing.rdoc with new label usage. Pull request #1716 by Lynn Cyrin.</li> <li>Add <code class="language-plaintext highlighter-rouge">--host</code> sample to help. Pull request #1709 by Code Ahss.</li> <li>Add a helpful suggestion when <code class="language-plaintext highlighter-rouge">gem install</code> fails due to required_rub…. Pull request #1697 by Samuel Giddins.</li> <li>Add cert expiration length flag. Pull request #1725 by Luis Sagastume.</li> <li>Add submodule instructions to manual install. Pull request #1727 by Joseph Frazier.</li> <li>Allow usage of multiple <code class="language-plaintext highlighter-rouge">--version</code> operators. Pull request #1546 by James Wen.</li> <li>Warn when requiring deprecated files. Pull request #1939 by Ellen Marie Dash.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fix issue for MinGW / MSYS2 builds and testing. Pull request #1876 by MSP-Greg.</li> <li>Fixed broken links and overzealous URL encoding in gem server. Pull request #1809 by Nicole Orchard.</li> <li>Fix a typo. Pull request #1722 by Koichi ITO.</li> <li>Fix error message Gem::Security::Policy. Pull request #1724 by Nobuyoshi Nakada.</li> <li>Fixing links markdown formatting in README. Pull request #1791 by Piotr Kuczynski.</li> <li>Fix failing Bundler 1.8.7 CI builds. Pull request #1820 by Samuel Giddins.</li> <li>Fixed test broken on ruby-head. 
Pull request #1842 by SHIBATA Hiroshi.</li> <li>Fix typos with misspell. Pull request #1846 by SHIBATA Hiroshi.</li> <li>Fix gem open to open highest version number rather than lowest. Pull request #1877 by Tim Pope.</li> <li>Fix test_self_find_files_with_gemfile to sort expected files. Pull request #1878 by Kazuaki Matsuo.</li> <li>Fix typos in CONTRIBUTING.rdoc. Pull request #1909 by Mark Sayson.</li> <li>Fix some small documentation issues in installer. Pull request #1972 by Colby Swandale.</li> <li>Fix links in Policies document. Pull request #1964 by Alyssa Ross.</li> <li>Fix NoMethodError on bundler/inline environment. Pull request #2042 by SHIBATA Hiroshi.</li> <li>Correct comments for Gem::InstallerTestCase#setup. Pull request #1741 by MSP-Greg.</li> <li>Use File.expand_path for certification and key location. Pull request #1987 by SHIBATA Hiroshi.</li> <li>Rescue EROFS. Pull request #1417 by Nobuyoshi Nakada.</li> <li>Fix spelling of ‘vulnerability’. Pull request #2022 by Philip Arndt.</li> <li>Fix metadata link key names. Pull request #1896 by Aditya Prakash.</li> <li>Fix a typo in uninstall_command.rb. Pull request #1934 by Yasuhiro Horimoto.</li> <li>Gem::Requirement.create treat arguments as variable-length. Pull request #1830 by Toru YAGI.</li> <li>Display an explanation when rake encounters an ontological problem. Pull request #1982 by Wilson Bilkovich.</li> <li>[Server] Handle gems with names ending in <code class="language-plaintext highlighter-rouge">-\d</code>. Pull request #1926 by Samuel Giddins.</li> <li>[InstallerSet] Avoid reloading <em>all</em> local gems multiple times during dependency resolution. Pull request #1925 by Samuel Giddins.</li> <li>Modify the return value of Gem::Version.correct?. Pull request #1916 by Tsukuru Tanimichi.</li> <li>Validate metadata link keys. Pull request #1834 by Aditya Prakash.</li> <li>Add changelog to metadata validation. Pull request #1885 by Aditya Prakash.</li> <li>Replace socket error text message. 
Pull request #1823 by Daniel Berger.</li> <li>Raise error if the email is invalid when building cert. Pull request #1779 by Luis Sagastume.</li> <li>[StubSpecification] Don’t iterate through all loaded specs in #to_spec. Pull request #1738 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.7.0.tgz<br /> 632176935beb9562ccfbc32d23126d7b10a1b199050d7ffa2ccb2ad598b73fd1</li> <li>rubygems-2.7.0.zip<br /> 3a551bd15cee9f5e9ca2d9bcb60c475055a9428614efb9b843461df5e06ad23f</li> <li>rubygems-update-2.7.0.gem<br /> 17ab15e566f8f48573ec7bf37a56d103903841633eb0351653c2170dccabe6c3</li> </ul> Unsafe Object Deserialization Vulnerability in RubyGems 2017-10-09T00:00:00+00:00 http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability <p>Hello everyone! An unsafe object deserialization vulnerability was found in RubyGems. Unfortunately this vulnerability can be used as a way to escalate to a remote code execution exploit. The good news is that this issue was responsibly reported to the RubyGems team by <a href="https://mastodon.mit.edu/@maxj">Max Justicz</a>, and we were able to promptly fix it. The RubyGems team audited all Gems, and using the data available to us we can say we have high confidence that no recently published Gems have been impacted, but due to the amount of time this bug has been in production, we cannot say for sure that <em>zero</em> Gems have been impacted.</p> <p>You can read the CVE announcement for RubyGems <a href="https://groups.google.com/forum/#!topic/ruby-security-ann/i_1Nx25ma9A">here</a>.</p> <h2 id="what-was-the-bug">What was the bug?</h2> <p>This bug was an “unsafe object deserialization vulnerability”. What that means is that an attacker is able to inject an instance of an object of their choosing in the target system. 
A clever attacker can inject an object that is able to interact with the system in such a way that will allow the attacker to execute arbitrary code.</p> <p>This particular case has to do with the way RubyGems stores checksums inside Gem files. Checksums are stored in YAML inside the Gem, and before this fix, they were read <a href="https://github.com/rubygems/rubygems/blob/bdadcaf3f638bbe0959a05bb9b047354243e13f6/lib/rubygems/package.rb#L466-L474">with just a bare <code class="language-plaintext highlighter-rouge">YAML.load</code></a>. <code class="language-plaintext highlighter-rouge">YAML</code>, like <code class="language-plaintext highlighter-rouge">Marshal</code>, is meant to serialize and deserialize arbitrary Ruby objects. When RubyGems.org processes a Gem upload, it <a href="https://github.com/rubygems/rubygems.org/blob/master/app/models/pusher.rb#L48">reads the Gem specification</a>, which in turn <a href="https://github.com/rubygems/rubygems/blob/bdadcaf3f638bbe0959a05bb9b047354243e13f6/lib/rubygems/package.rb#L500-L522">reads the checksums in the Gem</a>. A clever attacker could write a checksum file to a Gem that contains YAML formatted in such a way as to inject an arbitrary Ruby object and use that object as an escalation point.</p> <h2 id="what-is-the-impact">What is the impact?</h2> <p>The impact of this bug is that an attacker could execute arbitrary Ruby code on RubyGems.org. However, after several audits of the Gem files, we found no tampering with the data in the database or any tampering with the Gem files in S3 storage. Gem files are stored in a versioned S3 bucket, so we were able to compare checksums stored in the database to versions stored in the S3 buckets. 
Any Gem tampering would be indicated by new Gem versions as well as checksum differences.</p> <h2 id="what-was-the-timeline">What was the timeline?</h2> <ul> <li>October 6th: Max Justicz reported the issue</li> <li>October 6th: David Radcliffe verified the issue and hotpatched the servers</li> <li>October 7th &amp; 8th: RubyGems team conducted an audit of all Gems</li> <li>October 9th: RubyGems is released <a href="https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49">with fixes</a> and <a href="http://blog.rubygems.org/2017/10/09/2.6.14-released.html">announcement</a></li> </ul> <h2 id="how-long-has-rubygemsorg-been-vulnerable">How long has RubyGems.org been vulnerable?</h2> <p>The bug was introduced to RubyGems in <a href="https://github.com/rubygems/rubygems/commit/3f2e05972c85d4f4d9cd5e56e5b033bfb4d11b84">this commit</a> in 2012, so it’s possible that RubyGems.org was vulnerable since then.</p> <h2 id="what-did-we-do-to-fix-it">What did we do to fix it?</h2> <p>To fix this issue we added some code to monkey patch RubyGems such that only safe types could be deserialized. Since this monkey patch is patching RubyGems and <em>not</em> RubyGems.org, we decided it would be better to patch RubyGems itself. This is why the CVE was issued for RubyGems, and a patch created for RubyGems.</p> <h2 id="how-did-we-verify-gems">How did we verify gems?</h2> <p>Gems are stored in versioned S3 buckets. We also store checksums of each gem, but checksums weren’t stored before Feb 8th, 2015. We were able to verify that checksums matched for Gems created after Feb 8th, 2015. We were also able to verify that new versions weren’t created for older Gems.</p> <p>Since this vulnerability has possibly been around since 2012, in concert with the dates from which RubyGems.org started recording Gem checksums, it’s impossible for us to say with 100% confidence that not one single Gem has been compromised. 
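The two steps the post describes, reading the gem's checksum YAML with a loader restricted to plain types (so a class tag is refused before any object is built) and comparing recorded digests against the stored bytes, as an added Ruby example that is not RubyGems' own code. The archive entries, digests and the tagged document are constructed, and `ExampleOnly::NotAllowed` is a placeholder class name.

```ruby
# Added example, not RubyGems' own code: read a gem's checksum document with
# a YAML loader restricted to plain types, then verify the recorded digests.
require "yaml"
require "digest"

# Constructed stand-ins for the two members of a gem archive. A real gem
# carries gzip/tar streams here; plain byte strings keep the example offline.
GEM_ENTRIES = {
  "metadata.gz" => "constructed metadata bytes",
  "data.tar.gz" => "constructed data bytes",
}.freeze

# Digest algorithms a checksum document may name. A fixed table avoids
# turning an attacker-supplied string into a constant lookup.
DIGESTS = { "SHA256" => Digest::SHA256, "SHA512" => Digest::SHA512 }.freeze

# A checksum document in the shape the post describes: a mapping of
# algorithm -> (entry name -> hex digest), strings only.
GOOD_CHECKSUMS_YAML = <<~YAML
  ---
  SHA256:
    metadata.gz: #{Digest::SHA256.hexdigest(GEM_ENTRIES["metadata.gz"])}
    data.tar.gz: #{Digest::SHA256.hexdigest(GEM_ENTRIES["data.tar.gz"])}
YAML

# A constructed document whose root node carries a class tag. A bare
# YAML.load would try to instantiate the named class (ExampleOnly::NotAllowed
# is a placeholder); the restricted loader below must refuse it instead.
TAGGED_CHECKSUMS_YAML = <<~YAML
  --- !ruby/object:ExampleOnly::NotAllowed
  SHA256: {}
YAML

# Load the checksum document permitting only Hash, Array, String and the
# other built-in scalars. Any tag naming a class raises Psych::DisallowedClass
# before an object is built; aliases are refused as well.
def load_checksums(yaml_text)
  doc = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, "checksum document must be a mapping" unless doc.is_a?(Hash)
  doc
end

# Recompute each recorded digest from the bytes actually present and report
# "ALGORITHM/entry" => true/false. Missing entries and unknown algorithms
# never pass silently.
def verify_checksums(checksums, entries)
  results = {}
  checksums.each do |algorithm, recorded|
    digest = DIGESTS.fetch(algorithm) do
      raise ArgumentError, "unsupported digest algorithm: #{algorithm}"
    end
    raise ArgumentError, "#{algorithm} table must be a mapping" unless recorded.is_a?(Hash)
    recorded.each do |name, expected|
      actual = entries.key?(name) ? digest.hexdigest(entries[name]) : nil
      results["#{algorithm}/#{name}"] = !actual.nil? && actual == expected.to_s
    end
  end
  results
end

# True when the restricted loader refuses a document because of its tag.
def rejects_tagged_document?(yaml_text)
  load_checksums(yaml_text)
  false
rescue Psych::DisallowedClass
  true
end

# Constructed tampering: one archive member changed after the digests were recorded.
def tampered_entries
  GEM_ENTRIES.merge("data.tar.gz" => "constructed data bytes, altered")
end

if $PROGRAM_NAME == __FILE__
  checksums = load_checksums(GOOD_CHECKSUMS_YAML)
  p verify_checksums(checksums, GEM_ENTRIES)        # both entries true
  p verify_checksums(checksums, tampered_entries)   # data.tar.gz false
  p rejects_tagged_document?(TAGGED_CHECKSUMS_YAML) # true
end
```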
We can only say with very high confidence that no recently published Gems have been compromised.</p> <h2 id="how-will-we-prevent-more-issues">How will we prevent more issues?</h2> <p>In the past, when <a href="http://blog.rubygems.org/2013/01/31/data-verification.html">similar issues arose</a>, RubyGems was not treated as “the vulnerable code” and RubyGems.org was patched. The reason for this is because RubyGems is typically used as a client library, and a fundamental part of Gem installation is executing arbitrary Ruby code. So this type of vulnerability was seen as a problem with RubyGems.org and not RubyGems even though the vulnerable code is in RubyGems itself.</p> <p>To prevent further issues like this, we are now treating security issues in RubyGems.org that are triggered by code in RubyGems as security issues in RubyGems itself. In other words, if a problem arises in RubyGems.org due to a problem in RubyGems, we will patch RubyGems. This policy will help to keep RubyGems, RubyGems.org, and any services that are using RubyGems safe.</p> 2.6.14 Released 2017-10-09T00:00:00+00:00 http://blog.rubygems.org/2017/10/09/2.6.14-released <p>RubyGems 2.6.14 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>Whitelist classes and symbols that are in loaded YAML. See CVE-2017-0903 for full details. 
Fix by Aaron Patterson.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.14.tgz<br /> 406a45d258707f52241843e9c7902bbdcf00e7edc3e88cdb79c46659b47851ec</li> <li>rubygems-2.6.14.zip<br /> 247d1b704bc1b56cf2f8d26a663ea8b35aec990465cea662181d195a4ad06055</li> <li>rubygems-update-2.6.14.gem<br /> ecaedf77483549e73a33a6779f4769aff6198c7f50df124256cc869cc905ffae</li> </ul> 2.6.13 Released 2017-08-27T00:00:00+00:00 http://blog.rubygems.org/2017/08/27/2.6.13-released <p>RubyGems 2.6.13 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins. (CVE-2017-0902)</li> <li>Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix. (CVE-2017-0899)</li> <li>Fix a DoS vulnerability in the <code class="language-plaintext highlighter-rouge">query</code> command. Discovered by Yusuke Endoh, fix by Samuel Giddins. (CVE-2017-0900)</li> <li>Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins.
(CVE-2017-0901)</li> </ul> <p>As always, please report any security issues discovered in RubyGems to the <a href="https://hackerone.com/rubygems">RubyGems project on HackerOne</a>.</p> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.13.tgz<br /> d041502ae77e8d49e0a436483fb91f9ad6cc1489e49e0735e7c4a7cf10e728c9</li> <li>rubygems-2.6.13.zip<br /> 08011f0d41b5cd2e49a134bc24183476983bfe14be4cc3a630ab21fe1d3817fd</li> <li>rubygems-update-2.6.13.gem<br /> 20abbf7754b82c46aacf12c831339870f4cd1ec069d256d338f1041298badda9</li> </ul> 2.6.12 Released 2017-04-30T00:00:00+00:00 http://blog.rubygems.org/2017/04/30/2.6.12-released <p>RubyGems 2.6.12 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix test_self_find_files_with_gemfile to sort expected files. Pull request #1880 by Kazuaki Matsuo.</li> <li>Fix issue for MinGW / MSYS2 builds and testing. Pull request #1879 by MSP-Greg.</li> <li>Fix gem open to open highest version number rather than lowest. Pull request #1877 by Tim Pope.</li> <li>Add a test for requiring a default spec as installed by the ruby installer. Pull request #1899 by Samuel Giddins.</li> <li>Fix broken <code class="language-plaintext highlighter-rouge">--exact</code> parameter to gem command. Pull request #1873 by Jason Frey.</li> <li>[Installer] Generate backwards-compatible binstubs. Pull request #1904 by Samuel Giddins.</li> <li>Fix pre-existing source recognition on add action. Pull request #1883 by Jonathan Claudius.</li> <li>Prevent negative IDs in output of #inspect.
Pull request #1908 by Vít Ondruch.</li> <li>Allow Gem.finish_resolve to respect already-activated specs. Pull request #1910 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.12.tgz<br /> 37b745cc1f957170cff4f698f473531e607827b1a6407d12c55c338257990d8d</li> <li>rubygems-2.6.12.zip<br /> 0b7754071c32fef8c2e00901bb2232fcb5f91ebbd73d7fdfb531d9b1bf2c54f4</li> <li>rubygems-update-2.6.12.gem<br /> 2b724ce280daa4d0a0a209fe44c2bbe01dacb78b95301b35f8a6d40ce3ff05b6</li> </ul> 2.6.11 Released 2017-03-16T00:00:00+00:00 http://blog.rubygems.org/2017/03/16/2.6.11-released <p>RubyGems 2.6.11 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed broken tests on ruby-head. Pull request #1841 by SHIBATA Hiroshi.</li> <li>Update vendored Molinillo to 0.5.7. Pull request #1859 by Samuel Giddins.</li> <li>Avoid activating Ruby 2.5 default gems when possible. Pull request #1843 by Samuel Giddins.</li> <li>Use improved resolver sorting algorithm. 
Pull request #1856 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.11.tgz<br /> aebec768c9010c97830d5ee7f55fa068ea470327fa073a1044f63cd4a341ae55</li> <li>rubygems-2.6.11.zip<br /> d41e2fc6898eea499e6cd0dd51a453cbbb11b4bf9ab5ad70f2706322148960e4</li> <li>rubygems-update-2.6.11.gem<br /> 0058ac67b8d70c851f661cace817b053eaff1f00101b563b5076cd88f161078a</li> </ul> Funding Rubygems.org 2017-03-15T00:00:00+00:00 http://blog.rubygems.org/2017/03/15/rubygems-funding <p>Since the early days of Ruby, Ruby Central, Inc. has served as an organizational anchor for our community. Starting in 2001, with the organization of the first International Ruby Conference, we have been responsible for running RubyConf and subsequently RailsConf. Thanks to you all, our conferences have enjoyed broad, sustainable success, endowing us with a solid financial foundation, which we then happily invest back into the community.</p> <p>That financial foundation is what makes Ruby Central the natural guardian of the RubyGems project. Not only was RubyGems started by our past Directors, but it has – since its inception in 2006 – also been supported financially by Ruby Central. This includes many years of server and hosting costs, as well as the coordination of volunteers, directors, and sponsors operating the service.</p> <p>The growing use of RubyGems feeds a virtuous cycle where Ruby and Rails continue to grow more popular with a broader base of companies. This, in turn, makes sponsoring services (like Fastly has done with CDNs) and sponsoring conferences (RailsConf &amp; RubyConf) more attractive. It also means that there are more companies willing to assign their programmers to work on the services and contribute to their maintenance. Success begets usage which begets success.</p> <p>Our guardianship of RubyGems has, in the past year, been complemented by the work of Ruby Together. 
Developers paid by donations made to Ruby Together have created new features and fixed bugs in the gem distribution system, Bundler in particular. This work and the attention paid to improving the software used to access RubyGems.org has been a tremendous addition to the whole community.</p> <p>Unfortunately, this past year has also given rise to some misunderstandings about this relationship in some quarters: chiefly, that by donating to Ruby Together, companies were paying for the operations of RubyGems. And in turn, that if enough companies didn’t donate to Ruby Together, RubyGems would subsequently be in a perilous situation. This isn’t so.</p> <p>No one in the Ruby community should worry about the availability or security of RubyGems being connected in any way to the fundraising of Ruby Together. Funds raised by Ruby Together go primarily towards paying developers to add features and fix bugs. Ruby Central, on the other hand, is wholly responsible for the operations and baseline stability of the system. While these two efforts go hand-in-hand, it’s vitally important to understand that they are two different things. Ruby Together’s requests for donations do not mean that there is any reason for concern about RubyGems’ continued existence or operation.</p> <p>To further allay any fears that may still linger in the community about our commitment to provide and support the RubyGems service for all, we’re working to renew involvement with projects to further assist in the operation of the services and the software, as well as to always be ready to deal with availability, security, or compatibility issues.</p> <p>An explicit team – the Rubygems Infrastructure Team – is being put together to provide the community with a core group of folks that can be relied on.
This team will work across Bundler, RubyGems, and RubyGems.org to ensure that the community can always rest assured in the knowledge that all links in the gem distribution system are properly looked after.</p> <p>Who is on that team and how it will function will be announced at a later time.</p> <p><em>NOTE: A previous iteration of this post spelled out specific team members. While those individuals are still involved, the post was revised because their inclusion made it sound like the hard working members on those various projects not listed were being removed. That was far from the case, and so we’re looking to make announcements about the team at a future time.</em></p> <p>Ruby Central has also worked with Ruby Together to clear up some of the language and positioning that could have contributed to these past misunderstandings. Ruby Central and the new RubyGems Infrastructure Team will continue to work closely with developers paid by Ruby Together to improve and strengthen the gem distribution system.</p> <p>We’re very fortunate in the Ruby community to have access to such a great mix of volunteers, company-sponsored developers, and donation-sponsored developers.</p> <p>If you have any questions about this, please don’t hesitate to contact us at <a href="mailto:contact@rubycentral.org">contact@rubycentral.org</a></p> 2.6.10 Released 2017-01-23T00:00:00+00:00 http://blog.rubygems.org/2017/01/23/2.6.10-released <p>RubyGems 2.6.10 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix <code class="language-plaintext highlighter-rouge">require</code> calling the wrong <code class="language-plaintext highlighter-rouge">gem</code> method when it is overridden. Pull request #1822 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.10.tgz<br /> 364c0eee8e0c9e8ab4879c5035832e5a27f0c97292d2264af5ae0020585280f0</li> <li>rubygems-2.6.10.zip<br /> c20feec88c66577f704532d9d574d1e81c3dc56d402ca9a31a8de23b20346b11</li> <li>rubygems-update-2.6.10.gem<br /> 9d69bbba7af33cf21d4ed65e431978e7ee1f5d7b1c553570e3b50c129476b9a5</li> </ul> 2.6.9 Released 2017-01-20T00:00:00+00:00 http://blog.rubygems.org/2017/01/20/2.6.9-released <p>RubyGems 2.6.9 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Allow initializing versions with empty strings. Pull request #1767 by Luis Sagastume.</li> <li>Fix TypeError on 2.4. Pull request #1788 by Nobuyoshi Nakada.</li> <li>Don’t output mkmf.log message if compilation didn’t fail. Pull request #1808 by Jeremy Evans.</li> <li>Fixed broken links and overzealous URL encoding in gem server. Pull request #1809 by Nicole Orchard.</li> <li>Update vendored Molinillo to 0.5.5. Pull request #1812 by Samuel Giddins.</li> <li>RakeBuilder: avoid frozen string issue. 
Pull request #1819 by Olle Jonsson.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.9.tgz<br /> 2608a9f8447b3657fd96e3b2d91e1df3f0064efab6db56f00ecba744aba2bef5</li> <li>rubygems-2.6.9.zip<br /> a5f4820520921c4e316167e39dfc56e0cfbcbb25a244caab1dd784c471ea3c9d</li> <li>rubygems-update-2.6.9.gem<br /> 021ba9ba5cb24f9073226df6479f8ab61ab3c477d8c7ac6600f1dbd7025746fd</li> </ul> 2.6.8 Released 2016-10-29T00:00:00+00:00 http://blog.rubygems.org/2016/10/29/2.6.8-released <p>RubyGems 2.6.8 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Improve SSL verification failure message. Pull request #1751 by Eric Hodel.</li> <li>Ensure <code class="language-plaintext highlighter-rouge">to_spec</code> falls back on prerelease specs. Pull request #1755 by André Arko.</li> <li>Update vendored Molinillo to 0.5.3. 
Pull request #1763 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.8.tgz<br /> 81aeb9f14e579c1753c90a8c70c76c3b2d510ee1a12e179cef8016cc9036d6ec</li> <li>rubygems-2.6.8.zip<br /> 56c1794e48d1104b206b32858bc22388c4f4d4c6de6a35a10e5149047e2b1e73</li> <li>rubygems-update-2.6.8.gem<br /> c6f3511234767ab5b7aeb00377865f153f58d118810bbc2cff5188b2839c4e16</li> </ul> 2.6.7 Released 2016-09-27T00:00:00+00:00 http://blog.rubygems.org/2016/09/27/2.6.7-released <p>RubyGems 2.6.7 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Install native extensions in the correct location when using the <code class="language-plaintext highlighter-rouge">--user-install</code> flag. Pull request #1683 by Noah Kantrowitz.</li> <li>When calling <code class="language-plaintext highlighter-rouge">Gem.sources</code>, load sources from <code class="language-plaintext highlighter-rouge">configuration</code> if present, else use the default sources. Pull request #1699 by Luis Sagastume.</li> <li>Fail gracefully when attempting to redirect without a Location. Pull request #1711 by Samuel Giddins.</li> <li>Update vendored Molinillo to 0.5.1. 
Pull request #1714 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.7.tgz<br /> 0f07ef521859a4df4e0c0dbb90b05e76da9bcb64aeaff2891d8796252e156e5b</li> <li>rubygems-2.6.7.zip<br /> 8861dd997e6d917a56798e17cedead1d2a55c780574dcea90b47e34693ffa6e4</li> <li>rubygems-update-2.6.7.gem<br /> 288290980d5d0cdaa9c63f60673cd96d6ca5e9c6069015357935c7943a400078</li> </ul> 2.6.6 Released 2016-06-22T00:00:00+00:00 http://blog.rubygems.org/2016/06/22/2.6.6-released <p>RubyGems 2.6.6 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system=2.6.6 </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Sort installed versions to make sure we install the latest version when running <code class="language-plaintext highlighter-rouge">gem update --system</code>. As a one-time fix, run <code class="language-plaintext highlighter-rouge">gem update --system=2.6.6</code>. 
Pull request #1601 by David Radcliffe.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.6.tgz<br /> 78e63243fc5a2bfd298276ff98c2b4a29915995e4d9ac4f302ed0893396d1474</li> <li>rubygems-2.6.6.zip<br /> 20e6bb28cb71b4150b7eb211c5dcb87eedfd49f1c4868d8c15f0a0668f71ab3a</li> <li>rubygems-update-2.6.6.gem<br /> f5e91c83910d9c51acad29826ca85ce4c9fb4bd2aa2c038fc42fb7accc3a0220</li> </ul> 2.6.5 Released 2016-06-21T00:00:00+00:00 http://blog.rubygems.org/2016/06/21/2.6.5-released <p>RubyGems 2.6.5 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Support for unified Integer in Ruby 2.4. Pull request #1618 by SHIBATA Hiroshi.</li> <li>Update vendored Molinillo to 0.5.0 for performance improvements. Pull request #1638 by Samuel Giddins.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Raise an explicit error if Signer#sign is called with no certs. Pull request #1605 by Daniel Berger.</li> <li>Update <code class="language-plaintext highlighter-rouge">update_bundled_ca_certificates</code> utility script for directory nesting. Pull request #1583 by James Wen.</li> <li>Fix broken symlink support in tar writer (+ fix broken test). Pull request #1578 by Cezary Baginski.</li> <li>Remove extension directory before (re-)installing. Pull request #1576 by Jeremy Hinegardner.</li> <li>Regenerate test CA certificates with appropriate extensions. Pull request #1611 by rhenium.</li> <li>Rubygems does not terminate on failed file lock when not superuser. 
Pull request #1582 by Ellen Marie Dash.</li> <li>Fix tar headers with a 101 character name. Pull request #1612 by Paweł Tomulik.</li> <li>Add Gem.platform_defaults to allow implementations to override defaults. Pull request #1644 by Charles Oliver Nutter.</li> <li>Run Bundler tests on TravisCI. Pull request #1650 by Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.5.tgz<br /> 0f3be3bcfe39d6f158cd8e5e13cb77c833f09a6049c44d81d859c35bea527c60</li> <li>rubygems-2.6.5.zip<br /> dfebee8ca0281e4319b16c5ce7594cbde7f42de0826b7a6cca7020ee8707f8ad</li> <li>rubygems-update-2.6.5.gem<br /> 7a1ce68fdd1aebfe85b86d6aa8ab76ec9484ae360929844be978b00651e148a8</li> </ul> RubyGems.org 2016 Push 2016-05-20T00:00:00+00:00 http://blog.rubygems.org/2016/05/20/rubygems-org-2016-push <p>Here are a few ideas for directions to push RubyGems.org into a better place for the rest of 2016. If you love RubyGems and hope to see it improve, this is for you!</p> <p><img src="/images/push-heart.gif" width="100%" /></p> <h2 id="team-formation">Team Formation</h2> <p>Historically, we’ve had a team of people that have been interested in working on RubyGems.org. When Gemcutter first started, I used to give commit access to anyone who had a Pull Request or commit accepted into the repo, following the pattern that Rubinius used. As time went on, that fell out of practice. People would still get involved through the same channels: GitHub Issues or helping on the #rubygems IRC channel, but it’s kind of unclear now how people join.</p> <p>Recently, <a href="http://rubytogether.org">RubyTogether</a> has helped out by paying developers to work on RubyGems.org and Bundler. This is huge! But from the outside it’s hard to tell how this works, or how to get involved. We have a big <a href="http://guides.rubygems.org/contributing/">Contribution Guide</a> but it spans across all RubyGems projects.
Our <a href="https://github.com/rubygems/rubygems.org/blob/master/CONTRIBUTING.md">CONTRIBUTING.md</a> covers mostly technical aspects and not the social ones.</p> <p>Let’s make this process open. Here’s what I’d love to see:</p> <ol> <li>A new team page on RubyGems.org showing who’s on it, and what roles are (active, advisory, retired, etc)</li> <li>Explain how RubyGems.org relates to other projects + organizations in the RubyGems ecosystem better</li> <li>Clear, defined ways to get on the team, how to “move up” from being on the outside, to committing, to deploying, and how to “retire” if need be</li> </ol> <p>We owe it to the community and to ourselves to make this an empowering and inclusive process, and to keep this critical piece of infrastructure not just well-oiled, but well-kept.</p> <h2 id="policies">Policies</h2> <p>We’re long past due forming real written policies about how RubyGems.org makes decisions and treats our users’ data. This is due to a legacy of being a volunteer run service, but that’s a bad excuse for not having any formal ways of handling situations. Thanks to some collaboration with NPM, we have a great start to a suite of policies for our packages and servicing our community. Alongside our established <a href="https://github.com/rubygems/rubygems.org/blob/master/CONDUCT.md">Code of Conduct</a>, we have draft policies ready for:</p> <ol> <li>Gem Name Disputes</li> <li>Privacy</li> <li>Receiving Abuse Reports</li> </ol> <p>We have most of these in effect already, especially as we’ve dealt with various support issues over the years. However, spoken policies are liable to change on a whim, and aren’t transparent enough for an open source project. I’m hoping by the end of the year we can publish these and get more feedback on them from the community.</p> <h2 id="self-support">Self-Support</h2> <p>Our <a href="http://help.rubygems.org">help site</a> response time is not the best.
Here are some stats from 2015 and 2016 so far:</p> <p><img src="/images/push-2015.png" width="100%" /></p> <p><img src="/images/push-2016.png" width="100%" /></p> <p>Embarrassing. It usually takes <strong>months</strong> to get a response! I’m sorry if you have waited forever for a resolution from us. We’ve tried different strategies of dealing with the queue in the past without much success. Luckily, our volume is quite low, but this does not inspire confidence in the Ruby ecosystem. We need to fix some of the core issues that cause support requests, including:</p> <ul> <li>Better automation of gem ownership transfers</li> <li>Merging user accounts</li> <li>Removing user accounts</li> <li>Recovering a lost email / user account</li> </ul> <p>For some of these problems, we have a set of support scripts that help automate those tasks. It’s time to expose more of these features to the UI so others can use them, and we can lessen the cognitive load on the RubyGems.org team going forward. Ideally, I’d like the goal here to be closing the help site, which means that all tasks <em>must</em> be automated. I think this is only fair, as support of a service is labor, and I don’t think it’s a cost we can continue to run on a volunteer basis anymore.</p> <h2 id="how-can-you-help">How can you help?</h2> <p>If you’re interested in helping out with anything here, I’d love to get more people involved. There are definitely “cooler” features to work on in the future, but I strongly feel we need to push to get the help queue back under control first.</p> <p>Feel free to <a href="mailto:nick@quaran.to">email me</a> and I’ll get in touch.
Thanks for reading!</p> <p><small>PS: If you’d like a RubyGems.org sticker…stay tuned!</small></p> Simplifying our stack 2016-05-19T00:00:00+00:00 http://blog.rubygems.org/2016/05/19/simplifying-our-stack <p>Hello Ruby community,</p> <p>Today we have some good news to announce: We no longer need Redis to run RubyGems.org and we are removing the Nginx SPOF (single point of failure). We have a brand new download stats system in place and we have shut down our Redis instances.</p> <h2 id="is-redis-bad">Is Redis bad?</h2> <p>Not at all, if used correctly! A lot of companies use Redis and there are many valid use cases for it. One of the main use cases for Redis is to use it as a queue for background jobs. We use PostgreSQL and DelayedJob for our background jobs instead, so we don’t need Redis for that. Our problems came from the way we were using it and how much data we were storing. We were storing all the data in a permanent, never expiring fashion with quite a bit of storage and memory growth. The main problem we encountered with Redis was the memory required to load the data into a running instance. This was resource intensive and time intensive. If an instance went down for any reason it would take many minutes to become usable again as it re-loaded everything into memory. We had some Redis failures that took us about 45 minutes to bring it back up. This is not usually a problem when you don’t have a lot of data in Redis (like the background job case).</p> <h2 id="our-previous-stats-architecture">Our previous stats architecture</h2> <p><img src="/images/stats_changes_before.png" width="100%" /></p> <p>We were mainly using Redis for the gem download counts.
The architecture for many years was this:</p>
<ol>
<li>Every time a gem was downloaded the request would first pass through our Nginx load balancers.</li>
<li>Nginx would send a secondary HTTP request to an internal service with the gem information before redirecting the user to our gem CDN.</li>
<li>This internal service was a small C backend that would parse the request, and increment counters in Redis.</li>
<li>Those counters from Redis were shown on the various RubyGems.org pages and API responses.</li>
</ol>
<p>As you can imagine, RubyGems.org receives a lot of download requests. We wanted to serve downloads directly from our CDN but we needed the requests to hit Nginx first to track the downloads. Also, if any part of this architecture was down we would permanently lose download counts.</p>
<h2 id="what-are-we-using-now">What are we using now</h2>
<p><img src="/images/stats_changes_after.png" width="100%" /></p>
<p>We can now serve all gem downloads directly from <a href="https://www.fastly.com">Fastly</a>, our CDN provider. Here’s what our new architecture looks like:</p>
<ol>
<li>Gem download requests hit Fastly, where the gems may already be cached geographically close to the user.</li>
<li>Fastly generates a log file every five minutes, and pushes that log file to S3.</li>
<li>S3 pushes an SQS notification message to a queue.</li>
<li>The RubyGems.org Rails app consumes those SQS messages and schedules a background job to process each new S3 file.</li>
<li>DelayedJob works the background job and updates the counters in PostgreSQL.</li>
<li>The Rails app can now use the counters directly from the PostgreSQL database.</li>
</ol>
<h2 id="drawbacks-of-the-new-architecture">Drawbacks of the new architecture</h2>
<ul>
<li>Counters are only updated every five minutes.
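The log-driven pipeline above, reduced to the step that turns one five-minute log file into counter updates, as an added Ruby example (not rubygems.org's own code). The log line layout, the list of known gem full names and the in-memory stores are constructed stand-ins for Fastly's log format, the versions table and PostgreSQL; what the example shows is the two properties that make such a pipeline safe to pause and replay: each S3 object is an idempotency key, and downloads are attributed by exact full name (a lookup), never by splitting the path on dashes.

```ruby
# Added example (not rubygems.org's own code): batch-processing CDN download
# logs into per-gem counters. Log format, gem table and stores are constructed
# for illustration; the real pipeline reads Fastly logs from S3 and writes to
# PostgreSQL.
require 'set'

class DownloadCounter
  # One log line per request. This layout is an assumption modelled on a
  # typical CDN access log, not Fastly's actual format.
  LINE = /\A(?<ts>\S+) (?<ip>\S+) "(?<method>[A-Z]+) (?<path>\S+) HTTP\/[\d.]+" (?<status>\d{3})\z/
  GEM_PATH = %r{\A/gems/(?<full_name>[^/]+)\.gem\z}

  attr_reader :counts, :processed_keys

  # known_full_names stands in for the versions table. Counting is keyed on
  # the exact "<name>-<version>" full name taken from the path, so names that
  # themselves contain dashes (e.g. "blank-blank-1.0.0") cannot be
  # misattributed by a naive split on "-".
  def initialize(known_full_names)
    @known = known_full_names.to_set
    @counts = Hash.new(0)
    @processed_keys = Set.new
  end

  # Processes one S3 object (one five-minute log file). Returns the per-gem
  # increments this file contributed, or nil if the key was already seen:
  # a re-delivered SQS notification must not double count.
  def process_log(s3_key, lines)
    return nil if @processed_keys.include?(s3_key)
    increments = Hash.new(0)
    lines.each do |line|
      full_name = download_full_name(line)
      increments[full_name] += 1 if full_name
    end
    increments.each { |full_name, n| @counts[full_name] += n }
    @processed_keys << s3_key
    increments
  end

  # Returns the full name for a successful GET of a known .gem, else nil.
  def download_full_name(line)
    m = LINE.match(line.strip)
    return nil unless m && m[:method] == 'GET' && m[:status] == '200'
    p = GEM_PATH.match(m[:path])
    return nil unless p
    @known.include?(p[:full_name]) ? p[:full_name] : nil
  end

  # Rebuilds every counter from retained log files (the post's "recount
  # download counts altogether if needed").
  def recount!(logs)
    @counts = Hash.new(0)
    @processed_keys = Set.new
    logs.each { |key, lines| process_log(key, lines) }
    @counts
  end
end

# Constructed sample data: three known gems and one log batch.
SAMPLE_GEMS = %w[rails-5.0.0 blank-blank-1.0.0 blank-1.0.0].freeze
SAMPLE_LOG = [
  '2016-05-19T10:00:01Z 203.0.113.5 "GET /gems/rails-5.0.0.gem HTTP/1.1" 200',
  '2016-05-19T10:00:02Z 203.0.113.6 "GET /gems/rails-5.0.0.gem HTTP/1.1" 200',
  '2016-05-19T10:00:03Z 203.0.113.7 "GET /gems/blank-blank-1.0.0.gem HTTP/1.1" 200',
  '2016-05-19T10:00:04Z 203.0.113.8 "GET /gems/rails-5.0.0.gem HTTP/1.1" 404',
  '2016-05-19T10:00:05Z 203.0.113.9 "GET /specs.4.8.gz HTTP/1.1" 200',
  '2016-05-19T10:00:06Z 203.0.113.9 "GET /gems/not-a-known-gem-9.9.9.gem HTTP/1.1" 200',
  '2016-05-19T10:00:07Z 203.0.113.9 "HEAD /gems/rails-5.0.0.gem HTTP/1.1" 200',
].freeze

if __FILE__ == $PROGRAM_NAME
  counter = DownloadCounter.new(SAMPLE_GEMS)
  p counter.process_log('fastly-logs/2016-05-19T10:00.log', SAMPLE_LOG)
  p counter.process_log('fastly-logs/2016-05-19T10:00.log', SAMPLE_LOG) # nil: already counted
  p counter.counts
end
```

Only successful GETs of paths that resolve to a known full name are counted; failed downloads, index files and HEAD probes are ignored. The set of processed S3 keys is what lets the job queue be paused and drained later without inflating counts, and recount! is the "start over from the retained logs" path.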
However, this is a small price to pay and allows us to do more caching.</li>
</ul>
<h2 id="wins-on-the-new-architecture">Wins on the new architecture</h2>
<ul>
<li>We can serve .gem downloads directly from CDN at edge locations.</li>
<li>The number of permanent data stores goes down from 2 to 1, which is a huge win for the resiliency of our service.</li>
<li>Nginx is no longer required for gem downloads, removing a SPOF.</li>
<li>Our stack became simpler.</li>
<li>Smaller downtime windows.</li>
<li>Easier local development setup.</li>
<li>We can pause the background processing or even recount download counts altogether if needed.</li>
</ul>
<h2 id="future-plans">Future plans</h2>
<p>At the time this was written we are still serving gems via Nginx and a redirect to Fastly. This will be changed in the near future as we complete the full transition to <a href="https://www.fastly.com">Fastly</a>. Expect another blog post explaining this transition too.</p>
<h2 id="links">Links</h2>
<ul>
<li><a href="https://github.com/rubygems/rubygems-infrastructure/issues/35">https://github.com/rubygems/rubygems-infrastructure/issues/35</a></li>
<li><a href="https://github.com/rubygems/rubygems.org/issues/1208">https://github.com/rubygems/rubygems.org/issues/1208</a></li>
<li><a href="https://github.com/rubygems/rubygems.org/issues/1089">https://github.com/rubygems/rubygems.org/issues/1089</a></li>
<li><a href="https://github.com/rubygems/rubygems.org/pull/1176">https://github.com/rubygems/rubygems.org/pull/1176</a></li>
</ul>
<h2 id="special-thanks-to">Special thanks to:</h2>
<p><a href="https://github.com/ktheory">Aaron Suggs</a>, <a href="https://github.com/dwradcliffe">David Radcliffe</a>, <a href="https://github.com/arthurnn">Arthur Neves</a> for working hard on this project.</p>
2.6.4 Released 2016-04-26T00:00:00+00:00 http://blog.rubygems.org/2016/04/26/2.6.4-released
<p>RubyGems 2.6.4 includes minor enhancements and bug fixes.</p>
<p>To update to the latest RubyGems you can
run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Use Gem::Util::NULL_DEVICE instead of hard coded strings. Pull request #1588 by Chris Charabaruk.</li> <li>Use File.symlink on MS Windows if supported. Pull request #1418 by Nobuyoshi Nakada.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Redact uri password from error output when gem fetch fails. Pull request #1565 by Brian Fletcher.</li> <li>Suppress warnings. Pull request #1594 by Nobuyoshi Nakada.</li> <li>Escape user-supplied content served on web pages by <code class="language-plaintext highlighter-rouge">gem server</code> to avoid potential XSS vulnerabilities. Samuel Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.4.tgz<br /> 94d71f42462e12b31054e8c939374f8314f024b1ae5ec1c68ecfc6290da260e8</li> <li>rubygems-2.6.4.zip<br /> e17cdc670df66555af1fa8f508b1b5b25192cf4c9ab212de96fb19491d2523b2</li> <li>rubygems-update-2.6.4.gem<br /> 2b3e548dbda80728b8c5b2500a210cd13d5f8deb707e295f0224b48bed111e13</li> </ul> RubyGems.org gem replacement vulnerability and mitigation 2016-04-06T00:00:00+00:00 http://blog.rubygems.org/2016/04/06/gem-replacement-vulnerability-and-mitigation <h2 id="summary">Summary</h2> <p>RubyGems.org contained a bug that could allow an attacker to replace some .gem files on our servers with a different file that they supplied. We deployed a partial fix on April 2nd and a complete fix on April 4th, 2016. We also verified every .gem uploaded after Feb 8th, 2015, and found that none of them had been replaced. Gems whose name contains a dash (e.g. 
‘blank-blank’) uploaded before that date should be verified by their authors. We’ve provided instructions on how to do that below.</p>
<h2 id="details">Details</h2>
<p>On April 2nd, 2016 the RubyGems.org security team was made aware of a vulnerability that allowed an unauthorized user to update existing gem files for existing gem versions in certain circumstances. The security team evaluated the report and confirmed the bug that led to this possibility. We deployed a fix later on April 2nd for this issue and confirmed that the exploit was no longer possible.</p>
<p>Upon further examination we discovered another similar attack vector not fixed with the original patch. We deployed a fix for this on April 4th and confirmed that this was also no longer possible.</p>
<p>In both attack vectors, an attacker could exploit the gem and version name combination to force the replacement of an existing .gem file in our S3 bucket.</p>
<p>We also found that a gem file pushed via this method would not be installable via the standard <code class="language-plaintext highlighter-rouge">gem install</code> command.</p>
<h2 id="verification-of-existing-gems">Verification of existing gems</h2>
<p>We verified the sha256 checksum in all the gems, and there were no gems that were maliciously changed. We only started calculating <a href="https://github.com/rubygems/rubygems.org/commit/5243ca33c090fac687ad44ae836b2cd4ac462edc">sha256</a> checksums on gem pushes on Feb 8th, 2015. Gems pushed before that date didn’t have sha256 calculated at the push time.
Therefore, if the gem was compromised before, we don’t have a way to verify it.</p> <p>To clarify:</p> <ul> <li>Gems pushed after Feb 8th, 2015: 100% verified.</li> <li>Gems pushed before Feb 8th, 2015: Verified no changes since Feb 8th, 2015.</li> </ul> <p>We also verified that there have been no cases of the second attack vector, for all gems, all dates.</p> <p>As an extra verification step, we verified all the gems with two or more S3 object versions of the same file. We found a list of 750+ gems with multiple object versions in S3. We iterated over the multiple object versions and compared the last modification date on it against the creation of the entry on the DB. We found 6 gems out of that list that had a delta bigger than five seconds. Out of those six gems, we ran a checksum on the different versions, and only two gems had a different checksum. We manually ran a diff on the contents of those gems and ensured they were safe.</p> <h2 id="history">History</h2> <p>The first part of this security vulnerability was introduced on <a href="https://github.com/rubygems/rubygems.org/commit/87312bcfa5b1b5cef932caae0c90f2cfe9d4e4a2">Jun 11, 2014</a>.</p> <p>The second part has been present since the beginning of RubyGems.org.</p> <h2 id="impact">Impact</h2> <p>Gems with a dash in the name (for example, ‘blank-blank’) pushed between June 11th, 2014 and April 2nd, 2016 were vulnerable. 
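The verification this post asks authors to do in its "What should I do?" section (download, <code>gem unpack</code>, compare, <code>gem spec</code>, compare), done programmatically, as an added Ruby example rather than anything the RubyGems.org team published. It assumes the author still has the SHA-256 and the file list they recorded at release time; Gem::Package is RubyGems' own archive reader, and the small gem built in a temporary directory is constructed only to exercise the functions.

```ruby
# Added example (not the RubyGems.org team's tooling): the checks behind the
# advisory's "What should I do?" steps. The expected checksum and file list
# are whatever the author recorded when they released; the sample gem built
# below is constructed for the demonstration.
require 'rubygems'
require 'rubygems/package'
require 'digest'
require 'tmpdir'
require 'fileutils'

# SHA-256 of the .gem archive exactly as served.
def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

# Step 1: the downloaded archive must match the checksum recorded at release
# time; any mismatch means it is not the file the author pushed.
def verify_gem(path, expected_sha256)
  sha256_of(path).casecmp?(expected_sha256.strip)
end

# Steps 2-3: compare the archive's file list with the release manifest
# (what `gem unpack` plus a directory diff would show) instead of eyeballing it.
def unexpected_files(path, expected_files)
  actual = Gem::Package.new(path).contents
  { extra: (actual - expected_files).sort, missing: (expected_files - actual).sort }
end

# Steps 4-5: the embedded gemspec fields (what `gem spec` prints) that a
# tampered replacement would most plausibly change; compare with the
# author's own copy of the gemspec.
def spec_fingerprint(path)
  spec = Gem::Package.new(path).spec
  {
    name: spec.name,
    version: spec.version.to_s,
    executables: spec.executables.sort,
    extensions: spec.extensions.sort,
    dependencies: spec.dependencies.map { |d| "#{d.name} #{d.requirement}" }.sort,
  }
end

# Builds a small, constructed .gem inside `dir` and returns its absolute path.
def build_sample_gem(dir, files)
  Dir.chdir(dir) do
    files.each do |name, body|
      FileUtils.mkdir_p(File.dirname(name))
      File.write(name, body)
    end
    spec = Gem::Specification.new do |s|
      s.name = 'example-gem'
      s.version = '0.1.0'
      s.summary = 'constructed sample'
      s.authors = ['example']
      s.files = files.keys
    end
    # skip_validation = true: the sample has no homepage/license on purpose
    File.join(dir, Gem::Package.build(spec, true))
  end
end

SAMPLE_FILES = { 'lib/example.rb' => "module Example; end\n", 'README.md' => "sample\n" }.freeze

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    gem_path = build_sample_gem(dir, SAMPLE_FILES)
    recorded = sha256_of(gem_path) # stands in for the checksum kept at release time
    puts "checksum ok: #{verify_gem(gem_path, recorded)}"
    p unexpected_files(gem_path, SAMPLE_FILES.keys)
    p spec_fingerprint(gem_path)
  end
end
```

A checksum match ends the inquiry; only when no checksum was recorded (the pre-February-2015 case the post describes) do the file-list and gemspec comparisons have to carry the verification, and they are only as good as the author's own record of what was released.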
(Gems pushed between Feb 8th, 2015 and April 2nd, 2016 have been verified already.)</p> <h2 id="what-should-i-do">What should I do?</h2> <p>If you have a gem version that matches the impact section:</p> <ol> <li>Download your gem</li> <li>Run <code class="language-plaintext highlighter-rouge">gem unpack file.gem</code></li> <li>Ensure there are no unexpected changes in it</li> <li>Run <code class="language-plaintext highlighter-rouge">gem spec file.gem</code></li> <li>Ensure there are no unexpected changes to the gemspec</li> </ol> <p>If there are, please <code class="language-plaintext highlighter-rouge">gem yank</code> the gem, and contact the <a href="mailto:security@rubygems.org">RubyGems.org security team</a> as soon as possible, and please include the .gem file for investigation.</p> <h2 id="credits">Credits</h2> <p>Special thanks to Eric Chapweske for finding this and for his detailed report. David Radcliffe and Arthur Neves for working on the fixes and verifications. Aaron Patterson, Nick Quaranto, André Arko, and Samuel Giddins for reviewing and verifying.</p> 2.6.3 Released 2016-04-04T00:00:00+00:00 http://blog.rubygems.org/2016/04/04/2.6.3-released <p>RubyGems 2.6.3 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Lazily calculate Gem::LoadError exception messages. Pull request #1550 by Aaron Patterson.</li> <li>New fastly cert. Pull request #1548 by David Radcliffe.</li> <li>Organize and cleanup SSL certs. 
Pull request #1555 by James Wen.</li> <li>[RubyGems] Make deprecation message for paths= more helpful. Pull request #1562 by Samuel Giddins.</li> <li>Show default gems when using “gem list”. Pull request #1570 by Luis Sagastume.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Stub ordering should be consistent regardless of how cache is populated. Pull request #1552 by Aaron Patterson.</li> <li>Handle cases when the @@stubs variable contains non-stubs. Pull request #1558 by Per Lundberg.</li> <li>Fix test on Windows for inconsistent temp path. Pull request #1554 by Hiroshi Shirosaki.</li> <li>Fix <code class="language-plaintext highlighter-rouge">Gem.find_spec_for_exe</code> picks oldest gem. Pull request #1566 by Shinichi Maeshima.</li> <li>[Owner] Fallback to email and userid when owner email is missing. Pull request #1569 by Samuel Giddins.</li> <li>[Installer] Handle nil existing executable. Pull request #1561 by Samuel Giddins.</li> <li>Allow two digit version numbers in the tests. Pull request #1575 by unak.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.3.tgz<br /> c32a806c31223a2e8061d4bd46f7cd7a17be3773bcccf7ef33b5b7f2d23bbd53</li> <li>rubygems-2.6.3.zip<br /> eeb35951cf2009235da1792e01166346decfbf62a09203682f9e1f7f99160356</li> <li>rubygems-update-2.6.3.gem<br /> 40524c41820cacc23f6e57dfe89cf83df705b475d7a5cbe4d920233d600581d5</li> </ul> 2.6.2 Released 2016-03-13T00:00:00+00:00 http://blog.rubygems.org/2016/03/13/2.6.2-released <p>RubyGems 2.6.2 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix wrong version of gem activation for bin stub. Pull request #1527 by Aaron Patterson.</li> <li>Speed up gem activation failures. Pull request #1539 by Aaron Patterson.</li> <li>Fix platform sorting in the resolver. Pull request #1542 by Samuel E. Giddins.</li> <li>Ensure we unlock the monitor even if try_activate throws. Pull request #1538 by Charles Oliver Nutter.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.2.tgz<br /> fe9bcd5624579215314e8585852d8214e9be48357e9ab6cb70a594c8a25402c8</li> <li>rubygems-2.6.2.zip<br /> 496643f6870a7ec589931d1976ceb9dcbcb524bbb29be25b57a984fe439bef92</li> <li>rubygems-update-2.6.2.gem<br /> 5cd54b1ddbbc6b0d3764f64ea0250486830b6e6ba61f4b6e7c98f906f10da45d</li> </ul> 2.6.1 Released 2016-02-28T00:00:00+00:00 http://blog.rubygems.org/2016/02/28/2.6.1-released <p>RubyGems 2.6.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Ensure <code class="language-plaintext highlighter-rouge">default_path</code> and <code class="language-plaintext highlighter-rouge">home</code> are set for paths. Pull request #1513 by Aaron Patterson.</li> <li>Restore but deprecate support for Array values on <code class="language-plaintext highlighter-rouge">Gem.paths=</code>. Pull request #1514 by Aaron Patterson.</li> <li>Fix invalid gem file preventing gem install from working. 
Pull request #1499 by Luis Sagastume.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.1.tgz<br /> c9c4d1a8367a1c05bc568fa0eb5c830974d0f328dd73827cc129c0905aae1f4f</li> <li>rubygems-2.6.1.zip<br /> 2c1cc0fdfb13b1d70fd458c8904e135d30f8537ada80c4df5def727a6163819c</li> <li>rubygems-update-2.6.1.gem<br /> 51aea79ac9c87750ce56b74d6cbbb6f25ea901445a250b29e2bb36fab9f92848</li> </ul> 2.6.0 Released 2016-02-25T00:00:00+00:00 http://blog.rubygems.org/2016/02/25/2.6.0-released <p>RubyGems 2.6.0 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>RubyGems now defaults the <code class="language-plaintext highlighter-rouge">gem push</code> to the gem’s “allowed_push_host” metadata setting. Pull request #1486 by Josh Lane.</li> <li>Update bundled Molinillo to 0.4.3. Pull request #1493 by Samuel E. Giddins.</li> <li>Add version option to gem open command. Pull request #1483 by Hrvoje Šimić.</li> <li>Feature/add silent flag. Pull request #1455 by Luis Sagastume.</li> <li>Allow specifying gem requirements via env variables. Pull request #1472 by Samuel E. Giddins.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>RubyGems now stores <code class="language-plaintext highlighter-rouge">gem push</code> credentials under the host you signed-in for. Pull request #1485 by Josh Lane.</li> <li>Move <code class="language-plaintext highlighter-rouge">coding</code> location to first line. 
Pull request #1471 by SHIBATA Hiroshi.</li> <li>[PathSupport] Handle a regexp path separator. Pull request #1469 by Samuel E. Giddins.</li> <li>Clean up the PathSupport object. Pull request #1094 by Aaron Patterson.</li> <li>Join with File::PATH_SEPARATOR in Gem.use_paths. Pull request #1476 by Samuel E. Giddins.</li> <li>Handle when the gem home and gem path aren’t set in the config file. Pull request #1478 by Samuel E. Giddins.</li> <li>Terminate TimeoutHandler. Pull request #1479 by Nobuyoshi Nakada.</li> <li>Remove redundant cache. Pull request #1482 by Eileen M. Uchitelle.</li> <li>Freeze <code class="language-plaintext highlighter-rouge">Gem::Version@segments</code> instance variable. Pull request #1487 by Ben Dean.</li> <li>Gem cleanup is trying to uninstall gems outside GEM_HOME and reporting an error after it tries. Pull request #1353 by Luis Sagastume.</li> <li>Avoid duplicated sources. Pull request #1489 by Luis Sagastume.</li> <li>Better description for quiet flag. Pull request #1491 by Luis Sagastume.</li> <li>Raise error if find_by_name returns with nil. Pull request #1494 by Zoltán Hegedüs.</li> <li>Find_files only from loaded_gems when using gemdeps.
Pull request #1277 by Michal Papis.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.6.0.tgz<br /> dc2cce61cc9eda9cc85a47cd95f5477f60eb1bb34256b6c0ecd10b3f6f9ddfa1</li> <li>rubygems-2.6.0.zip<br /> 8db0f9fb31d71e05a2ad7bf94cd2a1a8e43c91b7b0dfe2b79277e3703429721a</li> <li>rubygems-update-2.6.0.gem<br /> 609190ecad637f9df6a1928e47c8522d1ee00b4080b76176b525547182efef11</li> </ul> 2.5.2 Released 2016-02-01T00:00:00+00:00 http://blog.rubygems.org/2016/02/01/2.5.2-released <p>RubyGems 2.5.2 includes bug fixes and minor enhancements.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix memoization of Gem::Version#prerelease? Pull request #1125 by Matijs van Zuijlen.</li> <li>Handle trailing colons in GEM_PATH, by Damien Robert.</li> <li>Improve the Gemfile <code class="language-plaintext highlighter-rouge">gemspec</code> method, fixing #1204 and #1033. Pull request #1276 by Michael Papis.</li> <li>Warn only once when a gemspec license is invalid. Pull request #1414 by Samuel E. Giddins.</li> <li>Check for exact constants before using them, fixing Ruby bug #11940. Pull request #1438 by Nobuyoshi Nakada.</li> <li>Fix building C extensions on Ruby 1.9.x on Windows. Pull request #1453 by Marie Markwell.</li> <li>Handle symlinks containing “..” correctly. Pull request #1457 by Samuel E. 
Giddins.</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>Add <code class="language-plaintext highlighter-rouge">--no-rc</code> flag, which skips loading <code class="language-plaintext highlighter-rouge">.gemrc</code>. Pull request #1329 by Luis Sagastume.</li> <li>Allow basic auth to be excluded from <code class="language-plaintext highlighter-rouge">allowed_push_host</code>. By Josh Lane.</li> <li>Add <code class="language-plaintext highlighter-rouge">gem list --exact</code>, which finds gems by string match instead of regex. Pull request #1344 by Luis Sagastume.</li> <li>Suggest alternatives when gem license is unknown. Pull request #1443 by Samuel E. Giddins.</li> <li>Print a useful error if a binstub expects a newer version of a gem than is installed. Pull request #1407 by Samuel E. Giddins.</li> <li>Allow the (supported) s3:// scheme to be used with <code class="language-plaintext highlighter-rouge">--source</code>. Pull request #1416 by Dave Adams.</li> <li>Add <code class="language-plaintext highlighter-rouge">--[no-]post-install-message</code> to <code class="language-plaintext highlighter-rouge">install</code> and <code class="language-plaintext highlighter-rouge">update</code>. Pull request #1162 by Josef Šimánek.</li> <li>Add <code class="language-plaintext highlighter-rouge">--host</code> option to <code class="language-plaintext highlighter-rouge">yank</code>, providing symmetry with <code class="language-plaintext highlighter-rouge">pull</code>. Pull request #1361 by Mike Virata-Stone.</li> <li>Update bundled Molinillo to 0.4.1. Pull request #1452 by Samuel E. Giddins.</li> <li>Allow calling <code class="language-plaintext highlighter-rouge">build</code> without ‘.gemspec’. Pull request #1454 by Stephen Blackstone.</li> <li>Add support for <code class="language-plaintext highlighter-rouge">source</code> option on gems in Gemfile. Pull request #1355 by Michael Papis.</li> <li>Function correctly when string literals are frozen on Ruby 2.3. 
Pull request #1408 by Samuel E. Giddins.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.5.2.tgz<br /> 5171ce6fa04c74606991f9c318a924f095241d7ce18c21a00455c8ebe4aeecca</li> <li>rubygems-2.5.2.zip<br /> aeb9b7c75b639acc3ce264d13bbd34ae579fe136278042dbe90a9104dac157d3</li> <li>rubygems-update-2.5.2.gem<br /> 8f3b445f69bc2b39b74a492f38ea1c1e68d8c7bf00612f66a291d15dc430cb88</li> </ul> 2.5.1 Released 2015-12-10T00:00:00+00:00 http://blog.rubygems.org/2015/12/10/2.5.1-released <p>RubyGems 2.5.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Ensure platform sorting only uses strings. Affected binary installs on Windows. Issue #1369 reported by Ryan Atball (among others). Pull request #1375 by Samuel E. Giddins.</li> <li>Revert PR #1332. Unable to reproduce, and nil should be impossible.</li> <li>Gem::Specification#to_fullpath now returns .rb extensions when such a file exists. Pull request #1114 by y-yagi.</li> <li>RubyGems now handles Net::HTTPFatalError instead of crashing. Pull request #1314 by Samuel E. Giddins.</li> <li>Updated bundled Molinillo to 0.4.0. Pull request #1322, #1396 by Samuel E. Giddins.</li> <li>Improved performance of spec loading by reducing likelihood of loading the complete specification. Pull request #1373 by Aaron Patterson.</li> <li>Improved caching of requirable files. Pull request #1377 by Aaron Patterson.</li> <li>Fixed activation of gems with development dependencies. Pull request #1388 by Samuel E.
Giddins.</li> <li>RubyGems now uses the same Molinillo vendoring strategy as Bundler. Pull request #1397 by Samuel E. Giddins.</li> <li>Fixed documentation of Gem::Requirement.parse. Pull request #1398 by Juanito Fatas.</li> <li>RubyGems no longer warns when a prerelease gem has prerelease dependencies. Pull request #1399 by Samuel E. Giddins.</li> <li>Fixed Gem::Version documentation example. Pull request #1401 by Guilherme Goettems Schneider.</li> <li>Updated documentation links to https://. Pull request #1404 by Suriyaa Kudo.</li> <li>Fixed double word typo. Pull request #1411 by Jake Worth.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.5.1.tgz<br /> 02d4bb76687983d973ea8700912e798ca23be32bcce7956171254c93a2365273</li> <li>rubygems-2.5.1.zip<br /> 7352a68c8e285147416a51a9caa269bb6f5cf5c07aeb6cbcdb15fe32b3d70202</li> <li>rubygems-update-2.5.1.gem<br /> 04d22ea0c9628b59530b53a30701b875f6aca8487b02235d077eedacb88d2133</li> </ul> 2.5.0 Released 2015-11-03T00:00:00+00:00 http://blog.rubygems.org/2015/11/03/2.5.0-released <p>RubyGems 2.5.0 includes major enhancements, minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://docs.seattlerb.org/rubygems/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="http://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Major enhancements:</em></p> <ul> <li> <p>Added the Gem::Licenses class which provides a set of standard license identifiers as set by spdx.org. 
This is now used by the Gem::Specification#license attribute to try to standardize (though not enforce) licenses set by gem authors.</p> <p>Pull request #1249 by Kyle Mitchell.</p> </li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>Use Molinillo as the resolver library. This is the same resolver as used by Bundler. Pull request #1189 by Samuel E. Giddins.</li> <li>Add <code class="language-plaintext highlighter-rouge">--skip=gem_name</code> to Pristine command. Pull request #1018 by windwiny.</li> <li>The parsed gem dependencies file is now available via Gem.gemdeps following Gem.use_gemdeps. Pull request #1224 by Hsing-Hui Hsu, issue #1213 by Michal Papis.</li> <li>Moved description attribute to recommended for Gem::Specification. Pull request #1046 by Michal Papis</li> <li>Moved <code class="language-plaintext highlighter-rouge">Gem::Indexer#abbreviate</code> and <code class="language-plaintext highlighter-rouge">#sanitize</code> to <code class="language-plaintext highlighter-rouge">Gem::Specification</code>. Pull request #1145 by Arthur Nogueira Neves</li> <li>Cache Gem::Version segments for <code class="language-plaintext highlighter-rouge">#bump</code> and <code class="language-plaintext highlighter-rouge">#release</code>. Pull request #1131 by Matijs van Zuijlen</li> <li>Fix edge case in <code class="language-plaintext highlighter-rouge">levenshtein_distance</code> for comparing longer strings. Pull request #1173 by Richard Schneeman</li> <li>Remove duplication from List#to_a, improving from O(n^2) to O(n) time. Pull request #1200 by Marc Siegel.</li> <li>Gem::Specification.add_specs is deprecated and will be removed from version 3.0 with no replacement. To add specs, install the gem, then reset the cache.</li> <li>Gem::Specification.add_spec is deprecated and will be removed from version 3.0 with no replacement. 
To add specs, install the gem, then reset the cache.</li> <li>Gem::Specification.remove_spec is deprecated and will be removed from version 3.0 with no replacement. To remove specs, uninstall the gem, then reset the cache by calling Gem::Specification.reset.</li> <li>Call Array#compact before calling Array#uniq for minor speed improvement in the Gem::Specification#files method. Pull request #1253 by Marat Amerov.</li> <li>Use stringio instead of custom String classes. Pull request #1250 by Petr Skocik.</li> <li>Use URI#host instead of URI#hostname to retain backwards compatibility with Ruby 1.9.2 and earlier in util library. Pull request #1288 by Joe Rafaniello.</li> <li>Documentation update for gem sources. Pull request #1324 by Ilya Vassilevsky.</li> <li>Documentation update for required_ruby_version. Pull request #1321 by Matt Patterson.</li> <li>Documentation update for gem update. Pull request #1306 by Tim Blair.</li> <li>Emit a warning on SRV resolve failure. Pull request #1023 by Ivan Kuchin.</li> <li>Allow duplicate dependencies between runtime and development. Pull request #1032 by Murray Steele.</li> <li>The gem env command now shows the user installation directory. Pull request #1343 by Luis Sagastume.</li> <li>The Gem::Platform#=== method now treats a nil cpu arch the same as ‘universal’. Pull request #1356 by Daniel Berger.</li> <li>Improved memory performance in Gem::Specification.traverse. Pull request #1188 by Aaron Patterson.</li> <li>RubyGems packages now support symlinks. Pull request #1209 by Samuel E. Giddins.</li> <li>RubyGems no longer outputs mkmf.log if it does not exist. Pull request #1222 by Andrew Hooker.</li> <li>Added Bitrig platform. Pull request #1233 by John C. Vernaleo.</li> <li>Improved error message for first-time RubyGems developers. Pull request #1241 by André Arko</li> <li>Improved performance of Gem::Specification#load with cached specs. Pull request #1297 by Samuel E. 
Giddins.</li> <li>Gem::RemoteFetcher allows users to set HTTP headers. Pull request #1363 by Agis Anastasopoulos.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fixed Rake homepage url in example for Gem::Specification#homepage. Pull request #1171 by Arthur Nogueira Neves</li> <li>Don’t crash if partially uninstalled gem can’t be found. Pull request #1283 by Cezary Baginski.</li> <li>Test warning cleanup. Pull request #1298 by Samuel E. Giddins.</li> <li>Documentation fix for GemDependencyAPI. Pull request #1308 by Michael Papis.</li> <li>Fetcher now ignores ENOLCK errors in single threaded environments. This handles an issue with gem installation on NFS as best we can. Addresses issue #1176 by Ryan Moore. Pull request #1327 by Daniel Berger.</li> <li>Fix some path quoting issues in the test suite. Pull request #1328 by Gavin Miller.</li> <li>Fix NoMethodError in running ruby processes when gems are uninstalled. Pull request #1332 by Peter Drake.</li> <li>Fixed a potential NoMethodError for gem cleanup. Pull request #1333 by Peter Drake.</li> <li>Fixed gem help bug. Issue #1352 reported by bogem, pull request #1357 by Luis Sagastume.</li> <li>Remove temporary directories after tests finish. Pull request #1181 by Nobuyoshi Nokada.</li> <li>Update links in RubyGems documentation. Pull request #1185 by Darío Hereñú.</li> <li>Prerelease gem executables can now be run. Pull request #1186 by Samuel E. Giddins.</li> <li>Updated RubyGems travis-ci ruby versions. Pull request #1187 by Samuel E. Giddins.</li> <li>Fixed release date of RubyGems 2.4.6. Pull request #1190 by Frieder Bluemle.</li> <li>Fixed bugs in gem activation. Pull request #1202 by Miklós Fazekas.</li> <li>Fixed documentation for <code class="language-plaintext highlighter-rouge">gem list</code>. Pull request #1228 by Godfrey Chan.</li> <li>Fixed #1200 history entry. Pull request #1234 by Marc Siegel.</li> <li>Fixed synchronization issue when resetting the Gem::Specification gem list. 
Pull request #1239 by Samuel E. Giddins.</li> <li>Fixed running tests in parallel. Pull request #1257 by SHIBATA Hiroshi.</li> <li>Fixed running tests with <code class="language-plaintext highlighter-rouge">--program-prefix</code> or <code class="language-plaintext highlighter-rouge">--program-suffix</code> for ruby. Pull request #1258 by Shane Gibbs.</li> <li>Fixed Gem::Specification#to_yaml. Pull request #1262 by Hiroaki Izu.</li> <li>Fixed taintedness of Gem::Specification#raw_require_paths. Pull request #1268 by Sam Ruby.</li> <li>Fixed sorting of platforms when installing gems. Pull request #1271 by nonsequitur.</li> <li>Use <code class="language-plaintext highlighter-rouge">--no-document</code> over deprecated documentation options when installing dependencies on travis. Pull request #1272 by takiy33.</li> <li>Improved support for IPv6 addresses in URIs. Pull request #1275 by Joe Rafaniello.</li> <li>Spec validation no longer crashes if a file does not exist. Pull request #1278 by Samuel E. Giddins.</li> <li>Gems can now be installed within <code class="language-plaintext highlighter-rouge">rescue</code>. Pull request #1282 by Samuel E. Giddins.</li> <li>Increased Diffie-Hellman key size for tests for modern OpenSSL. Pull request #1290 by Vít Ondruch.</li> <li>RubyGems handles invalid config files better. 
Pull request #1367 by Agis Anastasopoulos.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.5.0.tgz<br /> a39e95acb86f52fdca38b1484b2eed61a7f76551119079d7a9f8c67c5be78831</li> <li>rubygems-2.5.0.zip<br /> e5256076a4cabacc32c4369bd665dd0af8167d8895500426970f39bc74b6c228</li> <li>rubygems-update-2.5.0.gem<br /> bb63b29e0b1604b48784a6c0646e9d727135c829c8466406ab8dd2f253f5c091</li> </ul> Post-Mortem of Connectivity Issues on August 10th 2015-08-13T00:00:00+00:00 http://blog.rubygems.org/2015/08/13/postmortem <p>RubyGems.org had intermittent connectivity problems for several periods on August 10th from about 7:08 UTC until 10:40 UTC, and again from 19:03 UTC until 19:19 UTC. This primarily disrupted gem downloads, and may have caused intermittent errors for gem pushes as well. This post aims to explain the issue and how we’ll work to prevent a similar problem in the future.</p> <p>All gems are stored in Amazon’s Simple Storage Service, also known as S3. On August 10th, AWS had an extended outage in their Virginia region that affected several services, including S3. Requests to S3 to get gem files (and gemspecs) were intermittently failing, as well as requests to save new gems/gemspecs into S3. Our monitoring showed that <strong>during this period, about 4% of download requests were failing</strong>.</p> <p>All gem downloads pass through Fastly, our CDN partner, where we cache gems in locations near you all around the world. Caching really saved us, since about 88% of requests were cached and didn’t need to hit S3 at all. This means that 8% of all requests were hitting S3 successfully during this period.</p> <p>That being said, having all our files stored in one region is still not ideal. We have plans to start replicating all our files into a second region.
This will provide a backup for disaster recovery and hopefully we will also be able to serve download requests from the second region if the primary region is down.</p> <p>I’m sorry we had trouble serving requests this week, and we’re making some changes to improve this for the future.</p> 2.4.8 Released 2015-06-08T00:00:00+00:00 http://blog.rubygems.org/2015/06/08/2.4.8-released <p>RubyGems 2.4.8 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Tightened API endpoint checks for CVE-2015-3900</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.8.tgz<br /> 5a4335fef5904ceb76d912a9d4a2464fbbb172df3b2abcb0c67003e77764845e</li> <li>rubygems-2.4.8.zip<br /> 02a06ce40030fda6916c5adab5b2da90b6dd2711b5574270c25e611b4d1bd617</li> <li>rubygems-update-2.4.8.gem<br /> dbed858db605923d9cc77080de1a5f1ce6ac3c68924877c78665e0d85d7b3e73</li> </ul> 2.2.5 Released 2015-06-08T00:00:00+00:00 http://blog.rubygems.org/2015/06/08/2.2.5-released <p>RubyGems 2.2.5 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Tightened API endpoint checks for CVE-2015-3900</li> </ul> CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier 2015-05-14T00:00:00+00:00 http://blog.rubygems.org/2015/05/14/CVE-2015-3900 <p>RubyGems lets a domain direct clients to a separate host that is then used to fetch gems and make API calls. This mechanism is implemented via DNS, specifically an SRV record named <code class="language-plaintext highlighter-rouge">_rubygems._tcp</code> under the originally requested domain.</p> <p>For example, this is the record that users of rubygems.org see:</p> <pre>
&gt; dig _rubygems._tcp.rubygems.org SRV
;; ANSWER SECTION:
_rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 api.rubygems.org.
</pre> <p>RubyGems did not validate the hostname returned in the SRV record before sending requests to it.</p> <p>This left clients open to a DNS hijack attack, whereby an attacker could return an SRV record of their choosing and get the client to use it. For example:</p> <pre>
&gt; dig _rubygems._tcp.rubygems.org SRV
;; ANSWER SECTION:
_rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 gems.nottobetrusted.wtf
</pre> <p>The fix, detailed <a href="https://github.com/rubygems/rubygems/commit/6bbee35">on GitHub</a>, validates the record: the target must now be under the original domain.
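</p> <p>An added example, not RubyGems’ own code and not the linked commit: a Ruby model of the check the fix introduces. The SRV target is accepted only when it is the original host itself or a subdomain of it, and the comparison is made on whole DNS labels, so a host that merely ends in the same characters is still rejected. The function names and the constructed hostname <code class="language-plaintext highlighter-rouge">rubygems.org.attacker.example</code> are assumptions for this illustration; the live lookup helper uses Ruby’s standard Resolv library.</p>

```ruby
require 'resolv'
require 'uri'

# Added example, not RubyGems' own implementation. Models the CVE-2015-3900
# fix: a _rubygems._tcp SRV target is only honoured when it stays inside the
# security domain of the host the user originally asked for.

# Normalise a DNS name for comparison: lower-case, without the trailing root dot
# that dig (and Resolv) may return.
def normalize_dns_name(name)
  name.to_s.downcase.chomp('.')
end

# True when +target+ is +origin_host+ itself or a subdomain of it. The check is
# done on whole labels ("." + origin), so a lookalike such as "evilrubygems.org"
# is rejected even though it ends with "rubygems.org".
def same_security_domain?(origin_host, target)
  origin = normalize_dns_name(origin_host)
  host   = normalize_dns_name(target)
  return false if origin.empty? || host.empty?

  host == origin || host.end_with?(".#{origin}")
end

# Decide which endpoint a client should talk to. +srv_target+ is the target
# from the SRV answer (nil when there is no record). A target outside the
# original domain is ignored and the client keeps using the origin.
def api_endpoint_for(origin_uri, srv_target)
  uri = URI(origin_uri)
  return uri if srv_target.nil?
  return uri unless same_security_domain?(uri.host, srv_target)

  endpoint = uri.dup
  endpoint.host = normalize_dns_name(srv_target)
  endpoint
end

# Live lookup helper (needs network): returns the SRV target for +host+,
# or nil when no _rubygems._tcp record exists.
def lookup_rubygems_srv(host)
  res = Resolv::DNS.new.getresource("_rubygems._tcp.#{host}",
                                    Resolv::DNS::Resource::IN::SRV)
  res.target.to_s
rescue Resolv::ResolvError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed answers mirroring the two dig outputs in the advisory.
  puts api_endpoint_for('https://rubygems.org/', 'api.rubygems.org.')      # https://api.rubygems.org/
  puts api_endpoint_for('https://rubygems.org/', 'gems.nottobetrusted.wtf') # https://rubygems.org/
end
```

<p>Running the file prints the endpoint chosen for each of the two dig answers shown above: the first resolves to api.rubygems.org, the second falls back to the origin. Keeping the comparison on label boundaries is the important part; a plain suffix match would accept a lookalike name, and the 2.4.8 release notes earlier on this page describe these endpoint checks being tightened further.</p> <p>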
This restricts the client to the trust/security domain it would have used otherwise.</p> <p>RubyGems versions between 2.0 and 2.4.6 are vulnerable.</p> <p>RubyGems versions 2.0.16, 2.2.4, and 2.4.7 have been released to fix this issue.</p> <p>Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded versions of RubyGems.</p> <p>Patch for <a href="https://github.com/rubygems/rubygems/commit/6bbee35fd6daed045103f3122490a588d97c066a">all versions</a></p> <p>This vulnerability was reported by Jonathan Claudius <a href="mailto:JClaudius@trustwave.com">JClaudius@trustwave.com</a>.</p> 2.4.7 Released 2015-05-14T00:00:00+00:00 http://blog.rubygems.org/2015/05/14/2.4.7-released <p>RubyGems 2.4.7 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Backport: Limit API endpoint to original security domain for CVE-2015-3900.
Fix by claudijd</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.7.tgz<br /> 62fabf8b1a3009cf65f0fc9c2bad68754aa229780d7139232c4ca9f4708ad6ec</li> <li>rubygems-2.4.7.zip<br /> d9fa0e3f2acc2f9b6568c634da8f643aeb4f38ee7ae230caed459079adba6efc</li> <li>rubygems-update-2.4.7.gem<br /> 3ae1d969324b53be658c854e684e8f7fac6d2925affa791e8b62a29ef99f8917</li> </ul> 2.2.4 Released 2015-05-14T00:00:00+00:00 http://blog.rubygems.org/2015/05/14/2.2.4-released <p>RubyGems 2.2.4 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Backport: Limit API endpoint to original security domain for CVE-2015-3900. Fix by claudijd</li> </ul> Policy change about gem yank 2015-04-13T00:00:00+00:00 http://blog.rubygems.org/2015/04/13/permadelete-on-yank <h1 id="heads-up-policy-change-about-gem-yank">Heads up: Policy change about <code class="language-plaintext highlighter-rouge">gem yank</code></h1> <p><code class="language-plaintext highlighter-rouge">gem yank</code> now deletes the gem permanently as of April 20th, 2015. (Finally!)</p> <h2 id="why">Why?</h2> <p>“Yanking” a gem was introduced as a way to remove a gem from the RubyGems.org index, usually because of an accidental <code class="language-plaintext highlighter-rouge">gem push</code> or someone wanting to allow others to take over the gem’s name.</p> <p>Our policy has been to not permanently delete the .gem file when a gem was yanked, but over the years that has caused massive support backlogs. 
Most of the support cases are due to someone accidentally pushing a gem that has internal or sensitive code - and usually our team of volunteers can take weeks to months to respond and remove it.</p> <p>One note about the new behavior: <code class="language-plaintext highlighter-rouge">gem yank</code> will remove the .gem file from S3 and our CDN, but it will not stop unofficial mirrors from copying the gem or anyone publicly downloading <a href="http://guides.rubygems.org/rubygems-org-api/#webhook-methods">via webhooks</a>. If you’ve pushed a gem with internal code, you still need to reset API keys, URLs, or anything else sensitive despite the new behavior.</p> <p>The policy around pushing the same version has not changed. A gem version can not be published twice. So if you <code class="language-plaintext highlighter-rouge">gem yank</code> a version, you cannot quickly fix something then push a new version. You still need to bump the version number - luckily you won’t run out of numbers anytime soon!</p> <h2 id="a-final-note">A final note</h2> <p>A concern of ours about <code class="language-plaintext highlighter-rouge">gem yank</code> and its behavior was that someone could maliciously or accidentally remove gems that others depended on. However, we’ve been using an Amazon S3 bucket to store the gems for years now <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html">with versioning</a> on - so if someone does remove gems that are necessary, we can easily restore them. We hope it won’t ever be.</p> <p>Hopefully we’ll see this reduce <a href="http://help.rubygems.org">our support load</a>. 
Thanks for bearing with us if you’ve had to deal with <code class="language-plaintext highlighter-rouge">gem yank</code>’s behavior in the past.</p> 2.4.6 Released 2015-02-15T00:00:00+00:00 http://blog.rubygems.org/2015/02/15/2.4.6-released <p>RubyGems 2.4.6 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed resolving gems with both upper and lower requirement boundaries. Issue #1141 by Jakub Jirutka.</li> <li>Moved extension directory after require_paths to fix missing constant bugs in some gems with C extensions. Issue #784 by André Arko, pull request #1137 by Barry Allard.</li> <li>Use Gem::Dependency#requirement when adding a dependency to an existing dependency instance. Pull request #1101 by Josh Cheek.</li> <li>Fixed warning of shadowed local variable in Gem::Specification. Pull request #1109 by Rohit Arondekar</li> <li>Gem::Requirement should always sort requirements before coercion to Hash. Pull request #1139 by Eito Katagiri.</li> <li>The <code class="language-plaintext highlighter-rouge">gem open</code> command should change the current working directory before opening the editor. Pull request #1142 by Alex Wood.</li> <li>Ensure quotes are stripped from the Windows launcher script used to install gems. Pull request #1115 by Youngjun Song.</li> <li>Fixed errors when writing 0444 files to NFS. Issue #1161 by Emmanuel Hadoux.</li> <li>Removed dead code in Gem::StreamUI. Pull request #1117 by mediaslave24.</li> <li>Fixed typos. 
Pull request #1096 by hakeda.</li> <li>Relaxed CMake dependency for RHEL 6 and CentOS 6. Pull request #1124 by Vít Ondruch.</li> <li>Relaxed Psych dependency. Pull request #1128 by Vít Ondruch.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.6.tgz<br /> 76d3f3b10aa824d23a511f098ab777c6473b98ffa733f7be4222408897b68db9</li> <li>rubygems-2.4.6.zip<br /> 9370bd2d6df98e638ae8cd8627a79e58c80691684f0a4924d94a4538bbacc101</li> <li>rubygems-update-2.4.6.gem<br /> e11368dc8987461fd8858113fe3aa02f46723e521c5014c6b6293ed4317f2f98</li> </ul> Writing history, actually re-writing it. 2015-02-01T00:00:00+00:00 http://blog.rubygems.org/2015/02/01/rewriting-history <h1 id="problem">Problem</h1> <p>RubyGems.org was getting out of hand, not in terms of code, but the git repository was way too big. Every time someone wanted to clone the repo, it would take a long time, as the repo was over 500MB. The code itself is not big at all, but we need to vendor all the gems we use. You might be wondering why we need to vendor the RubyGems.org gem dependencies. Most projects can simply install gems from RubyGems.org when they are deployed. But RubyGems.org itself might have a critical bug that causes it to be unavailable. The only way to deploy a fix to such a bug is to ensure the RubyGems.org codebase does not depend on the RubyGems.org service being available. Vendoring more than 100 gems costs space, and every time a gem is updated the old version lives forever in the history. Git is distributed source control: when you clone the repo you clone all branches, tags and the history attached to them. As a result the repository kept growing and became harder and harder to clone.</p> <p>(<a href="https://github.com/rubygems/rubygems.org/issues/610">See GitHub issue</a>)</p> <h1 id="alternative-solution">Alternative solution</h1> <p>Running <code class="language-plaintext highlighter-rouge">git clone --depth=1</code> would be an easier solution.
However, everyone who clones the repo would then have to know about the <code class="language-plaintext highlighter-rouge">depth</code> flag. Another problem is that you would not have the history locally, so searches and tools like <code class="language-plaintext highlighter-rouge">git-blame</code> would not work.</p> <h1 id="solution">Solution</h1> <p>Create a separate <code class="language-plaintext highlighter-rouge">vendor/cache</code> folder in another git repository, and add that as a git submodule. If the <code class="language-plaintext highlighter-rouge">vendor/cache</code> folder is not part of the main repo, its history is not tracked by the main repo, so the RubyGems.org repository would no longer grow immensely with every gem update.</p> <p>However, that alone would not solve the problem of having a 600MB repository. To fix that, we had to rewrite the repository’s history to remove all the vendored files from it. And that’s exactly what we did. As we were rewriting history we also decided to remove a few other big folders and files from the history:</p> <ul> <li>server/rubygems.html</li> <li>rubygems.txt</li> <li>server/rubygems.txt</li> <li>vendor/bundler_gems</li> <li>vendor/gems</li> <li>vendor/rails</li> <li>vendor/plugins</li> </ul> <p>And lastly we moved <code class="language-plaintext highlighter-rouge">vendor/cache</code> out of the history to <a href="https://github.com/rubygems/rubygems.org-vendor">another repository</a>.</p> <h1 id="why">Why?</h1> <p>RubyGems.org is an open source project, and contributions are always welcome, so a small, fast repository is key to making the project more approachable for the community.</p> <h1 id="final-results">Final results</h1> <pre> <code class="bash">$ git clone git@github.com:rubygems/rubygems.org-backup.git
$ du -skh .
536M    .
$ git clone git@github.com:rubygems/rubygems.org.git
$ du -skh .
11M     .
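</code> </pre> <p>An added example, not the rubygems.org project’s own script: a POSIX shell function that removes a list of paths from every commit, the kind of rewrite described above for <code class="language-plaintext highlighter-rouge">vendor/cache</code> and the other folders. The post does not say which tool the team used; <code class="language-plaintext highlighter-rouge">git filter-branch</code> is assumed here. The demo function builds a throwaway repository with a constructed 64 KiB stand-in for a vendored gem, purges it, and checks that the unrelated history survived.</p>

```shell
#!/bin/sh
# Added example, not the rubygems.org project's own tooling. Purges paths
# from every commit in a repository, the kind of rewrite the post describes.
# git filter-branch is an assumed tool choice; the post names no tool.

# purge_paths_from_history REPO_DIR PATH...
# Rewrites every branch and tag so that PATH... never existed, then deletes
# the refs/original/ backups and expires the reflog. Until those are gone the
# old blobs stay reachable and git gc cannot shrink the repository.
purge_paths_from_history() {
  repo=$1
  shift
  paths=$*
  (
    cd "$repo" || exit 1
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f \
      --index-filter "git rm -r --cached --ignore-unmatch --quiet -- $paths" \
      --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
    git for-each-ref --format='%(refname)' refs/original/ |
      while read -r ref; do git update-ref -d "$ref"; done
    git reflog expire --expire=now --all
    git gc --prune=now --quiet
  )
}

# history_touches REPO_DIR PATH
# Prints "yes" if any commit reachable from any ref still touches PATH, else "no".
history_touches() {
  if [ -n "$(git -C "$1" log --all --oneline -- "$2")" ]; then
    echo yes
  else
    echo no
  fi
}

# commit_in REPO_DIR MESSAGE: commit the staged index with a fixed identity.
commit_in() {
  git -C "$1" -c user.name=demo -c user.email=demo@example.com commit -q -m "$2"
}

# demo_purge
# Builds a throwaway repo with a constructed vendored file, purges vendor/cache
# and prints "before after app": whether vendor/cache was in history before,
# whether it is afterwards, and whether app/main.rb history survived.
# Expected output: "yes no yes".
demo_purge() {
  tmp=$(mktemp -d)
  git -C "$tmp" init -q
  mkdir -p "$tmp/vendor/cache" "$tmp/app"
  echo 'puts "app"' >"$tmp/app/main.rb"
  head -c 65536 /dev/zero >"$tmp/vendor/cache/constructed-1.0.0.gem"  # constructed stand-in
  git -C "$tmp" add -A
  commit_in "$tmp" 'vendor a gem'
  echo 'puts "app v2"' >"$tmp/app/main.rb"
  git -C "$tmp" add -A
  commit_in "$tmp" 'update app'
  before=$(history_touches "$tmp" vendor/cache)
  purge_paths_from_history "$tmp" vendor/cache
  after=$(history_touches "$tmp" vendor/cache)
  app=$(history_touches "$tmp" app/main.rb)
  rm -rf "$tmp"
  echo "$before $after $app"
}
```

<p>The step that is easy to forget is the clean-up after the rewrite: filter-branch keeps the old commits reachable under refs/original/ and in the reflog, and until those are removed and the reflog expired, git gc cannot drop the blobs and a fresh clone is no smaller. Existing clones still hold the old objects, which is why the next section asks everyone to rebase.</p> <pre> <code class="bash">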
</code> </pre> <h1 id="impact-on-development">Impact on development</h1> <h2 id="everyone-must-rebase">Everyone must rebase</h2> <p>Everyone who has a PR against <code class="language-plaintext highlighter-rouge">rubygems/rubygems.org</code> must rebase it against the new history. Locally, this means that existing clones of <code class="language-plaintext highlighter-rouge">rubygems/rubygems.org</code> can either be deleted and cloned again, or updated with <code class="language-plaintext highlighter-rouge">git fetch --all; git pull --rebase</code>.</p> <h2 id="installing-dependencies">Installing dependencies</h2> <p>Nothing changed; <code class="language-plaintext highlighter-rouge">bundle install</code> still does its job.</p> <h2 id="updating-or-adding-a-new-gem">Updating or adding a new gem</h2> <p>Just add the gem to <code class="language-plaintext highlighter-rouge">Gemfile</code> or run <code class="language-plaintext highlighter-rouge">bundle update gem_name</code>, and send a PR with changes to <code class="language-plaintext highlighter-rouge">Gemfile</code> and <code class="language-plaintext highlighter-rouge">Gemfile.lock</code> only. There is no need to update the <code class="language-plaintext highlighter-rouge">vendor/cache</code> folder anymore, or to send a PR to the vendor repo. The RubyGems team will make sure to update the vendor folder.</p> 2.4.4 Released 2014-11-14T00:00:00+00:00 http://blog.rubygems.org/2014/11/14/2.4.4-released <p>RubyGems 2.4.4 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Add alternate Root CA for upcoming certificate change. Fixes #1050 by Protosac</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.4.tgz<br /> c2658ffc6f9c75b34fea5498defa003f6e4e5df79eeeca84a1d57614ade5d2ab</li> <li>rubygems-2.4.4.zip<br /> e587a116886411c79610724d78c0a0f5e9f3680fecaca62ff35fefcff258214f</li> <li>rubygems-update-2.4.4.gem<br /> 9ec22b1f44eaf27706803abfc93e9661b3decbe152e98b730cdc6bc1184f3597</li> </ul> 2.4.3 Released 2014-11-10T00:00:00+00:00 http://blog.rubygems.org/2014/11/10/2.4.3-released <p>RubyGems 2.4.3 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fix redefine MirrorCommand issue. Pull request #1044 by @akr.</li> <li>Fix typo in platform= docs. Pull request #1048 by @jasonrclark</li> <li>Add root SSL certificates for upcoming certificate change. 
Fixes #1050 by Protosac</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.3.tgz<br /> 23b22a88c6d6d403c1a0c4346d0882a019f544b7d669de478ab3e5393103f105</li> <li>rubygems-2.4.3.zip<br /> a6faf40398ae78c0cce38bbb99266de6c618e59960e802dfa56b5585302b62ef</li> <li>rubygems-update-2.4.3.gem<br /> 32fe3db16fa5746c622ed2c6e865854a3ec2c19c5fe566e325338dc84a14bf1d</li> </ul> 2.4.2 Released 2014-10-01T00:00:00+00:00 http://blog.rubygems.org/2014/10/01/2.4.2-released <p>RubyGems 2.4.2 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>This release was sponsored by Ruby Central.</p> <p><em>Bug fixes:</em></p> <ul> <li>RubyGems now correctly matches wildcard no_proxy hosts. Issue #997 by voelzemo.</li> <li>Added support for missing git_source method in the gem dependencies API.</li> <li>Fixed handling of git gems with an alternate install directory.</li> <li>Lockfiles will no longer be truncated upon resolution errors.</li> <li>Fixed messaging for <code class="language-plaintext highlighter-rouge">gem owner -a</code>. Issue #1004 by Aaron Patterson, Ryan Davis.</li> <li>Removed meaningless ensure. Pull request #1003 by gogotanaka.</li> <li>Improved wording of <code class="language-plaintext highlighter-rouge">--source</code> option help. Pull request #989 by Jason Clark.</li> <li>Empty build_info files are now ignored. Issue #903 by Adan Alvarado.</li> <li>Gem::Installer ignores dependency checks when installing development dependencies.
Issue #994 by Jens Willie.</li> <li><code class="language-plaintext highlighter-rouge">gem update</code> now continues after dependency errors. Issue #993 by aaronchi.</li> <li>RubyGems no longer warns about semantic version dependencies for the 0.x range. Issue #987 by Jeff Felchner, pull request #1006 by Hsing-Hui Hsu.</li> <li>Added minimal lock to allow multithread installation of gems. Issue #982 and pull request #1005 by Yorick Peterse</li> <li>RubyGems now considers prerelease dependencies as it did in earlier versions when <code class="language-plaintext highlighter-rouge">--prerelease</code> is given. Issue #990 by Jeremy Tryba.</li> <li>Updated capitalization in README. Issue #1010 by Ben Bodenmiller.</li> <li>Fixed activating gems from a Gemfile for default gems. Issue #991 by khoan.</li> <li>Fixed windows stub script generation for Cygwin. Issue #1000 by Brett DiFrischia.</li> <li>Allow gem bindir and ruby.exe to live in separate directories. Pull request #942 by Ian Flynn.</li> <li>Fixed handling of gemspec in gem dependencies files to match Bundler behavior. Issue #1020 by Michal Papis.</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem update</code> when updating to prereleases. Issue #1028 by Santiago Pastorino.</li> <li>RubyGems now fails immediately when a git reference cannot be found instead of spewing git errors. Issue #1031 by Michal Papis</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.2.tgz<br /> 34cf28c3066e7e16a579d087fc2978949b4628f1f9398279f7a5dfb5135da6e8</li> <li>rubygems-2.4.2.zip<br /> 47b3074e30ca5fd0a28ad72065173b6121a28b1867ec88369118cab94ed55ceb</li> <li>rubygems-update-2.4.2.gem<br /> 92b7b460a01208af3f59758816d9a314414f38e480c7870b18c75ea11d582360</li> </ul> Post-Mortem of Today's Connectivity Issues 2014-08-07T00:00:00+00:00 http://blog.rubygems.org/2014/08/07/postmortem <p>The RubyGems.org web interface and API were intermittently down for a period on August 7th from about 8:43 UTC until 14:07 UTC.
This post aims to explain the issue and how we’ll work to prevent similar problems in the future.</p> <p>In the early morning hours Eastern US time, RubyGems.org internal and external monitoring systems began sending alerts to the operations team. Due to the timing of the alerts no one with access to diagnose and fix the issue was awake, which caused the alerts to go unacknowledged for a period of time. Eventually members of the operations team were online and began diagnosing the problem. As we began digging into the logs across our application tier it became obvious that there were a large number of requests which resulted in a 404 being returned to the client from the application itself. Unlike requests which result in 404’s from our load balancers, like a gem file which doesn’t exist, these requests reached the application and began consuming all the available worker processes across our application servers. The load on our database shot up and the application would stop responding to requests in a timely manner. Given the various timeouts we have in place across our systems, requests would get processed properly until the workers and database got overwhelmed.</p> <p>We moved quickly to isolate the source of the traffic and immediately put a fix in place across our load balancer tier. From the information we were able to collect it seems as though someone configured RubyGems.org as a repository in their <code class="language-plaintext highlighter-rouge">pom.xml</code>, a file which is used by Maven to configure and run various build-related tasks. Given the address space we saw traffic originating from, it seems likely that the <code class="language-plaintext highlighter-rouge">pom.xml</code> was distributed to a build farm with many machines.
We’ve blocked all requests which include certain keywords, such as <code class="language-plaintext highlighter-rouge">.jar</code> to prevent any further such requests.</p> <p>Over the next few days and weeks we’ll be putting better monitoring in place around worker usage. We’d already been talking about setting up an on-call rotation and plan to have that in place soon.</p> <p>I’m very sorry this happened and prevented users from being able to effectively use RubyGems.org. Feel free to <a href="mailto:shk@linux.com">email me</a> with any questions or concerns you’ve got.</p> 2.4.1 Released 2014-07-17T00:00:00+00:00 http://blog.rubygems.org/2014/07/17/2.4.1-released <p>RubyGems 2.4.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>RubyGems can now be updated on Ruby implementations that do not support vendordir in RbConfig::CONFIG. 
Issue #974 by net1957.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.1.tgz<br /> 8e40e23fa995d064b00c474c3d3e5c4022755e27975c06d69d9e1c383a33f932</li> <li>rubygems-2.4.1.zip<br /> a5012e0ed91629cf234cceb2567db971610b99135005db59e180bea18e9009d6</li> <li>rubygems-update-2.4.1.gem<br /> 70bab9b876cd0c9087e9e03dea9c5c4afcc67770483a41fb02f6a4a6d484d759</li> </ul> 2.4.0 Released 2014-07-16T00:00:00+00:00 http://blog.rubygems.org/2014/07/16/2.4.0-released <p>RubyGems 2.4.0 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>The contents command now supports a <code class="language-plaintext highlighter-rouge">--show-install-dir</code> option that shows only the directory the gem is installed in. Feature request #966 by Akinori MUSHA.</li> <li>Added a <code class="language-plaintext highlighter-rouge">--build-root</code> option to the install command for packagers. Pull request #965 by Marcus Rückert.</li> <li>Added vendor gem support to RubyGems. Package managers may now install gems in Gem.vendor_dir with the <code class="language-plaintext highlighter-rouge">--vendor</code> option to gem install. Issue #943 by Marcus Rückert.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Kernel#gem now respects the prerelease flag when activating gems. Previously this behavior was undefined which could lead to bugs when a prerelease version was unintentionally activated. Bug #938 by Joe Ferris.</li> <li>RubyGems now prefers gems from git over installed gems. This allows gems from git to override an installed gem with the same name and version.
Bug #944 by Thomas Kriechbaumer.</li> <li>Fixed handling of git gems in a lockfile with unversioned dependencies. Bug #940 by Michael Kaiser-Nyman.</li> <li>The ruby directive in a gem dependencies file is ignored when installing. Bug #941 by Michael Kaiser-Nyman.</li> <li>Added open to list of builtin commands (<code class="language-plaintext highlighter-rouge">gem open</code> now works). Reported by Espen Antonsen.</li> <li><code class="language-plaintext highlighter-rouge">gem open</code> now works with command-line editors. Pull request #962 by Tim Pope.</li> <li><code class="language-plaintext highlighter-rouge">gem install -g</code> now respects <code class="language-plaintext highlighter-rouge">--conservative</code>. Pull request #950 by Jeremy Evans.</li> <li>RubyGems release announcements now include checksums. Bug #939 by Alexander E. Fischer.</li> <li>RubyGems now expands ~ in $PATH when checking if installed executables will be runnable. Pull request #945 by Alex Talker.</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem install -g --explain</code>. Issue #947 by Luis Lavena. Patch by Hsing-Hui Hsu.</li> <li>RubyGems locks less during gem activation. Pull request #951 by Aaron Patterson and Justin Searls, #969 by Jeremy Tryba.</li> <li>Kernel#gem is now thread-safe. Pull request #967 by Aaron Patterson.</li> <li>RubyGems now handles spaces in directory names for some parts of extension building. Pull request #949 by Tristan Hill.</li> <li>RubyGems no longer defines an empty Date class. Pull Request #948 by Benoit Daloze.</li> <li>RubyGems respects <code class="language-plaintext highlighter-rouge">--document</code> options for <code class="language-plaintext highlighter-rouge">gem update</code> again. Bug #946 by jonforums. Patch by Hsing-Hui Hsu.</li> <li>RubyGems generates documentation again with <code class="language-plaintext highlighter-rouge">--ignore-dependencies</code>. Bug #961 by Pulfer.</li> <li>RubyGems can install extensions across partitions now.
Pull request #970 by Michael Scherer.</li> <li><code class="language-plaintext highlighter-rouge">-s</code> is now short for <code class="language-plaintext highlighter-rouge">--source</code> which resolves an ambiguity with <code class="language-plaintext highlighter-rouge">--no-suggestions</code>. Pull request #955 by Alexander Kahn.</li> <li>Added extra test for ~&gt; for 0.0.X versions. Pull request #958 by Mark Lorenz.</li> <li>Fixed typo in gem updated help. Pull request #952 by Per Modin.</li> <li>Clarified that the gem description should not be excessively long. Part of bug #956 by Renier Morales.</li> <li>Hid documentation of outdated test_files related methods in Specification. Guides issue #90 by Emil Soman.</li> <li>RubyGems now falls back to the old index if the rubygems.org API fails during gem resolution.</li> </ul> <p>SHA256 Checksums:</p> <ul> <li>rubygems-2.4.0.tgz<br /> 9214ef24e1da07b5d0425b58520e3b2c37bf87dd37eab59cd5fdc86075b6a0d1</li> <li>rubygems-2.4.0.zip<br /> e0c47141ec04a99b90567e14f38d3af68c1dd08bea8ce8250c63cd01918d0c83</li> <li>rubygems-update-2.4.0.gem<br /> a169d30852ebfa7972d7a359be4930871cd442798244ad7fae01d94aa6dbec33</li> </ul> Maintenance window on July 14th 2014-06-30T00:00:00+00:00 http://blog.rubygems.org/2014/06/30/maintenance <p>The RubyGems.org operations team has been hard at work over the past few weeks putting together completely rebuilt infrastructure to support our growth and scale. All our systems have been built from scratch using Chef and a variety of other tools to help ensure they’re rock solid.</p> <p>As part of the migration to new systems, we’ll have to take down the rails application which runs RubyGems.org to migrate data from the old databases to the new ones. We’re planning on doing the switch over at 3:30 UTC on July 14th. You can use <a href="http://www.thetimezoneconverter.com/?t=3:30&amp;tz=UTC">this tool</a> to find the time in your local timezone.
We expect the migration to take no more than 30 minutes.</p> <p>So what does this all mean for you?</p> <ul> <li><code class="language-plaintext highlighter-rouge">gem install</code> and <code class="language-plaintext highlighter-rouge">bundle install</code> will continue to work normally</li> <li><code class="language-plaintext highlighter-rouge">gem push</code>, <code class="language-plaintext highlighter-rouge">gem yank</code>, and other commands which interact with the database will not work</li> <li>RubyGems.org will show a maintenance page if you go to the site in your browser</li> </ul> <p>Thanks for your patience as we work to improve the stability and availability of RubyGems.org.</p> <p>As always, please feel free to <a href="mailto:shk@linux.com">reach out</a> to the RubyGems.org operations team with any issues. Thanks for using RubyGems.org!</p> 2.3.0 Released 2014-06-10T00:00:00+00:00 http://blog.rubygems.org/2014/06/10/2.3.0-released <p>RubyGems 2.3.0 includes minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Minor enhancements:</em></p> <ul> <li>Added the <code class="language-plaintext highlighter-rouge">open</code> command which allows you to inspect the source of a gem using your editor. Issue #789 by Mike Perham. Pull request #804 by Vitali F.</li> <li>The <code class="language-plaintext highlighter-rouge">update</code> command shows a summary of which gems were and were not updated. Issue #544 by Mark D. Blackwell. 
Pull request #777 by Tejas Bubane.</li> <li>Improved “could not find ‘gem’” error reporting. Pull request #913 by Richard Schneeman.</li> <li>Gem.use_gemdeps now accepts an argument specifying the path of the gem dependencies file. When the file is not found an ArgumentError is raised.</li> <li>Writing a .lock file for a gem dependencies file is now controlled by the <code class="language-plaintext highlighter-rouge">--[no-]lock</code> option. Pull request #774 by Jeremy Evans.</li> <li>Suggestion of alternate names and spelling corrections during install can be suppressed with the <code class="language-plaintext highlighter-rouge">--no-suggestions</code> option. Issue #867 by Jimmy Cuadra.</li> <li>Added mswin64 support. Pull request #881 by U. Nakamura.</li> <li>A gem is installable from an IO again (as in RubyGems 1.8.x and older). Pull request #716 by Xavier Shay.</li> <li>RubyGems no longer attempts to build extensions during activation. Instead a warning is issued instructing you to run <code class="language-plaintext highlighter-rouge">gem pristine</code> which will build the extensions for the current platform. Issue #796 by dunric.</li> <li>Added Gem::UserInteraction#verbose which prints when the <code class="language-plaintext highlighter-rouge">--verbose</code> option is given. Pull request #811 by Aaron Patterson.</li> <li>RubyGems can now fetch gems from private repositories using S3. Pull request #856 by Brian Palmer.</li> <li>Added Gem::ConflictError subclass of Gem::LoadError so you can distinguish conflicts from other problems. Pull request #841 by Aaron Patterson.</li> <li>Cleaned up unneeded load_yaml bootstrapping in Rakefile. Pull request #815 by Zachary Scott.</li> <li>Improved performance of conflict resolution. Pull request #842 by Aaron Patterson.</li> <li>Add documentation of “~&gt; 0” to Gem::Version. Issue #896 by Aaron Suggs.</li> <li>Added CONTRIBUTING file. Pull request #849 by Mark Turner.</li> <li>Allow use of bindir in windows_stub_script in .bat. Pull request #818 by @unak and @nobu.</li> <li>Use native File::PATH_SEPARATOR and remove $ before gem env on Gem::Dependency#to_specs.
Pull request #915 by @parkr.</li> <li>RubyGems recommends SPDX IDs for licenses now. Pull request #917 by Benjamin Fleischer.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>RubyGems now only fetches the latest specs to find misspellings which speeds up gem suggestions. Pull request #808 by Aaron Patterson.</li> <li>The given .gem is installed again when multiple versions of the same gem exist in the current directory. Bug #875 by Prem Sichanugrist.</li> <li>Local gems are preferred by name over remote gems again. Bug #834 by jonforums.</li> <li>RubyGems can install local prerelease gems again. Pull request #866 by Aaron Patterson. Issue #813 by André Arko.</li> <li>RubyGems installs development dependencies correctly again. Issue #893 by Jens Wille.</li> <li>RubyGems only installs prerelease versions when they are requested again. Issue #853 by Seth Vargo, special thanks to Zachary Scott and Ben Moss. Issue #884 by Nathaniel Bibler.</li> <li>Fixed RubyGems list and search command help. Pull request #905 and #928 by Gabriel Gilder.</li> <li>The list of gems to uninstall is always sorted now. Bug #918 by postmodern.</li> <li>The update command only updates exactly matching gem names now. Bug #919 by postmodern.</li> <li>Gem::Server now supports prerelease versions. Bug #857 by Marcelo Alvim.</li> <li>RubyGems no longer raises an exception immediately when gems are missing with RUBYGEMS_GEMDEPS. A warning is printed instead. Issue #886 by Michael Kaiser-Nyman.</li> <li>Commands using the rubygems.org API no longer try to sign-in when a non-rubygems API key has been chosen. Bug #826 by Ben Sedat.</li> <li>Updated documentation of Gem::Specification#executables to indicate that only ruby scripts are allowed. Bug #830 by Geoff Nixon.</li> <li>Gem dependency API supports multiple platforms for #platform and #platforms now. Bug #821 by johnny5-.</li> <li>Gem dependency API supports lockfiles without explicit sources.
Bug #820 by johnny5-.</li> <li>Gem dependency API supports lockfiles with multiple sources. Bug #822 by johnny5-, bug #851 by sumit shah.</li> <li>Gem dependency API supports lockfiles with git sources using branch, tag and ref. Bug #822 by johnny5-, #931 by Christoph Blank.</li> <li>Gem dependency API no longer raises an exception when a gem does not exist in one of the configured sources. Bug #897 by Michael Kaiser-Nyman.</li> <li>Gem dependency API no longer lists development dependencies in the lockfile. Bug #768 by Diego Viola, #916 by Santiago Pastorino.</li> <li>SSL configuration entries in ~/.gemrc are properly round-tripped. Bug #837 by Noah Luck Easterly.</li> <li>The environment command now shows the system configuration directory where the all-users gemrc lives. Bug #827 by Ben Langfeld.</li> <li>Improved speed of conflict checking when activating gems. Pull request #843 by Aaron Patterson.</li> <li>Improved speed of levenshtein distance for gem suggestion misspellings. Pull requests #809, #812 by Aaron Patterson.</li> <li>Restored persistent connections. Pull request #869 by Aaron Patterson.</li> <li>Reduced requests when fetching gems with the bundler API. Pull request #773 by Charlie Somerville.</li> <li>Reduced dependency prefetching to improve install speed. Pull requests #871, #872 by Matthew Draper.</li> <li>RubyGems now avoids net/http auto-proxy detection. Issue #824 by HINOHARA Hiroshi.</li> <li>Removed conversion of Gem::List (used for debugging installs) to unless necessary. Pull request #870 by Aaron Patterson.</li> <li>RubyGems now prints release notes from the current release. Bug #814 by André Arko.</li> <li>RubyGems allows installation of unsigned gems again with -P MediumSecurity and lower. Bug #859 by Justin S. Collins.</li> <li>Fixed typo in Jim Weirich’s name. Ruby pull request #577 by Mo Khan.</li> <li>Fixed typo in Gem.datadir documentation. Pull request #868 by Patrick Jones.</li> <li>Fixed File.exists? warnings. 
Pull request #829 by SHIBATA Hiroshi.</li> <li>Fixed show_release_notes test for LANG=C. Issue #862 by Luis Lavena.</li> <li>Fixed Gem::Package from IO tests on windows. Patch from issue #861 by Luis Lavena.</li> <li>Check for nil extensions as BasicSpecification does not initialize them. Pull request #882 by André Arko.</li> <li>Fixed Gem::BasicSpecification#require_paths receives a String for @require_paths. Pull request #904 by @danielpclark.</li> <li>Fixed circular require warnings. Bug #908 by Zachary Scott.</li> <li>Gem::Specification#require_paths can no longer accidentally be an Array. Pull requests #904, #909 by Daniel P. Clark.</li> <li>Don’t build extensions if <code class="language-plaintext highlighter-rouge">build_dir/extensions</code> isn’t writable. Pull request #912 by @dunric.</li> <li>Gem::BasicSpecification#require_paths respects default_ext_dir_for now. Bug #852 by Vít Ondruch.</li> </ul> RubyGems.org's response to CVE-2014-0160 (heartbleed) 2014-04-09T00:00:00+00:00 http://blog.rubygems.org/2014/04/09/heartbleed <p>At this point you’ve probably heard about CVE-2014-0160, branded ‘heartbleed’. Just in case you’ve not, it’s a critical vulnerability in the immensely popular OpenSSL library, which RubyGems.org, and a huge percentage of sites, applications, and systems use to secure communications. The vulnerability allows an arbitrary 64k of memory to be read remotely. You can read more about heartbleed <a href="http://heartbleed.com/">here</a>.</p> <p>As soon as we heard about the vulnerability we upgraded OpenSSL and applications linked against it and restarted our SSL termination layer. That prevents our private key and other sensitive information from potentially being accessed going forward. It is impossible to know whether private key material was leaked as a result of the vulnerability, so we immediately moved to regenerate our SSL private key and certificate.
That new certificate has been deployed for about 36 hours.</p> <p>The SHA1 fingerprint of the new certificate is <code class="language-plaintext highlighter-rouge">F6 F6 C6 7A 91 D8 51 28 02 1D 19 8F 8A FB A5 7D 4E D3 9C 34</code>.</p> <p>As always, please feel free to <a href="mailto:shk@linux.com">reach out</a> to the RubyGems.org operations team with any security issues. Thanks for using RubyGems.org!</p> 2.2.2 Released 2014-02-05T00:00:00+00:00 http://blog.rubygems.org/2014/02/05/2.2.2-released <p>RubyGems 2.2.2 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed ruby tests when BASERUBY is not set. Patch for #778 by Nobuyoshi Nakada.</li> <li>Removed double requests in RemoteFetcher#cache_update_path to improve remote install speed. Pull request #772 by Charlie Somerville.</li> <li>The mkmf.log is now placed next to gem_make.out when building extensions.</li> <li><code class="language-plaintext highlighter-rouge">gem install -g --local</code> no longer accesses the network. Bug #776 by Jeremy Evans.</li> <li>RubyGems now correctly handles URL passwords with encoded characters. Pull request #781 by Brian Fletcher.</li> <li>RubyGems now correctly escapes URL characters. Pull request #788 by Brian Fletcher.</li> <li>RubyGems can now unpack tar files where the type flag is not given. Pull request #790 by Cody Russell.</li> <li>Typo corrections. 
Pull request ruby/ruby#506 by windwiny.</li> <li>RubyGems now uses both the default certificates and ssl_ca_cert instead of one or the other. Pull request #795 by zebardy.</li> <li>RubyGems can now use the bundler API against hosted gem servers in a directory. Pull request #801 by Brian Fletcher.</li> <li>RubyGems bin stubs now ignore non-versions. This allows RubyGems bin stubs to list file names like “<em>foo</em>”. Issue #799 by Postmodern.</li> <li>Restored behavior of Gem::Version::new when subclassed. Issue #805 by Sergio Rubio.</li> </ul> 2.2.1 Released 2014-01-06T00:00:00+00:00 http://blog.rubygems.org/2014/01/06/2.2.1-released <p>RubyGems 2.2.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Platforms in the Gemfile.lock GEM section are now handled correctly. Bug #767 by Diego Viola.</li> <li>RubyGems now displays which gem couldn’t be uninstalled from the home directory. Pull request #757 by Michal Papis.</li> <li>Removed unused method Gem::Resolver#find_conflict_state. Pull request #759 by Smit Shah.</li> <li>Fixed installing gems from local files without dependencies. Issue #760 by Arash Mousavi, pull request #764 by Tim Moore.</li> <li>Removed TODO about syntax that works in Ruby 1.8.7. Pull request #765 by Benjamin Fleischer.</li> <li>Switched Gem.ruby_api_version to use RbConfig::CONFIG[‘ruby_version’] which has the same value but is overridable by packagers through <code class="language-plaintext highlighter-rouge">--with-ruby-version=</code> when configuring ruby.
Bug #770 by Jeremy Evans.</li> <li>RubyGems now prefers the bundler API for <code class="language-plaintext highlighter-rouge">gem install</code> to reduce HTTP requests. (This change was intended for RubyGems 2.2.0 but was missed.) This should address bug #762 by Dan Peterson and bug #766 by mipearson.</li> <li>Added Gem::BasicSpecification#source_paths so documentation or analysis tools can work properly as require_paths no longer returns extension source directories. Bug #758 by Vít Ondruch.</li> <li>Gem.read_binary can read read-only files again. This caused file:// repositories to stop working. Bug #761 by John Anderson.</li> <li>Fixed specification file sorting for Ruby 1.8.7 compatibility. Pull request #763 by James Mead.</li> </ul> 2.2.0 Released 2013-12-26T00:00:00+00:00 http://blog.rubygems.org/2013/12/26/2.2.0-released <p>RubyGems 2.2.0 includes major enhancements, minor enhancements and bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Special thanks to Vít Ondruch and Michal Papis for testing and finding bugs in</em> <em>RubyGems as it was prepared for the 2.2.0 release.</em></p> <p><em>Major enhancements:</em></p> <ul> <li> <p>RubyGems can check for gem dependencies files (gem.deps.rb or Gemfile) when rubygems executables are started and uses the found dependencies. This means <code class="language-plaintext highlighter-rouge">rake</code> will work similar to <code class="language-plaintext highlighter-rouge">bundle exec rake</code>.
To enable this set the <code class="language-plaintext highlighter-rouge">RUBYGEMS_GEMDEPS</code> environment variable to the location of your dependencies file.</p> <p>See Gem::use_gemdeps for further details.</p> </li> <li> <p>A RubyGems directory may now be shared amongst multiple ruby versions. Upon activation RubyGems will automatically compile missing extensions for the current platform when the built objects are missing. Issue #596 by Michal Papis.</p> <p>By default different platforms do not share gem install locations so this must be configured by setting GEM_HOME to a common directory. Some gems use fixed paths for requiring extensions and are not compatible with sharing gem directories.</p> <p>The default sharing location may be configured by RubyGems packagers through Gem.default_ext_dir_for. Pull Request #744 by Vít Ondruch.</p> </li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>RubyGems checks the ‘allowed_push_host’ metadata value when pushing a gem to prevent an accidental push to a public repository (such as rubygems.org). If you have private gems you should set this value in your gem specification metadata. Pull request #603 by Seamus Abshere.</li> <li><code class="language-plaintext highlighter-rouge">gem list</code> now shows results for multiple arguments. Pull request #604 by Zach Rabinovich.</li> <li><code class="language-plaintext highlighter-rouge">gem pristine --extensions</code> will restore only gems with extensions. Issue #619 by Postmodern.</li> <li>Gem::Specification#files is now sorted. Pull request #612 by Justin George.</li> <li>For <code class="language-plaintext highlighter-rouge">gem list</code> and friends, “LOCAL” and “REMOTE” headers are omitted if only local or remote gem information is requested with <code class="language-plaintext highlighter-rouge">--quiet</code>. Pull request #615 by Michal Papis.</li> <li>Added Gem::Specification#full_require_paths which is like require_paths, but returns fully-qualified results.
Pull request #632 by Vít Ondruch.</li> <li>RubyGems now looks for the https_proxy environment variable for https:// sources. RubyGems will fall back to http_proxy if there is no https_proxy. Issue #610 by mkristian.</li> <li>RubyGems now creates directories in .gem files. Issue #631 by marksolaris.</li> <li>RubyGems raises an exception when a specification includes its gem. Issue #623 by notEthan.</li> <li>RubyGems now displays relevant release note information when updating RubyGems. Issue #647 by Trevor Wennblom.</li> <li>Deprecated Gem::Installer::ExtensionBuildError in favor of Gem::Ext::BuildError. The old constant is an alias for the new constant.</li> <li>When extensions are built the gem_make.out file is always written now, even on success. This will help with debugging bad builds that report success.</li> <li>If a specification fails to validate RubyGems shows a link to the specification reference guide. Issue #656 by Markus Heiler.</li> <li>When using <code class="language-plaintext highlighter-rouge">gem install -g</code>, RubyGems now detects the presence of an Isolate, Gemfile or gem.deps.rb file.</li> <li>Added Gem::StubSpecification#stubbed? to help determine if a user should run <code class="language-plaintext highlighter-rouge">gem pristine</code> to speed up gem loading. Pull request #694 and #701 by Jon Leighton.</li> <li>RubyGems now warns when a gem has a pessimistic version dependency that may be too strict.</li> <li>RubyGems now warns when a gem has an open-ended dependency.</li> <li>RubyGems now raises an exception when a dependency for a gem is defined twice.</li> <li>Marked the license specification attribute as recommended. Pull request #713 by Benjamin Fleischer.</li> <li>RubyGems uses io/console instead of <code class="language-plaintext highlighter-rouge">stty</code> when available. Pull request #740 by Nobuyoshi Nakada.</li> <li>Relaxed Gem.ruby tests for platforms that override where ruby lives.
Pull Request #755 by strzibny.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>RubyGems now returns an error status when any file given to <code class="language-plaintext highlighter-rouge">gem which</code> cannot be found. Ruby bug #9004 by Eugene Vilensky.</li> <li>Fixed command escaping when building rake extensions. Pull request #721 by Dmitry Ratnikov.</li> <li>Fixed uninstallation of gems when GEM_HOME is a relative directory. Issue #708 by Ryan Davis.</li> <li>Default gems are now ignored by Gem::Validator#alien. Issue #717 by David Bahar.</li> <li>Fixed typos in RubyGems. Pull requests #723, #725, #731 by Akira Matsuda, pull request #736 by Leo Gallucci, pull request #746 by DV Suresh.</li> <li>RubyGems now holds exclusive locks on cached gem files to prevent incorrect updates. Pull Request #737 by Smit Shah.</li> <li>Improved speed of <code class="language-plaintext highlighter-rouge">gem install --ignore-dependencies</code>. Patch by Terence Lee.</li> </ul> 2.2.0.rc.1 Released 2013-12-20T00:00:00+00:00 http://blog.rubygems.org/2013/12/20/2.2.0.rc.1-released <p>RubyGems 2.2.0.rc.1 includes major enhancements, minor enhancements and bug fixes.</p> <p>To update to the prerelease RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --prerelease --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Major enhancements:</em></p> <ul> <li> <p>RubyGems can check for gem dependencies files (gem.deps.rb or Gemfile) when rubygems executables are started and uses the found dependencies.
This means <code class="language-plaintext highlighter-rouge">rake</code> will work similar to <code class="language-plaintext highlighter-rouge">bundle exec rake</code>. To enable this set the <code class="language-plaintext highlighter-rouge">RUBYGEMS_GEMDEPS</code> environment variable to the location of your dependencies file.</p> <p>See Gem::use_gemdeps for further details.</p> </li> <li> <p>A RubyGems directory may now be shared amongst multiple ruby versions. Upon activation RubyGems will automatically compile missing extensions for the current platform when the built objects are missing. Issue #596 by Michal Papis.</p> <p>By default different platforms do not share gem install locations so this must be configured by setting GEM_HOME to a common directory. Some gems use fixed paths for requiring extensions and are not compatible with sharing gem directories.</p> <p>The default sharing location may be configured by RubyGems packagers through Gem.default_ext_dir_for. Pull Request #744 by Vít Ondruch.</p> </li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>RubyGems checks the ‘allowed_push_host’ metadata value when pushing a gem to prevent an accidental push to a public repository (such as rubygems.org). If you have private gems you should set this value in your gem specification metadata. Pull request #603 by Seamus Abshere.</li> <li><code class="language-plaintext highlighter-rouge">gem list</code> now shows results for multiple arguments. Pull request #604 by Zach Rabinovich.</li> <li><code class="language-plaintext highlighter-rouge">gem pristine --extensions</code> will restore only gems with extensions. Issue #619 by Postmodern.</li> <li>Gem::Specification#files is now sorted. Pull request #612 by Justin George.</li> <li>For <code class="language-plaintext highlighter-rouge">gem list</code> and friends, “LOCAL” and “REMOTE” headers are omitted if only local or remote gem information is requested with <code class="language-plaintext highlighter-rouge">--quiet</code>.
Pull request #615 by Michal Papis.</li> <li>Added Gem::Specification#full_require_paths which is like require_paths, but returns fully-qualified results. Pull request #632 by Vít Ondruch.</li> <li>RubyGems now looks for the https_proxy environment variable for https:// sources. RubyGems will fall back to http_proxy if there is no https_proxy. Issue #610 by mkristian.</li> <li>RubyGems now creates directories in .gem files. Issue #631 by marksolaris.</li> <li>RubyGems raises an exception when a specification includes its gem. Issue #623 by notEthan.</li> <li>RubyGems now displays relevant release note information when updating RubyGems. Issue #647 by Trevor Wennblom.</li> <li>Deprecated Gem::Installer::ExtensionBuildError in favor of Gem::Ext::BuildError. The old constant is an alias for the new constant.</li> <li>When extensions are built the gem_make.out file is always written now, even on success. This will help with debugging bad builds that report success.</li> <li>If a specification fails to validate RubyGems shows a link to the specification reference guide. Issue #656 by Markus Heiler.</li> <li>When using <code class="language-plaintext highlighter-rouge">gem install -g</code>, RubyGems now detects the presence of an Isolate, Gemfile or gem.deps.rb file.</li> <li>Added Gem::StubSpecification#stubbed? to help determine if a user should run <code class="language-plaintext highlighter-rouge">gem pristine</code> to speed up gem loading. Pull request #694 and #701 by Jon Leighton.</li> <li>RubyGems now warns when a gem has a pessimistic version dependency that may be too strict.</li> <li>RubyGems now warns when a gem has an open-ended dependency.</li> <li>RubyGems now raises an exception when a dependency for a gem is defined twice.</li> <li>Marked the license specification attribute as recommended. Pull request #713 by Benjamin Fleischer.</li> <li>RubyGems uses io/console instead of <code class="language-plaintext highlighter-rouge">stty</code> when available.
Pull request #740 by Nobuyoshi Nakada.</li> <li>Relaxed Gem.ruby tests for platforms that override where ruby lives. Pull Request #755 by strzibny.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>RubyGems now returns an error status when any file given to <code class="language-plaintext highlighter-rouge">gem which</code> cannot be found. Ruby bug #9004 by Eugene Vilensky.</li> <li>Fixed command escaping when building rake extensions. Pull request #721 by Dmitry Ratnikov.</li> <li>Fixed uninstallation of gems when GEM_HOME is a relative directory. Issue #708 by Ryan Davis.</li> <li>Default gems are now ignored by Gem::Validator#alien. Issue #717 by David Bahar.</li> <li>Fixed typos in RubyGems. Pull requests #723, #725, #731 by Akira Matsuda, pull request #736 by Leo Gallucci, pull request #746 by DV Suresh.</li> <li>RubyGems now holds exclusive locks on cached gem files to prevent incorrect updates. Pull Request #737 by Smit Shah.</li> <li>Improved speed of <code class="language-plaintext highlighter-rouge">gem install --ignore-dependencies</code>. Patch by Terence Lee.</li> </ul> 1.8.29 Released 2013-11-23T00:00:00+00:00 http://blog.rubygems.org/2013/11/23/1.8.29-released <p>RubyGems 1.8.29 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed installation when the LANG environment variable is empty.</li> <li>Added DigiCert High Assurance EV Root CA to the default SSL certificates for cloudfront.</li> </ul> 2.1.11 Released 2013-11-12T00:00:00+00:00 http://blog.rubygems.org/2013/11/12/2.1.11-released <p>RubyGems 2.1.11 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Gem::Specification::remove_spec no longer checks for existence of the spec to be removed. Issue #698 by Tiago Macedo.</li> <li>Restored wildcard handling when installing gems. Issue #697 by Chuck Remes.</li> <li>Added DigiCert High Assurance EV Root CA certificate for the cloudfront.net certificate change.</li> <li>The Gem::RemoteFetcher tests now choose the test server port more reliably. Pull Request #706 by akr.</li> </ul> 2.0.14 Released 2013-11-12T00:00:00+00:00 http://blog.rubygems.org/2013/11/12/2.0.14-released <p>RubyGems 2.0.14 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Gem::Specification::remove_spec no longer checks for existence of the spec to be removed. Issue #698 by Tiago Macedo.</li> <li>Restored wildcard handling when installing gems. Issue #697 by Chuck Remes.</li> <li>Added DigiCert High Assurance EV Root CA certificate for the cloudfront.net certificate change.</li> <li>The Gem::RemoteFetcher tests now choose the test server port more reliably. Pull Request #706 by akr.</li> </ul> 2.1.10 Released 2013-10-24T00:00:00+00:00 http://blog.rubygems.org/2013/10/24/2.1.10-released <p>RubyGems 2.1.10 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Use class check instead of :version method check when creating Gem::Version objects. Fixes #674 by jkanywhere.</li> <li>Fail during <code class="language-plaintext highlighter-rouge">gem update</code> when an error occurs checking for newer versions. This means RubyGems no longer reports “nothing to update” when it cannot communicate with the server. Issue #688 by Jimmy Dee.</li> <li>Allow installation of gems when the home directory does not exist. Issue #689 by Laurence Rowe.</li> <li>Fix updating gems which have multiple platforms. Issue #693 by Ookami Kenrou.</li> <li>The gem server now uses user-provided directories.
Issue #696 by Marcelo Alvim.</li> <li>Improved resolution of gems when specific versions have conflicting dependencies.</li> <li>RubyGems installs local gems regardless of platform again. Issue #695.</li> <li>The <code class="language-plaintext highlighter-rouge">--ignore-dependencies</code> option for gem installation works again. Issue #695.</li> </ul> 2.0.13 Released 2013-10-24T00:00:00+00:00 http://blog.rubygems.org/2013/10/24/2.0.13-released <p>RubyGems 2.0.13 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Use class check instead of :version method check when creating Gem::Version objects. Fixes #674 by jkanywhere.</li> <li>Allow installation of gems when the home directory does not exist. Issue #689 by Laurence Rowe.</li> <li>Fix updating gems which have multiple platforms. Issue #693 by Ookami Kenrou.</li> <li>The gem server now uses user-provided directories. Issue #696 by Marcelo Alvim.</li> </ul> RubyGems.org now supports Gittip 2013-10-14T00:00:00+00:00 http://blog.rubygems.org/2013/10/14/gittip <p>You can now link to your <a href="https://www.gittip.com">Gittip</a> account from your RubyGems profile page.</p> <p>Gittip is a way to give small weekly cash gifts to people you love and are inspired by. You can find more details on the <a href="https://www.gittip.com/about/">Gittip about page</a>.
If you don’t have a Gittip account you can quickly create one by clicking the sign-in button in the top-right corner and logging in through Twitter, Github or Bitbucket. You can also <a href="https://www.gittip.com/about/terms/">create a Gittip account for an organization</a>.</p> <p>After you’ve signed in, you can <a href="https://rubygems.org/profile/edit">edit your RubyGems profile</a> to include your Gittip username.</p> <p>PS: Here is the <a href="https://www.gittip.com/rubygems/">RubyGems.org team account</a></p> 2.1.9 Released 2013-10-14T00:00:00+00:00 http://blog.rubygems.org/2013/10/14/2.1.9-released <p>RubyGems 2.1.9 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Reduce sorting when fetching specifications. This speeds up the update and outdated commands, and others. Issue #657 by windwiny.</li> <li>Proxy usernames and passwords are now escaped properly. Ruby Bug #8979 by Masahiro Tomita, Issue #668 by Kouhei Sutou.</li> </ul> 2.0.12 Released 2013-10-14T00:00:00+00:00 http://blog.rubygems.org/2013/10/14/2.0.12-released <p>RubyGems 2.0.12 includes a bug fix.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Proxy usernames and passwords are now escaped properly. Ruby Bug #8979 and patch by Masahiro Tomita, Issue #668 by Kouhei Sutou.</li> </ul> 2.1.8 Released 2013-10-10T00:00:00+00:00 http://blog.rubygems.org/2013/10/10/2.1.8-released <p>RubyGems 2.1.8 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed local installation of platform gem files. Issue #664 by Ryan Melton.</li> <li>Files starting with “.” in the root directory are installed again. Issue #680 by Ivo Wever, Pull Request #681 by Jeremy Evans.</li> <li>The index generator no longer indexes default gems. Issue #661 by Jeremy Hinegardner.</li> </ul> 2.1.7 Released 2013-10-09T00:00:00+00:00 http://blog.rubygems.org/2013/10/09/2.1.7-released <p>RubyGems 2.1.7 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li><code class="language-plaintext highlighter-rouge">gem sources --list</code> now displays a list of sources. Pull request #672 by Nathan Marley.</li> <li>RubyGems no longer alters Gem::Specification.dirs when installing. Pull Request #670 by Vít Ondruch</li> <li>Use RFC 2616-compatible time in HTTP headers. Pull request #655 by Larry Marburger.</li> <li>RubyGems now gives a more descriptive message for missing licenses on validation. Issue #656 by Markus Heiler.</li> <li>Expand unpack destination directory. This fixes problems when File.realpath is missing and $GEM_HOME contains “..”. Issue #679 by Charles Nutter.</li> </ul> 2.1.6 Released 2013-10-08T00:00:00+00:00 http://blog.rubygems.org/2013/10/08/2.1.6-released <p>RubyGems 2.1.6 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Added certificates to follow the s3.amazonaws.com certificate change. Fixes #665 by emeyekayee. Fixes #671 by jonforums.</li> <li>Remove redundant built-in certificates not needed for https://rubygems.org Fixes #654 by Vít Ondruch.</li> <li>Added test for missing certificates for https://s3.amazonaws.com or https://rubygems.org. Pull request #673 by Hannes Georg.</li> <li>RubyGems now allows a Pathname for Kernel#require like the built-in Kernel#require. 
Pull request #663 by Aaron Patterson.</li> <li>Required rbconfig in Gem::ConfigFile for Ruby 1.9.1 compatibility. (Ruby 1.9.1 is no longer receiving security fixes, so please update to a newer version.) Issue #676 by Michal Papis. Issue wayneeseguin/rvm#2262 by Thomas Sänger.</li> </ul> 2.0.11 Released 2013-10-08T00:00:00+00:00 http://blog.rubygems.org/2013/10/08/2.0.11-released <p>RubyGems 2.0.1 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Added certificates to follow the s3.amazonaws.com certificate change. Fixes #665 by emeyekayee. Fixes #671 by jonforums.</li> <li>Remove redundant built-in certificates not needed for https://rubygems.org Fixes #654 by Vít Ondruch.</li> <li>Added test for missing certificates for https://s3.amazonaws.com or https://rubygems.org. Pull request #673 by Hannes Georg.</li> <li>RubyGems now allows a Pathname for Kernel#require like the built-in Kernel#require. Pull request #663 by Aaron Patterson.</li> <li>Required rbconfig in Gem::ConfigFile for Ruby 1.9.1 compatibility. (Ruby 1.9.1 is no longer receiving security fixes, so please update to a newer version.) Issue #676 by Michal Papis. 
Issue wayneeseguin/rvm#2262 by Thomas Sänger.</li> </ul> 1.8.28 Released 2013-10-08T00:00:00+00:00 http://blog.rubygems.org/2013/10/08/1.8.28-released <p>RubyGems 1.8.28 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Added certificates to follow the s3.amazonaws.com certificate change. Fixes #665 by emeyekayee. Fixes #671 by jonforums.</li> <li>Remove redundant built-in certificates not needed for https://rubygems.org Fixes #654 by Vít Ondruch.</li> <li>Added test for missing certificates for https://s3.amazonaws.com or https://rubygems.org. Pull request #673 by Hannes Georg.</li> </ul> CVE-2013-4363 Algorithmic complexity vulnerability in RubyGems 2.1.4 and older 2013-09-24T00:00:00+00:00 http://blog.rubygems.org/2013/09/24/CVE-2013-4363 <p>The patch for CVE-2013-4363 was insufficiently verified so the combined regular expression for verifying gem version remains vulnerable following CVE-2013-4363.</p> <p>RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. 
For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.</p> <p>RubyGems versions 2.1.4 and older are vulnerable.</p> <p>RubyGems versions <a href="/2013/09/24/2.1.5-released.html">2.1.5</a>, <a href="/2013/09/24/2.0.10-released.html">2.0.10</a>, <a href="/2013/09/24/1.8.27-released.html">1.8.27</a> and <a href="/2013/09/24/1.8.23.2-released.html">1.8.23.2</a> contain fixes.</p> <p>Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded versions of RubyGems.</p> <p>It does not appear to be possible to exploit this vulnerability by installing a gem for RubyGems 1.8.x or newer. Vulnerable uses of RubyGems API include packaging a gem (through <code class="language-plaintext highlighter-rouge">gem build</code>, Gem::Package or Gem::PackageTask), sending user input to Gem::Version.new, Gem::Version.correct? or use of the Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN constants.</p> <p>Notably, users of bundler that install gems from git are vulnerable if a malicious author changes the gemspec to an invalid version.</p> <p>The vulnerability can be fixed through one of the following patches to remove infinite repetition in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb:</p> <p>Patch for <a href="https://github.com/rubygems/rubygems/commit/dca0500bb24c7cba5551468a1ed28388876aded2">RubyGems 2.1.x</a></p> <p>Patch for <a href="https://github.com/rubygems/rubygems/commit/20325c134b5ca1928a15338eeb7ead1239dbf2b9">RubyGems 2.0.x</a></p> <p>Patch for <a href="https://github.com/rubygems/rubygems/commit/f63bfbc5c7b5725def5fecd6518ce2aa49e12ecd">RubyGems 1.8.x</a></p> <p>Patch for <a href="https://github.com/rubygems/rubygems/commit/56d1f8c17bc81f0eb354d5099021c498a0be9b51">RubyGems 1.8.23.1</a></p> <p>This vulnerability was discovered by Alexander Cherepanov <a href="mailto:cherepan@mccme.ru">cherepan@mccme.ru</a></p> 2.1.5 Released 2013-09-24T00:00:00+00:00 
http://blog.rubygems.org/2013/09/24/2.1.5-released <p>RubyGems 2.1.5 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See CVE-2013-4363 for full details including vulnerable APIs. Fixed versions include 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2 (for Ruby 1.9.3).</li> </ul> 2.0.10 Released 2013-09-24T00:00:00+00:00 http://blog.rubygems.org/2013/09/24/2.0.10-released <p>RubyGems 2.0.10 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See CVE-2013-4363 for full details including vulnerable APIs. 
Fixed versions include 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2 (for Ruby 1.9.3).</li> </ul> 1.8.27 Released 2013-09-24T00:00:00+00:00 http://blog.rubygems.org/2013/09/24/1.8.27-released <p>RubyGems 1.8.27 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See CVE-2013-4363 for full details including vulnerable APIs. Fixed versions include 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2 (for Ruby 1.9.3).</li> </ul> 1.8.23.2 Released 2013-09-24T00:00:00+00:00 http://blog.rubygems.org/2013/09/24/1.8.23.2-released <p>RubyGems 1.8.23.2 includes security fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See CVE-2013-4363 for full details including vulnerable APIs. 
Fixed versions include 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2 (for Ruby 1.9.3).</li> </ul> Branch Maintenance Policies 2013-09-19T00:00:00+00:00 http://blog.rubygems.org/2013/09/19/branch-maintenance-policy <p>Currently RubyGems is maintaining the following:</p> <ul> <li>RubyGems 1.8.x for security and Ruby forward-compatibility</li> <li>RubyGems 2.0.x for security and bug fixes</li> <li>RubyGems master (currently 2.1.x, 2.2.0 soon) for security fixes, bug fixes and new features</li> </ul> <p>The RubyGems 2.x series has been relatively problem-free despite some large internal changes. The changes since RubyGems 1.8.x have made RubyGems easier to work on and have made it easy to quickly respond to bugs with fixes. The number of changes between 1.8.x and 2.x make it difficult to continue to backport bug fixes to the 1.8.x branch, so users are recommended to upgrade to RubyGems 2.x.</p> <p>RubyGems 1.8.x will continue to receive security fixes as long as Ruby 1.9.3 is receiving security fixes. RubyGems 1.8.x may receive fixes for forward-compatibility (such as the changes to extension building in Ruby 2.0.0).</p> <p>RubyGems 2.0.x receives bug fixes because it is included in Ruby 2.0.0. When Ruby 2.1.0 is released, we may choose to discontinue bug fixes for RubyGems 2.0.x. 
RubyGems 2.0.x will receive security fixes as long as Ruby 2.0.0 is receiving security fixes.</p> <p>RubyGems 2.1.x will stop receiving bug fixes when RubyGems 2.2.0 is released.</p> <p>The RubyGems 2.x series will always support Ruby 1.8.7.</p> 2.1.4 Released 2013-09-17T00:00:00+00:00 http://blog.rubygems.org/2013/09/17/2.1.4-released <p>RubyGems 2.1.4 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li><code class="language-plaintext highlighter-rouge">gem uninstall foo --all</code> now force-uninstalls all versions of foo. Issue #650 by Kyle (remkade).</li> <li>Fixed uninstalling gems installed in the home directory (as in <code class="language-plaintext highlighter-rouge">--user-install</code>). Issue #653 by Lin Jen-Shin.</li> </ul> 2.0.9 Released 2013-09-13T00:00:00+00:00 http://blog.rubygems.org/2013/09/13/2.0.9-released <p>RubyGems 2.0.9 is a bug-fix release for the Ruby 2.0.0 patchlevel series.
To update to the 2.0.9 release you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system=2.0.9 </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p>Bug fixes:</p> <ul> <li>Gem fetch now fetches the newest (not oldest) gem when --version is given. Issue #643 by Brian Shirai.</li> <li>Fixed credential creation for <code class="language-plaintext highlighter-rouge">gem push</code> when <code class="language-plaintext highlighter-rouge">--host</code> is not given. Pull request #622 by Arthur Nogueira Neves</li> </ul> 2.1.3 Released 2013-09-12T00:00:00+00:00 http://blog.rubygems.org/2013/09/12/2.1.3-released <p>RubyGems 2.1.3 includes a bug fix.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fix:</em></p> <ul> <li>Gems with files entries starting with “./” no longer install 0 files.
Issue #644 by Darragh Curran, #645 by Brandon Turner, #646 by Alex Tambellini</li> </ul> 2.1.2 Released 2013-09-11T00:00:00+00:00 http://blog.rubygems.org/2013/09/11/2.1.2-released <p>RubyGems 2.1.2 includes bug fixes.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Restore concurrent requires following the fix for ruby bug #8374. Pull request #637 and issue #640 by Charles Nutter.</li> <li>Gems with extensions are now installed correctly when the --install-dir option is used. Issue #642 by Lin Jen-Shin.</li> <li>Gem fetch now fetches the newest (not oldest) gem when --version is given. Issue #643 by Brian Shirai.</li> </ul> 2.1.1 Released 2013-09-10T00:00:00+00:00 http://blog.rubygems.org/2013/09/10/2.1.1-released <p>RubyGems 2.1.1 includes a bug fix.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Bug fixes:</em></p> <ul> <li>Only gems matching your local platform are considered for installation. Issue #638 by José M.
Prieto, issue #639 by sawanoboly.</li> </ul> CVE-2013-4287 Algorithmic complexity vulnerability in RubyGems 2.0.7 and older 2013-09-09T00:00:00+00:00 http://blog.rubygems.org/2013/09/09/CVE-2013-4287 <p>RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.</p> <p>RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable.</p> <p>RubyGems versions <a href="/2013/09/09/2.1.0-released.html">2.1.0</a>, <a href="/2013/09/09/2.0.8-released.html">2.0.8</a>, <a href="/2013/09/09/1.8.26-released.html">1.8.26</a> and <a href="/2013/09/09/1.8.23.1-released.html">1.8.23.1</a> contain fixes.</p> <p>Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded versions of RubyGems.</p> <p>It does not appear to be possible to exploit this vulnerability by installing a gem for RubyGems 1.8.x or 2.0.x. Vulnerable uses of RubyGems API include packaging a gem (through <code class="language-plaintext highlighter-rouge">gem build</code>, Gem::Package or Gem::PackageTask), sending user input to Gem::Version.new, Gem::Version.correct? or use of the Gem::Version::VERSION_PATTERN or Gem::Version::ANCHORED_VERSION_PATTERN constants.</p> <p>Notably, users of bundler that install gems from git are vulnerable if a malicious author changes the gemspec to an invalid version.</p> <p>The vulnerability can be fixed by changing the first grouping to an atomic grouping in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb. For RubyGems 2.0.x:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>* VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: + VERSION_PATTERN = '[0-9]+(?&gt;\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' 
# :nodoc: </code></pre></div></div> <p>For RubyGems 1.8.x:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>* VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*' # :nodoc: + VERSION_PATTERN = '[0-9]+(?&gt;\.[0-9a-zA-Z]+)*' # :nodoc: </code></pre></div></div> <p>This vulnerability was discovered by Damir Sharipov <a href="mailto:dammer2k@gmail.com">dammer2k@gmail.com</a></p> 2.1.0 Released 2013-09-09T00:00:00+00:00 http://blog.rubygems.org/2013/09/09/2.1.0-released <p>RubyGems 2.1.0 includes several new features and a security update to fix <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a></p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a> for full details including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and 1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.</li> </ul> <p><em>Major enhancements:</em></p> <ul> <li>RubyGems uses a new dependency resolver for gem installation which works similar to the bundler resolver. The new resolver can resolve conflicts the previous resolver could not and offers improved diagnostics when conflicts are discovered.</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>RubyGems now has improved platform matching for the ARM architecture. 
Gems built with a CPU of “arm” will match any specific ARM CPU. See <code class="language-plaintext highlighter-rouge">gem help platform</code> for further details. Fixes #532 by Kim Burgestrand.</li> <li> <p>The --version option now accepts compound requirements the same as in a gem dependency. The following invocation will install rails between 4.0.0.beta and 4.2:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem install rails -v '&gt;= 4.0.0.beta, &lt; 4.2' </code></pre></div> </div> <p>Fixes #531 by Gary S. Weaver</p> </li> <li><code class="language-plaintext highlighter-rouge">gem clean</code> now allows <code class="language-plaintext highlighter-rouge">-n</code> as an alias for <code class="language-plaintext highlighter-rouge">--dryrun</code>. Pull Request #517 by Gastón Ramos</li> <li>Added <code class="language-plaintext highlighter-rouge">gem update --system</code> to <code class="language-plaintext highlighter-rouge">gem help</code>. Pull Request #514 by Vince Wadhwani</li> <li>Added PATH to <code class="language-plaintext highlighter-rouge">gem env</code> output. Pull Request #490 by Michal Papis</li> <li>Added --host option to <code class="language-plaintext highlighter-rouge">gem owner</code> to match other commands using the gemcutter API. Pull Request #462 and issue #461 by Hugo Lopes Tavares</li> <li>Added --abort-on-dependent to <code class="language-plaintext highlighter-rouge">gem uninstall</code>. This will abort instead of asking to uninstall a gem that is depended upon by another gem. Pull request #549 by Philip Arndt.</li> <li>RubyGems no longer alters Gem::Specification.dirs when installing. Based on Pull Request #452 by Vít Ondruch</li> <li>RubyGems uses <code class="language-plaintext highlighter-rouge">MAKE</code> or <code class="language-plaintext highlighter-rouge">make</code> environment variables over rbconfig.rb’s make if present.
Pull Request #443 by Erik Hollensbe</li> <li>RubyGems can now save remote source cache files in an alternate directory controlled by <code class="language-plaintext highlighter-rouge">ENV["GEM_SPEC_CACHE"]</code>. Pull Request #489 by Michal Papis</li> <li>Generated private keys are now encrypted. Pull Request #453 by pietro</li> <li>Separated Gem::Request from Gem::RemoteFetcher. Pull Request #283 by Steve Klabnik.</li> <li>RubyGems indicates when a .gem’s content is corrupt while verifying. Bug #519 by William T Nelson.</li> <li>Refactored common installer setup. Pull request #520 by Gastón Ramos</li> <li>Moved activation tests to Gem::Specification. Pull request #521 by Gastón Ramos</li> <li>When a --version option with a prerelease version is given RubyGems automatically enables prerelease versions but only the last version is used. If the first version is a prerelease version this is no longer sticky unless an explicit <code class="language-plaintext highlighter-rouge">--prerelease</code> or <code class="language-plaintext highlighter-rouge">--no-prerelease</code> was also given. Fixes part of #531.</li> <li>RubyGems now supports an SSL client certificate. Pull request #550 by Robert Kenny.</li> <li>RubyGems now suggests how to fix permission errors. Pull request #553 by Odin Dutton.</li> <li>Added support for installing a gem as default gems for alternate ruby implementations. Pull request #566 by Charles Nutter.</li> <li>Improved performance of Gem::Specification#load by caching the loaded gemspec. Pull request #569 by Charlie Somerville.</li> <li>RubyGems now warns when an unsigned gem is verified if -P was given during installation even if the security policy allows unsigned gems and warns when an untrusted certificate is seen even if the security policy allows untrusted certificates.
Issue #474 by Grant Olson</li> <li>RubyGems can now rewrite executables with or without a shebang of /usr/bin/env via <code class="language-plaintext highlighter-rouge">gem pristine --all --only-executables --env-shebang</code> (or <code class="language-plaintext highlighter-rouge">--no-env-shebang</code>). Issue #579 by Paul Annesley.</li> <li>RubyGems can now run its tests without OpenSSL. Ruby Bug #8557 by nobu.</li> <li>Improved performance by caching Gem::Version objects and avoiding method_missing in Gem::Specification. Pull request #447 by Jon Leighton.</li> <li>Files in a .gem now preserve their modification times. Pull request #582 by Jesse Bowes</li> <li>Improved speed of looking up dependencies in SpecFetcher through Array#bsearch (when present). Pull request #595 by Andras Suller</li> <li>Added <code class="language-plaintext highlighter-rouge">--all</code> option to <code class="language-plaintext highlighter-rouge">gem uninstall</code> which removes all gems in GEM_HOME. Pull request #584 by Shannon Skipper.</li> <li>Added Gem.find_latest_files which is equivalent to Gem.find_files but only returns matching files from the latest version of each gem. Issue #186 by Ryan Davis.</li> <li>Improved performance of <code class="language-plaintext highlighter-rouge">gem outdated</code> by reducing duplicate work (it is still slow, but I see a near 50% improvement for 250 gems on a fast connection). See also Gem::Specification::outdated_and_latest_version</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>rubygems_plugin.rb files are now only loaded from the latest installed gem.</li> <li>Fixed Gem.clear_paths when Security is defined at top-level. Pull request #625 by elarkin</li> <li>Fixed credential creation for <code class="language-plaintext highlighter-rouge">gem push</code> when <code class="language-plaintext highlighter-rouge">--host</code> is not given. 
Pull request #622 by Arthur Nogueira Neves</li> </ul> 2.0.8 Released 2013-09-09T00:00:00+00:00 http://blog.rubygems.org/2013/09/09/2.0.8-released <p>RubyGems 2.0.8 includes a bug fix and a security update to fix <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a></p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a> for full details including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and 1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fixed Gem.clear_paths when Security is defined at top-level. Pull request #625 by elarkin</li> </ul> 1.8.26 Released 2013-09-09T00:00:00+00:00 http://blog.rubygems.org/2013/09/09/1.8.26-released <p>RubyGems 1.8.26 includes a bug fix and a security update to fix <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a></p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. 
To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a> for full details including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and 1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Fixed editing of a Makefile with 8-bit characters. Fixes #181</li> </ul> 1.8.23.1 Released 2013-09-09T00:00:00+00:00 http://blog.rubygems.org/2013/09/09/1.8.23.1-released <p>RubyGems 1.8.23.1 includes a security update to fix <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a>. This release is designed to update the version of RubyGems in Ruby 1.9.3 to fix this security problem.</p> <p>To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>If you need to upgrade or downgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions. To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p><em>Security fixes:</em></p> <ul> <li>RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See <a href="/2013/09/09/CVE-2013-4287.html">CVE-2013-4287</a> for full details including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and 1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.</li> </ul> 2.1.0 Release Candidate 2 2013-08-26T00:00:00+00:00 http://blog.rubygems.org/2013/08/26/2.1.0.rc.2-released <p>RubyGems 2.1.0 is an upcoming release with many new features and some internal changes. 
If you would like to try out RubyGems 2.1.0 you can install it with:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system --prerelease </code></pre></div></div> <p>To downgrade to RubyGems 2.0.7 run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system=2.0.7 </code></pre></div></div> <p>If you need further instructions for downgrading RubyGems after installing 2.1.0.rc.1 see the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">upgrading</a> documentation.</p> <p><em>Major enhancements:</em></p> <ul> <li>RubyGems uses a new dependency resolver for gem installation which works similarly to the bundler resolver. The new resolver can resolve conflicts the previous resolver could not and offers improved diagnostics when conflicts are discovered.</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>RubyGems now has improved platform matching for the ARM architecture. Gems built with a CPU of “arm” will match any specific ARM CPU. See <code class="language-plaintext highlighter-rouge">gem help platform</code> for further details. Fixes #532 by Kim Burgestrand.</li> <li> <p>The <code class="language-plaintext highlighter-rouge">--version</code> option now accepts compound requirements the same as in a gem dependency. The following invocation will install rails between 4.0.0.beta and 4.2:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem install rails -v '&gt;= 4.0.0.beta, &lt; 4.2' </code></pre></div> </div> <p>Fixes #531 by Gary S. Weaver</p> </li> <li><code class="language-plaintext highlighter-rouge">gem clean</code> now allows <code class="language-plaintext highlighter-rouge">-n</code> as an alias for <code class="language-plaintext highlighter-rouge">--dryrun</code>. 
Pull Request #517 by Gastón Ramos</li> <li>Added <code class="language-plaintext highlighter-rouge">gem update --system</code> to <code class="language-plaintext highlighter-rouge">gem help</code>. Pull Request #514 by Vince Wadhwani</li> <li>Added PATH to <code class="language-plaintext highlighter-rouge">gem env</code> output. Pull Request #490 by Michal Papis</li> <li>Added <code class="language-plaintext highlighter-rouge">--host</code> option to <code class="language-plaintext highlighter-rouge">gem owner</code> to match other commands using the gemcutter API. Pull Request #462 and issue #461 by Hugo Lopes Tavares</li> <li>Added <code class="language-plaintext highlighter-rouge">--abort-on-dependent</code> to <code class="language-plaintext highlighter-rouge">gem uninstall</code>. This will abort instead of asking to uninstall a gem that is depended upon by another gem. Pull request #549 by Philip Arndt.</li> <li>RubyGems no longer alters Gem::Specification.dirs when installing. Based on Pull Request #452 by Vít Ondruch</li> <li>RubyGems uses <code class="language-plaintext highlighter-rouge">MAKE</code> or <code class="language-plaintext highlighter-rouge">make</code> environment variables over rbconfig.rb’s make if present. Pull Request #443 by Erik Hollensbe</li> <li>RubyGems can now save remote source cache files in an alternate directory controlled by <code class="language-plaintext highlighter-rouge">ENV["GEM_SPEC_CACHE"]</code>. Pull Request #489 by Michal Papis</li> <li>Generated private keys are now encrypted. Pull Request #453 by pietro</li> <li>Separated Gem::Request from Gem::RemoteFetcher. Pull Request #283 by Steve Klabnik.</li> <li>RubyGems indicates when a .gem’s content is corrupt while verifying. Bug #519 by William T Nelson.</li> <li>Refactored common installer setup. Pull request #520 by Gastón Ramos</li> <li>Moved activation tests to Gem::Specification. Pull request #521 by Gastón Ramos</li> <li>When a <code class="language-plaintext highlighter-rouge">--version</code> option with a prerelease version is given RubyGems automatically enables prerelease versions but only the last version is used. 
If the first version is a prerelease version this is no longer sticky unless an explicit <code class="language-plaintext highlighter-rouge">--prerelease</code> or <code class="language-plaintext highlighter-rouge">--no-prerelease</code> was also given. Fixes part of #531.</li> <li>RubyGems now supports an SSL client certificate. Pull request #550 by Robert Kenny.</li> <li>RubyGems now suggests how to fix permission errors. Pull request #553 by Odin Dutton.</li> <li>Added support for installing a gem as default gems for alternate ruby implementations. Pull request #566 by Charles Nutter.</li> <li>Improved performance of Gem::Specification#load by caching the loaded gemspec. Pull request #569 by Charlie Somerville.</li> <li>RubyGems now warns when an unsigned gem is verified if -P was given during installation even if the security policy allows unsigned gems and warns when an untrusted certificate is seen even if the security policy allows untrusted certificates. Issue #474 by Grant Olson</li> <li>RubyGems can now rewrite executables with or without a shebang of /usr/bin/env via <code class="language-plaintext highlighter-rouge">gem pristine --all --only-executables --env-shebang</code> (or <code class="language-plaintext highlighter-rouge">--no-env-shebang</code>). Issue #579 by Paul Annesley.</li> <li>RubyGems can now run its tests without OpenSSL. Ruby Bug #8557 by nobu.</li> <li>Improved performance by caching Gem::Version objects and avoiding method_missing in Gem::Specification. Pull request #447 by Jon Leighton.</li> <li>Files in a .gem now preserve their modification times. Pull request #582 by Jesse Bowes</li> <li>Improved speed of looking up dependencies in SpecFetcher through Array#bsearch (when present). Pull request #595 by Andras Suller</li> <li>Added <code class="language-plaintext highlighter-rouge">--all</code> option to <code class="language-plaintext highlighter-rouge">gem uninstall</code> which removes all gems in GEM_HOME. 
Pull request #584 by Shannon Skipper.</li> <li>Added Gem.find_latest_files which is equivalent to Gem.find_files but only returns matching files from the latest version of each gem. Issue #186 by Ryan Davis.</li> <li>Improved performance of <code class="language-plaintext highlighter-rouge">gem outdated</code> by reducing duplicate work (it is still slow, but I see a near 50% improvement for 250 gems on a fast connection). See also Gem::Specification::outdated_and_latest_version</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>rubygems_plugin.rb files are now only loaded from the latest installed gem.</li> </ul> 2.0.7 Released 2013-08-15T00:00:00+00:00 http://blog.rubygems.org/2013/08/15/2.0.7-released <p>RubyGems 2.0.7 is a bug-fix release. To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p><em>Bug fixes:</em></p> <ul> <li>Extensions may now be built in parallel (therefore gems may be installed in parallel). Bug #607 by Hemant Kumar.</li> <li>Changed broken link to RubyGems Bookshelf to point to RubyGems guides. Ruby pull request #369 by 謝致邦.</li> <li>Fixed various test failures due to platform differences or poor tests. Patches by Yui Naruse and Koichi Sasada.</li> <li>Fixed documentation for Kernel#require.</li> </ul> 2.1.0 Release Candidate 1 2013-07-25T00:00:00+00:00 http://blog.rubygems.org/2013/07/25/2.1.0.rc.1-released <p>RubyGems 2.1.0 will contain new features. 
To update to RubyGems 2.1.0.rc.1 run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system --prerelease </code></pre></div></div> <p>To downgrade to RubyGems 2.0.6 run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system=2.0.6 </code></pre></div></div> <p>If you need further instructions for downgrading RubyGems after installing 2.1.0.rc.1 see the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">upgrading</a> documentation.</p> <p><em>Major enhancements:</em></p> <ul> <li>RubyGems uses a new dependency resolver for gem installation which works similarly to the bundler resolver. The new resolver can resolve conflicts the previous resolver could not and offers improved diagnostics when conflicts are discovered.</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>RubyGems now has improved platform matching for the ARM architecture. Gems built with a CPU of “arm” will match any specific ARM CPU. See <code class="language-plaintext highlighter-rouge">gem help platform</code> for further details. Fixes #532 by Kim Burgestrand.</li> <li> <p>The <code class="language-plaintext highlighter-rouge">--version</code> option now accepts compound requirements the same as in a gem dependency. The following invocation will install rails between 4.0.0.beta and 4.2:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem install rails -v '&gt;= 4.0.0.beta, &lt; 4.2' </code></pre></div> </div> <p>Fixes #531 by Gary S. Weaver</p> </li> <li><code class="language-plaintext highlighter-rouge">gem clean</code> now allows <code class="language-plaintext highlighter-rouge">-n</code> as an alias for <code class="language-plaintext highlighter-rouge">--dryrun</code>. 
Pull Request #517 by Gastón Ramos</li> <li>Added <code class="language-plaintext highlighter-rouge">gem update --system</code> to <code class="language-plaintext highlighter-rouge">gem help</code>. Pull Request #514 by Vince Wadhwani</li> <li>Added PATH to <code class="language-plaintext highlighter-rouge">gem env</code> output. Pull Request #490 by Michal Papis</li> <li>Added <code class="language-plaintext highlighter-rouge">--host</code> option to <code class="language-plaintext highlighter-rouge">gem owner</code> to match other commands using the gemcutter API. Pull Request #462 and issue #461 by Hugo Lopes Tavares</li> <li>Added <code class="language-plaintext highlighter-rouge">--abort-on-dependent</code> to <code class="language-plaintext highlighter-rouge">gem uninstall</code>. This will abort instead of asking to uninstall a gem that is depended upon by another gem. Pull request #549 by Philip Arndt.</li> <li>RubyGems no longer alters Gem::Specification.dirs when installing. Based on Pull Request #452 by Vít Ondruch</li> <li>RubyGems uses the <code class="language-plaintext highlighter-rouge">MAKE</code> or <code class="language-plaintext highlighter-rouge">make</code> environment variables over rbconfig.rb’s make if present. Pull Request #443 by Erik Hollensbe</li> <li>RubyGems can now save remote source cache files in an alternate directory controlled by <code class="language-plaintext highlighter-rouge">ENV["GEM_SPEC_CACHE"]</code>. Pull Request #489 by Michal Papis</li> <li>Generated private keys are now encrypted. Pull Request #453 by pietro</li> <li>Separated Gem::Request from Gem::RemoteFetcher. Pull Request #283 by Steve Klabnik.</li> <li>RubyGems indicates when a .gem’s content is corrupt while verifying. Bug #519 by William T Nelson.</li> <li>Refactored common installer setup. Pull request #520 by Gastón Ramos</li> <li>Moved activation tests to Gem::Specification. Pull request #521 by Gastón Ramos</li> <li>When a <code class="language-plaintext highlighter-rouge">--version</code> option with a prerelease version is given RubyGems automatically enables prerelease versions but only the last version is used. 
If the first version is a prerelease version this is no longer sticky unless an explicit <code class="language-plaintext highlighter-rouge">--prerelease</code> or <code class="language-plaintext highlighter-rouge">--no-prerelease</code> was also given. Fixes part of #531.</li> <li>RubyGems now supports an SSL client certificate. Pull request #550 by Robert Kenny.</li> <li>RubyGems now suggests how to fix permission errors. Pull request #553 by Odin Dutton.</li> <li>Added support for installing a gem as default gems for alternate ruby implementations. Pull request #566 by Charles Nutter.</li> <li>Improved performance of Gem::Specification#load by caching the loaded gemspec. Pull request #569 by Charlie Somerville.</li> <li>RubyGems now warns when an unsigned gem is verified if -P was given during installation even if the security policy allows unsigned gems and warns when an untrusted certificate is seen even if the security policy allows untrusted certificates. Issue #474 by Grant Olson</li> <li>RubyGems can now rewrite executables with or without a shebang of /usr/bin/env via <code class="language-plaintext highlighter-rouge">gem pristine --all --only-executables --env-shebang</code> (or <code class="language-plaintext highlighter-rouge">--no-env-shebang</code>). Issue #579 by Paul Annesley.</li> <li>RubyGems can now run its tests without OpenSSL. Ruby Bug #8557 by nobu.</li> <li>Improved performance by caching Gem::Version objects and avoiding method_missing in Gem::Specification. Pull request #447 by Jon Leighton.</li> <li>Files in a .gem now preserve their modification times. Pull request #582 by Jesse Bowes</li> <li>Improved speed of looking up dependencies in SpecFetcher through Array#bsearch (when present). Pull request #595 by Andras Suller</li> <li>Added <code class="language-plaintext highlighter-rouge">--all</code> option to <code class="language-plaintext highlighter-rouge">gem uninstall</code> which removes all gems in GEM_HOME. 
Pull request #584 by Shannon Skipper.</li> <li>Added Gem.find_latest_files which is equivalent to Gem.find_files but only returns matching files from the latest version of each gem. Issue #186 by Ryan Davis.</li> <li>Improved performance of <code class="language-plaintext highlighter-rouge">gem outdated</code> by reducing duplicate work (it is still slow, but I see a near 50% improvement for 250 gems on a fast connection). See also Gem::Specification::outdated_and_latest_version</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>rubygems_plugin.rb files are now only loaded from the latest installed gem.</li> <li>Altered use of cryptography in the test suite to work on JRuby, but some tests still fail on JRuby. Bug #606 by Hemant Kumar.</li> </ul> 2.0.6 Released 2013-07-24T00:00:00+00:00 http://blog.rubygems.org/2013/07/24/2.0.6-released <p>RubyGems 2.0.6 is a bug-fix release. To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed the <code class="language-plaintext highlighter-rouge">--no-install</code> and <code class="language-plaintext highlighter-rouge">-I</code> options to <code class="language-plaintext highlighter-rouge">gem list</code> and friends. Bug #593 by Blargel.</li> <li>Fixed crash when installing gems with extensions under the <code class="language-plaintext highlighter-rouge">-V</code> flag. Bug #601 by Nick Hoffman.</li> <li>Fixed race condition retrieving HTTP connections in Gem::Request on JRuby. 
Bug #597 by Hemant Kumar.</li> <li>Fixed building extensions on ruby 1.9.3 under mingw. Bug #594 by jonforums, Bug #599 by Chris Riesbeck</li> <li>Restored default of remote search to <code class="language-plaintext highlighter-rouge">gem search</code>.</li> </ul> 2.0.5 Released 2013-07-11T00:00:00+00:00 http://blog.rubygems.org/2013/07/11/2.0.5-released <p>RubyGems 2.0.5 is a bug-fix release. To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed building of extensions that run ruby in their makefiles. Bug #589 by Zachary Salzbank.</li> </ul> 2.0.4 Released 2013-07-09T00:00:00+00:00 http://blog.rubygems.org/2013/07/09/2.0.4-released <p>RubyGems 2.0.4 is a bug-fix release. To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed error caused by gem install not finding the right platform for your platform. Bug #576 by John Anderson</li> <li>Fixed pushing gems with the default host. 
Bug #495 by Utkarsh Kukreti</li> <li>Improved unhelpful error message from <code class="language-plaintext highlighter-rouge">gem owner --remove</code>. Bug #488 by Steve Klabnik</li> <li>Fixed typo in <code class="language-plaintext highlighter-rouge">gem spec</code> help. Pull request #563 by oooooooo</li> <li>Fixed creation of build_info with <code class="language-plaintext highlighter-rouge">--install-dir</code>. Bug #457 by Vít Ondruch.</li> <li>RubyGems converts non-string dependency names to strings now. Bug #505 by Terence Lee</li> <li>Outdated prerelease versions are now listed in <code class="language-plaintext highlighter-rouge">gem outdated</code>.</li> <li>RubyGems now only calls fsync() on the specification when installing, not every file from the gem. This improves the performance of gem installation on some systems. Pull Request #556 by Grzesiek Kolodziejczyk</li> <li>Removed surprise search term anchoring in <code class="language-plaintext highlighter-rouge">gem search</code> to restore 1.8-like search behavior while still defaulting to <code class="language-plaintext highlighter-rouge">--remote</code>. Pull request #562 by Ben Bleything</li> <li>Fixed handling of DESTDIR when building extensions. Pull request #573 by Akinori MUSHA</li> <li>Fixed documentation of <code class="language-plaintext highlighter-rouge">gem pristine</code> defaults (<code class="language-plaintext highlighter-rouge">--all</code> is not a default). Pull request #577 by Shannon Skipper</li> <li>Fixed a windows extension-building test failure. Pull request #575 by Hiroshi Shirosaki</li> <li>Fixed issue with <code class="language-plaintext highlighter-rouge">gem update</code> where it would attempt to use a Version instead of a Requirement to find the latest gem. Fixes #570 by Nick Cox.</li> <li>RubyGems now ignores an empty but set RUBYGEMS_HOST environment variable. Based on pull request #558 by Robin Dupret.</li> <li>Removed duplicate creation of gem subdirectories in Gem::DependencyInstaller. 
Pull Request #456 by Vít Ondruch</li> <li>RubyGems now works with Ruby built with <code class="language-plaintext highlighter-rouge">--with-ruby-version=''</code>. Pull Request #455 by Vít Ondruch</li> <li>Fixed race condition when two threads require the same gem. Ruby bug report #8374 by Joel VanderWerf</li> <li>Cleaned up siteconf between extension build and extension install. Pull request #587 by Dominic Cleal</li> <li>Fixed deprecation warnings when converting gemspecs to yaml. Ruby commit r41148 by Yui Naruse</li> </ul> Post-Mortem of Today's Partial Outage 2013-04-06T00:00:00+00:00 http://blog.rubygems.org/2013/04/06/postmortem <p>Over a period of around 12 hours, from late last night (April 5th) eastern US time until approximately 10:45am this morning there was a partial outage of Rubygems.org. The root disk on the application server filled up completely because of some logs that didn’t get rotated. This prevented new account signups, password resets, and gem pushes from taking place. I’m sorry that this happened and will personally ensure steps are taken to alert the Rubygems.org operations team before outages of this nature happen again.</p> <p>Right now there is no systems monitoring in place for the servers that run Rubygems.org, which makes debugging issues very difficult without accessing a remote machine and manually surfacing the problem. We were planning on deploying the Datadog agent onto the instances tonight even before this incident. In tandem with Pagerduty, Datadog will allow us to set up an on-call schedule for those contributors with access to the infrastructure. 
We’ll also be taking a look at the logrotate configurations and tuning them appropriately to prevent disks from filling up in the future.</p> <p>I’m very sorry this happened and prevented gem maintainers from being able to effectively use the service.</p> New blog design 2013-03-18T00:00:00+00:00 http://blog.rubygems.org/2013/03/18/new-blog-design <p>We have a brand new blog design courtesy of <a href="https://thoughtbot.com">thoughtbot</a> and <a href="https://github.com/ehmorris">Edwin Morris</a>!</p> <p>Some neat facts about this design:</p> <ul> <li>The code for the blog is all <a href="https://github.com/rubygems/rubygems.github.com">open source</a> and content is <a href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons</a> licensed.</li> <li>It’s now responsive, so it will look great on any device!</li> <li>It’s a great example for using <a href="http://bourbon.io/">Bourbon</a>, a simple set of SCSS mixins</li> <li>All generated with <a href="http://quaran.to/blog/2013/01/09/use-jekyll-scss-coffeescript-without-plugins/">no Jekyll plugins!</a></li> </ul> <p>Huge thanks to thoughtbot for a continued commitment to making RubyGems awesome.</p> 2.0.3 Released 2013-03-11T00:00:00+00:00 http://blog.rubygems.org/2013/03/11/2.0.3-released <p>RubyGems 2.0.3 is a bug-fix release. To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p><em>Bug fixes:</em></p> <ul> <li>Reverted automatic upgrade to HTTPS as it breaks RubyGems APIs. 
Fixes #506 by André Arko</li> <li>Use File.realpath to remove extra / while checking if files are installable. Issue #508 by Jacob Evans.</li> <li>When installing RubyGems on JRuby, the standard library is no longer deleted. Fixes #504 by Juan Sanchez, #507 by Charles Oliver Nutter.</li> <li>When building extconf.rb extensions use the intermediate destination directory. This addresses further issues with C extension building.</li> <li>Use the absolute path to the generated siteconf in case the extension changes directories to run extconf.rb (like memcached). Fixes #498 by Chris Morris.</li> <li>Fixed default gem key and cert locations. Pull request #511 by Samuel Cochran.</li> </ul> 2.0.2 Released 2013-03-06T00:00:00+00:00 http://blog.rubygems.org/2013/03/06/2.0.2-released <p>RubyGems 2.0.2 is a bug-fix release. To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page.</p> <p>If you installed 2.0.1 and are unable to upgrade please follow the <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a> instructions.</p> <p><em>Bug fixes:</em></p> <ul> <li>SSL Certificates are now installed properly. Fixes #491 by hemanth.hm</li> <li>Fixed HTTP to HTTPS upgrade for rubygems.org.</li> </ul> 2.0.1 Released 2013-03-05T00:00:00+00:00 http://blog.rubygems.org/2013/03/05/2.0.1-released <p><em>NOTE:</em> This release has been yanked due to a bug in HTTPS handling that may leave you unable to install gems or upgrade RubyGems. <a href="http://blog.rubygems.org/2013/03/06/2.0.2-released.html">2.0.2</a> has been released to address these issues.</p> <p>RubyGems 2.0.1 is a bug-fix release. 
To update to the latest RubyGems you can run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system </code></pre></div></div> <p>To install RubyGems by hand see the <a href="https://rubygems.org/pages/download">Download RubyGems</a> page. To downgrade RubyGems see <a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html">how to upgrade/downgrade RubyGems</a>.</p> <p><em>Bug fixes:</em></p> <ul> <li>HTTPS URLs are preferred over HTTP URLs. RubyGems will now attempt to upgrade any HTTP source to HTTPS. Credit to Alex Gaynor.</li> <li>Lazily load RubyGems.org API credentials to avoid failure during RubyGems installation. Bug #465 by Isaac Sanders.</li> <li>RubyGems now picks the latest prerelease to install. Fixes bug #468 by Santiago Pastorino.</li> <li>Improved detection of missing Zlib::GzipReader encoding support. Works around JRuby-only bug #472 by Matt Beedle.</li> <li>“Done installing documentation” is no longer displayed when documentation generation is disabled. Fixes bug #469 by Jeff Sandberg</li> <li>The existing executable check now respects <code class="language-plaintext highlighter-rouge">--format-executable</code>. Pull request #471 by Jeremy Evans.</li> <li>RubyGems no longer creates gem subdirectories when fetching gems. Fixes #482 by Loren Segal.</li> <li>RubyGems does not require OpenSSL, unlike RubyGems 1.8, but still prefers it. Fixes #481 by André Arko.</li> <li>RubyGems only fetches specs for list, search and query commands when needed, like RubyGems 1.x. Fixes bug #487 by bitbuerster, Ruby bug #8019 by Ike Miller.</li> <li>Allow specification of mode for gem subdirectory creation. Ruby bug #7713 by nobu</li> <li>Fix tests when an ‘a.rb’ exists. Ruby bug #7749 by nobu.</li> </ul> 2.0.0 Released 2013-02-24T00:00:00+00:00 http://blog.rubygems.org/2013/02/24/2.0.0-released <p>RubyGems 2.0 includes several new features and many breaking changes. Some of these changes will cause existing software to break. 
These changes are a result of improvements to the internals of RubyGems that make it more maintainable and improve APIs for RubyGems users.</p> <p>If you are using bundler be sure to install a 1.3.0.prerelease version or newer. Older versions of bundler will not work with RubyGems 2.0.</p> <p>Changes since RubyGems 1.8.25 (including past pre-releases):</p> <p><em>Breaking changes:</em></p> <ul> <li>Deprecated Gem.unresolved_deps in favor of Gem::Specification.unresolved_deps</li> <li>Merged Gem::Builder into Gem::Package. Use Gem::Package.build(spec) instead of Gem::Builder.new(spec).build</li> <li>Merged Gem::Format into Gem::Package. Use Gem::Package.new instead of Gem::Format.from_file_by_path</li> <li>Moved Gem::OldFormat to Gem::Package::Old. Gem::Package will automatically detect old gems for you, so there is no need to refer to it.</li> <li>Removed Gem::DocManager, replaced by Gem::RDoc and done_installing hook</li> <li>Removed Gem::Package::TarInput in favor of Gem::Package</li> <li>Removed Gem::Package::TarOutput in favor of Gem::Package</li> <li>Removed Gem::RemoteFetcher#open_uri_or_path. (steveklabnik)</li> <li>Removed Gem::SSL in favor of using OpenSSL directly</li> <li>Removed Gem.loaded_path</li> <li>Removed RSS generation from the gem indexer</li> <li>Removed benchmark option from .gemrc</li> <li>Removed broken YAML gemspec support in <code class="language-plaintext highlighter-rouge">gem build</code></li> <li>Removed support for Ruby 1.9.1</li> <li>Removed many deprecated methods</li> </ul> <p><em>Major enhancements:</em></p> <ul> <li>Improved support for default gems shipping with ruby 2.0.0+</li> <li>A gem can have arbitrary metadata through Gem::Specification#metadata</li> <li><code class="language-plaintext highlighter-rouge">gem search</code> now defaults to <code class="language-plaintext highlighter-rouge">--remote</code> and is anchored like gem list. Fixes #166</li> <li>Added <code class="language-plaintext highlighter-rouge">--document</code> to replace <code class="language-plaintext highlighter-rouge">--rdoc</code> and <code class="language-plaintext highlighter-rouge">--ri</code>. 
Use <code class="language-plaintext highlighter-rouge">--no-document</code> to disable documentation, <code class="language-plaintext highlighter-rouge">--document=rdoc</code> to only generate rdoc.</li> <li>Only ri-format documentation is generated by default.</li> <li><code class="language-plaintext highlighter-rouge">gem server</code> uses RDoc::Servlet from RDoc 4.0 to generate HTML documentation.</li> <li>Added ability to install gems directly from a compatible gemdep file (Gemfile, Isolate, gem.deps.rb): <code>gem install --file path</code></li> <li>Added ability to load gem activation information from a gemdeps file (Gemfile, Isolate, gem.deps.rb). Set RUBYGEMS_GEMDEPS=path to have it loaded. Use - as the path to autodetect (current and parent directories are searched).</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>Added <code class="language-plaintext highlighter-rouge">gem check --doctor</code> to clean up after failed uninstallation. Bug #419 by Erik Hollensbe</li> <li>RubyGems no longer defaults to uninstalling gems if a dependency would be broken. Now you must manually say “yes”. Pull Request #406 by Shannon Skipper.</li> <li>Gem::DependencyInstaller now passes build_args down to the installer. Pull Request #412 by Sam Rawlins.</li> <li>Added a cmake builder. Pull request #265 by Allan Espinosa.</li> <li>Removed rubyforge page from gem list output</li> <li>Added <code class="language-plaintext highlighter-rouge">--only-executables</code> option to <code class="language-plaintext highlighter-rouge">gem pristine</code>. Fixes #326</li> <li>Added -I flag for ‘gem query’ to exclude installed items</li> <li>Added Gem.install(name, version=default) for interactive sessions</li> <li>Added Gem::FilePermissionError#directory</li> <li>Added Gem::rubygems_version which is like Gem::ruby_version</li> <li>Added RUBYGEMS_HOST documentation to <code class="language-plaintext highlighter-rouge">gem env</code></li> <li>Added a post_installs hook that runs after Gem::DependencyInstaller finishes installing a set of gems</li> <li>Added a usage method for Gem::Commands::OwnerCommand. 
(ffmike)</li> <li>Added an optional type parameter to Gem::Specification#doc_dir.</li> <li>Added announcements url and clarified how to file tickets</li> <li>Added guidance for how to use rdoc and ri in setup command. (jjb)</li> <li>Attempting to install multiple gems with <code class="language-plaintext highlighter-rouge">--version</code> is now an error. You can specify per-gem versions like <code>rake:0.9.5</code></li> <li>Clarified Gem::CommandManager example code to avoid multi load problems. (baroquebobcat)</li> <li>Corrupt or bad cached specs are now re-downloaded. (cookrn)</li> <li>Extension build arguments are saved from install and reused for pristine</li> <li>If the OS allows it, documentation is built in a forked background process. (alexch)</li> <li>Imported gem yank from the gemcutter gem. Fixes #177, #343</li> <li>Packaged gems now contain and verify SHA1 checksums</li> <li>Removed commas from gem update summary so you can paste it back to cleanup. (amatsuda)</li> <li>RubyGems will now warn when building gems with prerelease dependencies. Fixes #255</li> <li>The RUBYGEMS_HOST environment variable is used to determine the appropriate API key for pushing or yanking gems</li> <li>Uninstall is now performed in reverse topological order.</li> <li>Users are told what to type when they try to uninstall a gem outside GEM_HOME</li> <li>When building gems with non-world-readable files a warning is shown.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Gem.refresh now maintains the active gem list. Clearing the list would cause double-loads which would cause other bugs. Pull Request #427 by Jeremy Evans</li> <li>RubyGems now refuses to read the gem push credentials file if it has insecure permissions. Pull Request #438 by Shannon Skipper</li> <li>RubyGems now requires a local gem name to end in ‘.gem’. Issue #407 by Santiago Pastorino.</li> <li>Do not allow old-format gems to be installed with a security policy that verifies data.</li> <li>Gem installation will fail if RubyGems cannot load the specification from the gem. 
Bug #419 by Erik Hollensbe</li> <li>RubyGems tests now run in FIPS mode. Issue #365 by Vít Ondruch</li> <li>Only update the spec cache when we have permission. Ruby Bug #7509</li> <li>gem install now ignores directories and non .gem files that match the gem to install. Bug #407 by Santiago Pastorino.</li> <li>Added PID to setup bin_file while installing RubyGems to protect against errors. Fixes #328 by ConradIrwin</li> <li>Added missing require in Gem::Uninstaller when format_executable is set. (sakuro)</li> <li>Exact gem command name matches are now chosen even if a longer command overlaps the exact name</li> <li>Fixed Gem.loaded_path? with a Pathname instance. (mattetti)</li> <li>Fixed Gem::Dependency.new mismatch with rubygems.org checks</li> <li>Fixed SecurityError in Gem::Specification.load when $SAFE=1. (ged)</li> <li>Fixed SystemStackError with “gem list -r -a” on 1.9 (cldwalker)</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem owners</code> command so that exceptions don’t stop the rest of the command from completing</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem unpack uninstalled_gem</code> default version picker.</li> <li>Fixed defunct rubyforge urls in gem command line help</li> <li>Fixed documentation for the various hooks collections</li> <li>Fixed documentation generation on setup when the gem directory does not exist. Fixes #253</li> <li>Fixed documentation to reflect where defaults overrides are loaded from. (ferrous26)</li> <li>Fixed editing of a Makefile with 8-bit characters. Fixes #181</li> <li>Fixed gem loading issue caused by dependencies not resolving.</li> <li>Fixed independent testing of test_gem_package_tar_output. Ruby Bug #4686 by Shota Fukumori</li> <li>Fixed typo in uninstall message. (sandal)</li> <li>Gem::Requirement#&lt;=&gt; returns nil on non-requirement arg.</li> <li>Gem::Requirement.satisfied_by? 
raises ArgumentError if given a non-version argument</li> <li>Gem::Version#initialize no longer modifies its parameter. (miaout17)</li> <li>Group-writable permissions are now allowed for gem repositories. (ctcherry)</li> <li>Memoized values in Gem::Specification are now reset when the version or platform changes. Fixes #78</li> <li>More specific errors are raised for bad requirements. (arsduo)</li> <li>Removed reference to ‘sources’ gem in documentation</li> <li>Removed unused block arguments to avoid creating Proc objects. (k-tsj)</li> <li>RubyGems now asks before overwriting executable wrappers. Ruby Bug #1800</li> <li>The bindir is now created with mkdir_p during install. (voxik)</li> <li>URI scheme matching is no longer case-sensitive. Fixes #322</li> <li>ext/builder now checks $MAKE as well as $make (okkez)</li> </ul> <p>Changes since RubyGems 2.0.0.rc.2:</p> <p><em>Bug fixes:</em></p> <ul> <li>Gem.gzip and Gem.gunzip now return strings with BINARY encoding. Issue #450 by Jeremy Kemper</li> <li>Fixed placement of executables with --user-install. Ruby bug #7779 by Jon Forums.</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem update</code> with --user-install. Ruby bug #7779 by Jon Forums.</li> <li>Fixed test_initialize_user_install for windows. Ruby bug #7885 by Luis Lavena.</li> <li>Create extension destination directory before building extensions. Ruby Bug #7897 and patch by Kenta Murata.</li> <li>Fixed verification of gems at LowSecurity due to missing signature. Thanks to André Arko.</li> </ul> 2.0.0.rc.2 Released 2013-02-08T00:00:00+00:00 http://blog.rubygems.org/2013/02/08/2.0.0.rc.2-released <p>As a preview release, please file bugs for any problems you have with RubyGems at https://github.com/rubygems/rubygems/issues. 
To update to this preview release use:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem update --system=2.0.0.rc.2 </code></pre></div></div> <p>RubyGems 2.0 includes several new features and many breaking changes. Some of these changes will cause existing software to break. These changes are a result of improvements to the internals of RubyGems that make it more maintainable and improve APIs for RubyGems users.</p> <p>If you are using bundler be sure to install version 1.3.0.pre. Older versions of bundler will not work with RubyGems 2.0.</p> <p>Changes since RubyGems 1.8.25 (including past pre-releases):</p> <p><em>Breaking changes:</em></p> <ul> <li>Deprecated Gem.unresolved_deps in favor of Gem::Specification.unresolved_deps</li> <li>Merged Gem::Builder into Gem::Package. Use Gem::Package.build(spec) instead of Gem::Builder.new(spec).build</li> <li>Merged Gem::Format into Gem::Package. Use Gem::Package.new instead of Gem::Format.from_file_by_path</li> <li>Moved Gem::OldFormat to Gem::Package::Old. Gem::Package will automatically detect old gems for you, so there is no need to refer to it.</li> <li>Removed Gem::DocManager, replaced by Gem::RDoc and done_installing hook</li> <li>Removed Gem::Package::TarInput in favor of Gem::Package</li> <li>Removed Gem::Package::TarOutput in favor of Gem::Package</li> <li>Removed Gem::RemoteFetcher#open_uri_or_path. 
(steveklabnik)</li> <li>Removed Gem::SSL in favor of using OpenSSL directly</li> <li>Removed Gem.loaded_path</li> <li>Removed RSS generation from the gem indexer</li> <li>Removed benchmark option from .gemrc</li> <li>Removed broken YAML gemspec support in <code class="language-plaintext highlighter-rouge">gem build</code></li> <li>Removed support for Ruby 1.9.1</li> <li>Removed many deprecated methods</li> </ul> <p><em>Major enhancements:</em></p> <ul> <li>Improved support for default gems shipping with ruby 2.0.0+</li> <li>A gem can have arbitrary metadata through Gem::Specification#metadata</li> <li><code class="language-plaintext highlighter-rouge">gem search</code> now defaults to --remote and is anchored like gem list. Fixes #166</li> <li>Added --document to replace --rdoc and --ri. Use --no-document to disable documentation, --document=rdoc to only generate rdoc.</li> <li>Only ri-format documentation is generated by default.</li> <li><code class="language-plaintext highlighter-rouge">gem server</code> uses RDoc::Servlet from RDoc 4.0 to generate HTML documentation.</li> <li>Add ability to install gems directly from a compatible gemdep file (Gemfile, Isolate, gem.deps.rb) <code class="language-plaintext highlighter-rouge">gem install --file path</code></li> <li>Add ability to load gem activation information from a gemdeps file (Gemfile, Isolate, gem.deps.rb). Set RUBYGEMS_GEMDEPS=path to have it loaded. Use - as the path to autodetect (current and parent directories are searched).</li> </ul> <p><em>Minor enhancements:</em></p> <ul> <li>Added <code class="language-plaintext highlighter-rouge">gem check --doctor</code> to clean up after failed uninstallation. Bug #419 by Erik Hollensbe</li> <li>RubyGems no longer defaults to uninstalling gems if a dependency would be broken. Now you must manually say “yes”. Pull Request #406 by Shannon Skipper.</li> <li>Gem::DependencyInstaller now passes build_args down to the installer. 
Pull Request #412 by Sam Rawlins.</li> <li>Added a cmake builder. Pull request #265 by Allan Espinosa.</li> <li>Removed rubyforge page from gem list output</li> <li>Added --only-executables option to <code class="language-plaintext highlighter-rouge">gem pristine</code>. Fixes #326</li> <li>Added -I flag for ‘gem query’ to exclude installed items</li> <li>Added Gem.install(name, version=default) for interactive sessions</li> <li>Added Gem::FilePermissionError#directory</li> <li>Added Gem::rubygems_version which is like Gem::ruby_version</li> <li>Added RUBYGEMS_HOST documentation to <code class="language-plaintext highlighter-rouge">gem env</code></li> <li>Added a post_installs hook that runs after Gem::DependencyInstaller finishes installing a set of gems</li> <li>Added a usage method for Gem::Commands::OwnerCommand. (ffmike)</li> <li>Added an optional type parameter to Gem::Specification#doc_dir.</li> <li>Added announcements url and clarified how to file tickets</li> <li>Added guidance for how to use rdoc and ri in setup command. (jjb)</li> <li>Attempting to install multiple gems with --version is now an error. You can specify per-gem versions like <code>rake:0.9.5</code></li> <li>Clarified Gem::CommandManager example code to avoid multi load problems. (baroquebobcat)</li> <li>Corrupt or bad cached specs are now re-downloaded. (cookrn)</li> <li>Extension build arguments are saved from install and reused for pristine</li> <li>If the OS allows it, documentation is built in a forked background process. (alexch)</li> <li>Imported gem yank from the gemcutter gem. Fixes #177, #343</li> <li>Packaged gems now contain and verify SHA1 checksums</li> <li>Removed commas from gem update summary so you can paste it back to cleanup. (amatsuda)</li> <li>RubyGems will now warn when building gems with prerelease dependencies. 
Fixes #255</li> <li>The RUBYGEMS_HOST environment variable is used to determine appropriate API key for pushing or yanking gems</li> <li>Uninstall is now performed in reverse topological order.</li> <li>Users are told what to type when they try to uninstall a gem outside GEM_HOME</li> <li>When building gems with non-world-readable files a warning is shown.</li> </ul> <p><em>Bug fixes:</em></p> <ul> <li>Gem.refresh now maintains the active gem list. Clearing the list would cause double-loads which would cause other bugs. Pull Request #427 by Jeremy Evans</li> <li>RubyGems now refuses to read the gem push credentials file if it has insecure permissions. Pull Request #438 by Shannon Skipper</li> <li>RubyGems now requires a local gem name to end in ‘.gem’. Issue #407 by Santiago Pastorino.</li> <li>Do not allow old-format gems to be installed with a security policy that verifies data.</li> <li>Gem installation will fail if RubyGems cannot load the specification from the gem. Bug #419 by Erik Hollensbe</li> <li>RubyGems tests now run in FIPS mode. Issue #365 by Vít Ondruch</li> <li>Only update the spec cache when we have permission. Ruby Bug #7509</li> <li>gem install now ignores directories and non .gem files that match the gem to install. Bug #407 by Santiago Pastorino.</li> <li>Added PID to setup bin_file while installing RubyGems to protect against errors. Fixes #328 by ConradIrwin</li> <li>Added missing require in Gem::Uninstaller when format_executable is set. (sakuro)</li> <li>Exact gem command name matches are now chosen even if a longer command overlaps the exact name</li> <li>Fixed Gem.loaded_path? with a Pathname instance. (mattetti)</li> <li>Fixed Gem::Dependency.new mismatch with rubygems.org checks</li> <li>Fixed SecurityError in Gem::Specification.load when $SAFE=1. 
(ged)</li> <li>Fixed SystemStackError with “gem list -r -a” on 1.9 (cldwalker)</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem owners</code> command so that exceptions don’t stop the rest of the command from completing</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem unpack uninstalled_gem</code> default version picker.</li> <li>Fixed defunct rubyforge urls in gem command line help</li> <li>Fixed documentation for the various hooks collections</li> <li>Fixed documentation generation on setup when the gem directory does not exist. Fixes #253</li> <li>Fixed documentation to reflect where defaults overrides are loaded from. (ferrous26)</li> <li>Fixed editing of a Makefile with 8-bit characters. Fixes #181</li> <li>Fixed gem loading issue caused by dependencies not resolving.</li> <li>Fixed independent testing of test_gem_package_tar_output. Ruby Bug #4686 by Shota Fukumori</li> <li>Fixed typo in uninstall message. (sandal)</li> <li>Gem::Requirement#&lt;=&gt; returns nil on non-requirement arg.</li> <li>Gem::Requirement.satisfied_by? raises ArgumentError if given a non-version argument</li> <li>Gem::Version#initialize no longer modifies its parameter. (miaout17)</li> <li>Group-writable permissions are now allowed for gem repositories. (ctcherry)</li> <li>Memoized values in Gem::Specification are now reset when the version or platform changes. Fixes #78</li> <li>More specific errors are raised for bad requirements. (arsduo)</li> <li>Removed reference to ‘sources’ gem in documentation</li> <li>Removed unused block arguments to avoid creating Proc objects. (k-tsj)</li> <li>RubyGems now asks before overwriting executable wrappers. Ruby Bug #1800</li> <li>The bindir is now created with mkdir_p during install. (voxik)</li> <li>URI scheme matching is no longer case-sensitive. 
Fixes #322</li> <li>ext/builder now checks $MAKE as well as $make (okkez)</li> </ul> <p>Changes since RubyGems 2.0.0.rc.1:</p> <p><em>Bug fixes:</em></p> <ul> <li>Fixed signature verification of gems which was broken only on master. Thanks to Brian Buchanan.</li> <li>Proper exceptions are raised when verifying an unsigned gem. Thanks to André Arko.</li> </ul> Data Verification 2013-01-31T00:00:00+00:00 http://blog.rubygems.org/2013/01/31/data-verification <p><strong>TL;DR:</strong> We were able to verify that all gems served by rubygems.org are tamper-free.</p> <h3 id="the-incident">The Incident</h3> <p>As most people are aware, on January 30th rubygems.org was hit with a rogue code execution vulnerability. Much has been written (and will be written) about why the bug existed and how we’re going to be dealing with making sure it never happens again.</p> <h3 id="data-verification">Data Verification</h3> <p>Right now, I want to let everyone know about the state of all the gem files. The biggest worry with a compromise like this is that an attacker could tamper with gem files and infect anyone who installed a gem. This was our biggest worry and we spent the majority of the last 36 hours working to detect any gems that were tampered with.</p> <h3 id="exploits-and-checksums">Exploits and Checksums</h3> <p>To begin with, Mark Imbriaco (@markimbriaco) pulled down 100% of the gems from Amazon S3, where we store all the gems. He then performed 2 actions on all the gems:</p> <ul> <li>Audit the gem metadata to detect any other gems using the vulnerability.</li> <li>Generate a SHA512 checksum of each gem file.</li> </ul> <p>Mark did not detect any other gems using the vulnerability, which was our first bit of good news.</p> <p>He then posted all the checksums, which became our checksum set 1 (CS1).</p> <h3 id="mirrors">Mirrors</h3> <p>Mirrors provide us with our best validation mechanism. 
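</p> <p>The cross-check described in this post (checksum set 1 from the S3 copies, compared against mirror checksums, then yanked gems and gems pushed in the last 20 days subtracted out), written up as an added Ruby example that is not code from the rubygems-verification repository. The gem bytes, mirror lists, yank list and upload times are constructed; it also handles the case the post did not hit, a mirror copy whose digest disagrees with CS1.</p>

```ruby
require 'digest'
require 'time'

# Constructed stand-ins for the gem files pulled from S3 (the primary copies).
# Real gems are tar archives; any bytes will do to exercise the comparison.
PRIMARY_GEMS = {
  'rails-3.1.0.gem'    => 'constructed bytes: rails',
  'rake-0.9.2.gem'     => 'constructed bytes: rake',
  'thor-0.14.6.gem'    => 'constructed bytes: thor',
  'oldgem-1.0.0.gem'   => 'constructed bytes: yanked gem still on S3',
  'newgem-0.0.1.gem'   => 'constructed bytes: gem pushed after the cutoff',
  'beta-2.0.0.pre.gem' => 'constructed bytes: prerelease with no mirror copy',
}.freeze

# Checksum set 1 (CS1): one SHA512 hex digest per primary gem file.
def checksum_set(gem_blobs)
  gem_blobs.transform_values { |bytes| Digest::SHA512.hexdigest(bytes) }
end

CS1 = checksum_set(PRIMARY_GEMS)

# Constructed mirror checksum lists. mirror-a carries a thor copy whose digest
# differs from CS1 (a constructed tamper signal); neither mirror has the yanked,
# freshly pushed, or unmirrored prerelease gems.
MIRRORS = {
  'mirror-a' => {
    'rails-3.1.0.gem' => CS1['rails-3.1.0.gem'],
    'rake-0.9.2.gem'  => CS1['rake-0.9.2.gem'],
    'thor-0.14.6.gem' => Digest::SHA512.hexdigest('constructed bytes: thor, altered'),
  },
  'mirror-b' => {
    'rails-3.1.0.gem' => CS1['rails-3.1.0.gem'],
    'rake-0.9.2.gem'  => CS1['rake-0.9.2.gem'],
  },
}.freeze

# Gems yanked from rubygems.org but still present on S3 (constructed).
YANKED = ['oldgem-1.0.0.gem'].freeze

# Constructed upload times, standing in for what the S3 logs would show.
UPLOADED_AT = { 'newgem-0.0.1.gem' => Time.utc(2013, 1, 29) }.freeze

# Gems uploaded in the 20 days before the verification may not have reached
# the mirrors yet, so they are excluded rather than counted as unverified.
CUTOFF = Time.utc(2013, 1, 31) - 20 * 24 * 60 * 60

# Classify every gem in CS1:
#   :verified   - every mirror that has the gem agrees with CS1
#   :mismatched - some mirror holds a copy with a different digest (either the
#                 primary or the mirror copy was altered; investigate both)
#   :unverified - no mirror copy exists and the gem is neither yanked nor
#                 uploaded after the cutoff (the post's "80 prerelease gems")
def reconcile(cs1, mirrors, yanked:, uploaded_at:, cutoff:)
  result = { verified: [], mismatched: [], unverified: [] }
  cs1.each do |name, digest|
    mirror_digests = mirrors.values.map { |list| list[name] }.compact
    if mirror_digests.empty?
      next if yanked.include?(name)
      next if uploaded_at[name] && uploaded_at[name] >= cutoff
      result[:unverified] << name
    elsif mirror_digests.all? { |d| d == digest }
      result[:verified] << name
    else
      result[:mismatched] << name
    end
  end
  result.transform_values(&:sort)
end

if __FILE__ == $PROGRAM_NAME
  report = reconcile(CS1, MIRRORS, yanked: YANKED, uploaded_at: UPLOADED_AT, cutoff: CUTOFF)
  report.each { |state, names| puts "#{state}: #{names.join(', ')}" }
end
```

<p>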
A number of people run rubygems.org mirrors for various reasons, and they offered up data to help us verify the gem data.</p> <p>Eric Hodel (@drbrain) as well as others churned through their data and checked it against CS1. Upon finishing this step, we had validated 95% of the gems against multiple sources. We then subtracted out the gems that had been yanked but were still present in CS1 (because they were yanked, they wouldn’t be in the mirrors). Finally, we subtracted out the gems that had been added to S3 in the last 20 days, as confirmed by the S3 log files.</p> <h3 id="results">Results</h3> <p>The result of all this checking and double checking is that only 80 prerelease gems remained that we could not verify against a secondary source. We opted to yank these gems and are in the process of contacting the authors so they can push a new version.</p> <p>Through the hard work of all our volunteers, we can confidently report that the gems available from rubygems.org have not been tampered with.</p> <h3 id="data-and-tools">Data and Tools</h3> <p>We have posted the checksums and tools used to verify them at the <a href="https://github.com/rubygems/rubygems-verification">rubygems-verification github repository</a> to allow you to double-check our work.</p> <h3 id="thanks">Thanks</h3> <p>So many people helped with this effort in the #rubygems-verification channel on irc.freenode.net. I want to thank all of you for your time and say that your help was instrumental in making sure rubygems.org was able to continue to operate.</p> Rubygems 2.0.0.preview2 2012-12-03T00:00:00+00:00 http://blog.rubygems.org/2012/12/03/2.0.0-preview2 <p>The Rubygems team is proud to announce the availability of 2.0.0.preview2. 
This version has been merged into ruby 2.0.0-preview2 as well, in preparation for Rubygems 2.0.0 final to be included in ruby 2.0.0 final.</p> <h3 id="breaking-changes">Breaking changes</h3> <p>There are a number of changes in 2.0.0 that may break code expecting deprecated features of Rubygems. Most major libraries that use the internal Rubygems APIs have been updated, but there are bound to be a number that have not.</p> <ul> <li>Deprecated Gem.unresolved_deps in favor of Gem::Specification.unresolved_deps</li> <li>Merged Gem::Builder into Gem::Package. Use Gem::Package.build(spec) instead of Gem::Builder.new(spec).build</li> <li>Merged Gem::Format into Gem::Package. Use Gem::Package.new instead of Gem::Format.from_file_by_path</li> <li>Moved Gem::OldFormat to Gem::Package::Old. Gem::Package will automatically detect old gems for you, so there is no need to refer to it.</li> <li>Removed Gem::DocManager, replaced by Gem::RDoc and done_installing hook</li> <li>Removed Gem::Package::TarInput in favor of Gem::Package</li> <li>Removed Gem::Package::TarOutput in favor of Gem::Package</li> <li>Removed Gem::RemoteFetcher#open_uri_or_path. (steveklabnik)</li> <li>Removed Gem::SSL in favor of using OpenSSL directly</li> <li>Removed Gem.loaded_path</li> <li>Removed RSS generation from the gem indexer</li> <li>Removed benchmark option from .gemrc</li> <li>Removed broken YAML gemspec support in <code class="language-plaintext highlighter-rouge">gem build</code></li> <li>Removed support for Ruby 1.9.1</li> <li>Removed many deprecated methods</li> </ul> <h3 id="major-enhancements">Major enhancements</h3> <p>As is the point of most 2.0 releases, Rubygems brings a number of enhancements.</p> <ul> <li>Improved support for default gems shipping with ruby 2.0.0+. The default gems are now properly loaded as more important than the standard library, which was the intent.</li> <li>A gem can have arbitrary metadata through Gem::Specification#metadata. 
This feature allows users to embed their own data inside a gem easily and retrieve it. It’s possible to use this to store information about native packages needed, commit information, or any other structured data.</li> <li><code class="language-plaintext highlighter-rouge">gem search</code> now defaults to --remote and is anchored like gem list. Fixes #166</li> <li>Added --document to replace --rdoc and --ri. Use --no-document to disable documentation, --document=rdoc to only generate rdoc.</li> <li>Only ri-format documentation is generated by default, with HTML being automatically generated by <code class="language-plaintext highlighter-rouge">gem server</code>. This will speed up install time.</li> <li>Add <em>gemdeps</em> file support. A gemdeps format file is a Gemfile, Isolate, or gem.deps.rb file. These files contain information about which gems and versions are needed to run a particular application. Rubygems now has a subset of the functionality provided by bundler built in, to make using these files easy.</li> <li>Add ability to install gems directly from a compatible gemdep file (Gemfile, Isolate, gem.deps.rb) <code>gem install --file path</code></li> <li>Add ability to load gem activation information from a gemdeps file (Gemfile, Isolate, gem.deps.rb). Set RUBYGEMS_GEMDEPS=path to have it loaded. Use - as the path to autodetect (current and parent directories are searched).</li> </ul> <h3 id="minor-enhancements">Minor enhancements</h3> <p>Additionally, there are innumerable small enhancements. Here is a nice sampling.</p> <ul> <li>Added --only-executables option to <code class="language-plaintext highlighter-rouge">gem pristine</code>. 
Fixes #326</li> <li>Added -I flag for ‘gem query’ to exclude installed items</li> <li>Added Gem.install(name, version=default) for interactive sessions</li> <li>Added Gem::FilePermissionError#directory</li> <li>Added Gem::rubygems_version which is like Gem::ruby_version</li> <li>Added RUBYGEMS_HOST documentation to <code class="language-plaintext highlighter-rouge">gem env</code></li> <li>Added a post_installs hook that runs after Gem::DependencyInstaller finishes installing a set of gems</li> <li>Added a usage method for Gem::Commands::OwnerCommand. (ffmike)</li> <li>Added an optional type parameter to Gem::Specification#doc_dir.</li> <li>Added announcements url and clarified how to file tickets</li> <li>Added guidance for how to use rdoc and ri in setup command. (jjb)</li> <li>Attempting to install multiple gems with --version is now an error. You can specify per-gem versions like <code>rake:0.9.5</code></li> <li>Clarified Gem::CommandManager example code to avoid multi load problems. (baroquebobcat)</li> <li>Corrupt or bad cached specs are now re-downloaded. (cookrn)</li> <li>Extension build arguments are saved from install and reused for pristine</li> <li>If the OS allows it, documentation is built in a forked background process. (alexch)</li> <li>Imported gem yank from the gemcutter gem. Fixes #177, #343</li> <li>Packaged gems now contain and verify SHA1 checksums</li> <li>Removed commas from gem update summary so you can paste it back to cleanup. (amatsuda)</li> <li>RubyGems will now warn when building gems with prerelease dependencies. 
Fixes #255</li> <li>The RUBYGEMS_HOST environment variable is used to determine appropriate API key for pushing or yanking gems</li> <li>Uninstall is now performed in reverse topological order.</li> <li>Users are told what to type when they try to uninstall a gem outside GEM_HOME</li> <li>When building gems with non-world-readable files a warning is shown.</li> </ul> <h3 id="bug-fixes">Bug fixes</h3> <p>And lastly, lots and lots of bugfixes. Here is a short memoriam of those bugs we’ve lost this release.</p> <ul> <li>Added PID to setup bin_file while installing RubyGems to protect against errors. Fixes #328 by ConradIrwin</li> <li>Added missing require in Gem::Uninstaller when format_executable is set. (sakuro)</li> <li>Exact gem command name matches are now chosen even if a longer command overlaps the exact name</li> <li>Fixed Gem.loaded_path? with a Pathname instance. (mattetti)</li> <li>Fixed Gem::Dependency.new mismatch with rubygems.org checks</li> <li>Fixed SecurityError in Gem::Specification.load when $SAFE=1. (ged)</li> <li>Fixed SystemStackError with “gem list -r -a” on 1.9 (cldwalker)</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem owners</code> command so that exceptions don’t stop the rest of the command from completing</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem unpack uninstalled_gem</code> default version picker.</li> <li>Fixed defunct rubyforge urls in gem command line help</li> <li>Fixed documentation for the various hooks collections</li> <li>Fixed documentation generation on setup when the gem directory does not exist. Fixes #253</li> <li>Fixed documentation to reflect where defaults overrides are loaded from. (ferrous26)</li> <li>Fixed editing of a Makefile with 8-bit characters. Fixes #181</li> <li>Fixed gem loading issue caused by dependencies not resolving.</li> <li>Fixed independent testing of test_gem_package_tar_output. 
Ruby Bug #4686 by Shota Fukumori</li> <li>Fixed typo in uninstall message. (sandal)</li> <li>Gem::Requirement#&lt;=&gt; returns nil on non-requirement arg.</li> <li>Gem::Requirement.satisfied_by? raises ArgumentError if given a non-version argument</li> <li>Gem::Version#initialize no longer modifies its parameter. (miaout17)</li> <li>Group-writable permissions are now allowed for gem repositories. (ctcherry)</li> <li>Memoized values in Gem::Specification are now reset when the version or platform changes. Fixes #78</li> <li>More specific errors are raised for bad requirements. (arsduo)</li> <li>Removed reference to ‘sources’ gem in documentation</li> <li>Removed unused block arguments to avoid creating Proc objects. (k-tsj)</li> <li>RubyGems now asks before overwriting executable wrappers. Ruby Bug #1800</li> <li>The bindir is now created with mkdir_p during install. (voxik)</li> <li>URI scheme matching is no longer case-sensitive. Fixes #322</li> <li>ext/builder now checks $MAKE as well as $make (okkez)</li> </ul> Rubyconf / Rubygems Hackfest 2012-11-05T00:00:00+00:00 http://blog.rubygems.org/2012/11/05/the-rubygems-hackfest-at-rubyconf <p>If you followed the twitter feed for Rubyconf this past week, you probably noticed that this year’s conference was the host of the first, of hopefully many more, Rubygems.org hackfests. The hackfest started at 6:30 PM, after Matz’s chat with Evan wrapped up, and went until almost 11:00 PM, even though we had scheduled to wrap up around 8:30.</p> <p>I am personally blown away by the amazing turnout we had, and especially floored that in addition to commenting on and closing many issues which were no longer valid, almost every single attendee of the hackfest opened a pull request to fix an outstanding bug or add a new feature.</p> <p>Some photos from the event:</p> <p><img src="https://pbs.twimg.com/media/A61IcDFCUAEImDl.jpg:medium" alt="Hacking at the bar!" 
/> <img src="https://pbs.twimg.com/media/A60S2muCYAEJrdq.jpg:medium" alt="Hacking!" /> <img src="https://pbs.twimg.com/media/A61InubCEAAtGP5.jpg:medium" alt="More Hacking!" /> <img src="https://pbs.twimg.com/media/A60RvRxCYAEhg0Z.jpg:medium" alt="Holy Hacking!" /></p> <p>I’m still in the process of working through the open pull requests and issues which need further commenting, but I wanted to provide some of the highlights, and welcome some of the soon-to-be Rubygems.org committers.</p> <p>Please let me know if I missed you, or something you worked on in the list. It was amazing to see developers of all kinds, from companies such as Yardstick, New Relic and Bluebox step up to assist in helping build and maintain a community resource.</p> <p><a href="https://github.com/markbennett">Mark Bennett</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/issues/261">List number of gems pushed on Profile page.</a></li> <li><a href="https://github.com/rubygems/rubygems.org/pull/478">Add pushed gems count to profiles</a></li> </ul> <p><a href="https://github.com/adkron">Amos King</a> and <a href="https://github.com/sandersch">Charlie Sanders</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/issues/406">Block gems that are yanked from being queried through the API</a></li> <li><a href="https://github.com/rubygems/rubygems.org/pull/476">Requires gem names to have at least one alpha character</a></li> <li><a href="https://github.com/rubygems/rubygems.org/issues/426">Gem name restrictions might be wrong</a></li> </ul> <p><a href="https://github.com/jaredonline">Jared McFarland</a> and <a href="https://github.com/mildmojo">Tim Knowlton</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/pull/474">Issue #438</a></li> <li><a href="https://github.com/rubygems/rubygems.org/pull/485">Fixes tests: resets current directory in gemcutter After block.</a></li> <li><a href="https://github.com/rubygems/rubygems.org/issues/438">Testing race 
condition</a></li> <li><a href="https://github.com/rubygems/rubygems.org/pull/477">Fixes download test for count/day over month boundary.</a></li> <li><a href="https://github.com/rubygems/rubygems.org/issues/465">Tests fail on the first of the month</a></li> </ul> <p><a href="https://github.com/amateurhuman">Chris Kelly</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/pull/479">Add per gem rss feed</a></li> </ul> <p><a href="https://github.com/coffeencoke">Matt Simpson</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/pull/451">Disallow gem names with CAPS for users AND TESTS</a></li> <li><a href="https://github.com/rubygems/rubygems.org/pull/481">Disallow gem names with caps</a></li> </ul> <p><a href="https://github.com/darkhelmet">Daniel Huckstep</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/pull/473">Replace memcached with dalli</a></li> <li><a href="https://github.com/rubygems/rubygems.org/pull/483">Add test for bad characters in description/summary</a></li> <li><a href="https://github.com/rubygems/rubygems.org/issues/275">Strange characters in description causes gem push to blow up</a></li> </ul> <p><a href="https://github.com/jfoy">Jack Foy</a> and <a href="https://github.com/fnichol">Fletcher Nichol</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/pull/482">Returns 404 on /api/v1/gems#show for unknown gem with all formats types</a></li> <li><a href="https://github.com/rubygems/rubygems.org/issues/443">404 or 406 returned depending on format</a></li> </ul> <p><a href="https://github.com/Skipants">Clyde Law</a> and <a href="https://github.com/Umofomia">Andrew Szczepanski</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/pull/480">Remove librato.yml containing API credentials</a></li> </ul> <p><a href="https://github.com/gnarg">Jon Guymon</a></p> <ul> <li><a href="https://github.com/rubygems/rubygems.org/pull/484">Add size to versions</a></li> </ul> 1.8.19 Released 
2012-03-14T00:00:00+00:00 http://blog.rubygems.org/2012/03/14/1.8.19-released <p><em>3 bug fixes:</em></p> <ul> <li>Handle loading psych vs syck properly. Fixes #298</li> <li>Make sure Date objects don’t leak in via Marshal</li> <li>Perform Date =&gt; Time coercion on yaml loading. Fixes #266</li> </ul> 1.8.16 Released 2012-02-10T00:00:00+00:00 http://blog.rubygems.org/2012/02/10/1.8.16-released <p><em>3 bug fixes:</em></p> <ul> <li>Fix gem specification loading when encoding is not UTF-8. #146</li> <li>Allow group writable if umask allows it already.</li> <li>Uniquify the spec list based on directory order priority</li> </ul> Shaving a YAML Yak 2011-08-31T00:00:00+00:00 http://blog.rubygems.org/2011/08/31/shaving-the-yaml-yak <p>Have you ever seen this error?</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gem install rails --pre
ERROR:  While executing gem ... (NameError)
    uninitialized constant Psych::Syck
$
</code></pre></div></div> <p>Yes, I have too. Today we’re going to discuss the source of this error, and what we need to do to fix it.</p> <h2 id="tldr">TL;DR</h2> <p>Upgrade rubygems to make this error go away. However, the long term solution is to fix rubygems.org.</p> <h3 id="gemspecs-and-yaml">Gemspecs and YAML</h3> <p>When you package your gem, the resulting <code class="language-plaintext highlighter-rouge">.gem</code> file contains a YAML representation of your gemspec. The YAML representation of your gemspec contains everything your gemspec contains, including author information and dependency information.</p> <p>The generated gem file is just a tar file:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gem fetch rails
Fetching: rails-3.1.0.gem (100%)
Downloaded rails-3.1.0
$ file rails-3.1.0.gem
rails-3.1.0.gem: POSIX tar archive
</code></pre></div></div> <p>The tar file contains two gzipped files. 
One is the actual contents of your gem, the rb files, etc. The other gz file is metadata about your gem:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ tar xvf rails-3.1.0.gem
x data.tar.gz
x metadata.gz
</code></pre></div></div> <p>The metadata is your gemspec in YAML format. We can easily examine the YAML data by using the <code class="language-plaintext highlighter-rouge">gzcat</code> command:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gzcat metadata.gz
--- !ruby/object:Gem::Specification
name: rails
version: !ruby/object:Gem::Version
  hash: 3
  prerelease:
  segments:
  - 3
  - 1
  - 0
  version: 3.1.0
platform: ruby
...
</code></pre></div></div> <h3 id="yaml-and-rubys-standard-library">YAML and Ruby’s standard library</h3> <p>Ruby has shipped with a YAML parsing library for quite a long time. The library (called “syck”) is a <em>custom</em> YAML 1.0 parser, and has been part of Ruby since 1.8. Unfortunately, the library was abandoned.</p> <p>YAML parsing is important for Ruby, so rather than removing Syck, it is being replaced with a new library called Psych. Psych is a YAML 1.1 parser, but is powered by <a href="http://pyyaml.org/wiki/LibYAML">libyaml</a>. libyaml is developed by the team that writes the YAML spec, and is considered to be the canonical implementation.</p> <p>Unfortunately, this transition can cause subtle but annoying problems.</p> <h3 id="dealing-with-">Dealing with <code class="language-plaintext highlighter-rouge">=</code></h3> <p>The problem we see when downloading from rubygems.org is due to round-tripping issues between Syck and Psych. 
Let’s compare how Syck and Psych serialize the <code class="language-plaintext highlighter-rouge">=</code> sign:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&gt;&gt; RUBY_VERSION
=&gt; "1.8.7"
&gt;&gt; require 'yaml'
=&gt; true
&gt;&gt; YAML.dump ['=']
=&gt; "--- \n- \"=\"\n"
&gt;&gt;
</code></pre></div></div> <p>In the example above, we’re using Syck to dump an equals sign. Notice the double quotes surrounding the equals sign. Now let’s try the same thing with Psych:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>irb(main):001:0&gt; RUBY_VERSION
=&gt; "1.9.4"
irb(main):002:0&gt; require 'yaml'
=&gt; true
irb(main):003:0&gt; YAML.dump ['=']
=&gt; "---\n- =\n"
irb(main):004:0&gt;
</code></pre></div></div> <p>Notice in this example the lack of double quotes surrounding the equals sign. Both of these are valid YAML documents. Let’s see what happens when we feed the YAML from Psych into Syck:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&gt;&gt; RUBY_VERSION
=&gt; "1.8.7"
&gt;&gt; yaml = "---\n- =\n"
=&gt; "---\n- =\n"
&gt;&gt; YAML.load yaml
=&gt; [#&lt;YAML::Syck::DefaultKey:0x1026d0210&gt;]
&gt;&gt;
</code></pre></div></div> <p>There we have it! We can get Syck to return a strange object even when given a valid YAML document. But how does this relate to gemspecs and rubygems.org?</p> <h3 id="gemspec-revisited">Gemspec revisited</h3> <p>Recall that gemspecs are dumped to YAML when the gem is packaged. It’s possible (and not unheard of) for our gemspecs to contain an equals sign. Consider the dependencies defined in your gemspec:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Gem::Specification.new do |s|
  ...
  s.add_dependency('activesupport', '= 3.1.0')
  ..
end
</code></pre></div></div> <p>Those dependencies are serialized to the generated YAML file. If we package this using Psych and examine the generated yaml, we can find the section where the dependency is declared:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gzcat metadata.gz
...
dependencies:
- !ruby/object:Gem::Dependency
  name: activesupport
  requirement: &amp;70133834330380 !ruby/object:Gem::Requirement
    none: false
    requirements:
    - - =
      - !ruby/object:Gem::Version
        version: 3.1.0
...
</code></pre></div></div> <p>Notice the unquoted equals sign in the metadata.</p> <h3 id="rubygemsorg">rubygems.org</h3> <p>The trouble with the spec we saw above is that rubygems.org still uses syck as its YAML parser. When the server parses the gem YAML file, it turns the equals sign into a Syck DefaultKey.</p> <p>You can see this problem manifest itself on the rubygems.org website if you look at the Runtime Dependencies for some gems:</p> <p><img src="https://img.skitch.com/20110901-dcmqkfy9eyu69dp1xfbqyfe9wg.jpg" alt="runtime deps screenshot" /></p> <p>A simple <a href="https://www.google.com/search?hl=en&amp;safe=off&amp;q=defaultkey+site%3Arubygems.org&amp;oq=defaultkey+site%3Arubygems.org&amp;aq=f&amp;aqi=&amp;aql=&amp;gs_sm=e&amp;gs_upl=2623l8510l0l8586l57l29l0l12l0l3l348l2937l0.1.7.3l12l0">google search</a> will show that this is not an uncommon problem.</p> <h3 id="command-line-errors">Command line errors</h3> <p>When downloading gem information, rubygems.org will send dependency information in Marshal format. Gems that have the DefaultKey object in their dependencies will have that object marshalled and sent down to the client. If the client does not use Syck (Psych is the default on 1.9.2+ when libyaml is available), then the Syck constant cannot be found and the “uninitialized constant” error will appear.</p> <h3 id="how-can-we-fix-this">How can we fix this?</h3> <p>We have two ways to deal with this issue. 
The first way to deal with this issue is to upgrade rubygems. Rubygems contains code to <em>work around</em> the issue when installing gems. But it does not <em>fix</em> the issue.</p> <p>The only way we can fix this error for all users is to upgrade rubygems.org to use psych as the YAML parser. Upgrading rubygems.org will prevent the strange objects from entering marshal data sent to users.</p> <p>We’re working on this upgrade, but we can use your help! Specifically, we need to get <a href="https://github.com/collectiveidea/delayed_job/commit/cbb4060">delayed job</a> to be compatible with Psych. Once we overcome that hurdle, I think it will be easy to get rubygems.org upgraded.</p> <p>Thanks for listening!</p> <p>&lt;3&lt;3&lt;3</p> 1.8.10 Released 2011-08-25T00:00:00+00:00 http://blog.rubygems.org/2011/08/25/1.8.10-released <p>RubyGems 1.8.10 contains a security fix that prevents malicious gems from executing code when their specification is loaded. See https://github.com/rubygems/rubygems/pull/165 for details.</p> <ul> <li> <p>5 bug fixes:</p> <ul> <li>RubyGems escapes strings in ruby-format specs using #dump instead of #to_s and %q to prevent code injection. Issue #165 by Postmodern</li> <li>RubyGems now attempts to activate the psych gem to obtain bugfixes from psych.</li> <li>Gem.dir has been restored to the front of Gem.path. Fixes remaining problem with Issue #115</li> <li>Fixed Syck DefaultKey infecting ruby-format specifications.</li> <li><code class="language-plaintext highlighter-rouge">gem uninstall a b</code> no longer stops if gem “a” is not installed.</li> </ul> </li> </ul> 1.8.9 Released 2011-08-23T00:00:00+00:00 http://blog.rubygems.org/2011/08/23/1.8.9-released <ul> <li> <p>Bug fixes:</p> <ul> <li>Fixed uninstalling multiple gems using <code class="language-plaintext highlighter-rouge">gem uninstall</code></li> <li>Gem.use_paths splatted to take multiple paths! 
Issue #148</li> </ul> </li> </ul> 1.8.8 Released 2011-08-11T00:00:00+00:00 http://blog.rubygems.org/2011/08/11/1.8.8-released <ul> <li> <p>Bug fix:</p> <ul> <li>The encoding of a gem’s YAML spec is now UTF-8. Issue #149</li> </ul> </li> </ul> 1.8.7 Released 2011-08-02T00:00:00+00:00 http://blog.rubygems.org/2011/08/02/1.8.7-released <ul> <li>5 bug fixes: <ul> <li>Added missing require for <code class="language-plaintext highlighter-rouge">gem uninstall --format-executable</code></li> <li>The correct name of the executable being uninstalled is now displayed with --format-executable</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem unpack uninstalled_gem</code> default version picker</li> <li>RubyGems no longer claims a nonexistent gem can be uninstalled</li> <li><code class="language-plaintext highlighter-rouge">gem which</code> no longer claims directories are requirable files</li> </ul> </li> </ul> 1.8.6 Released 2011-07-25T00:00:00+00:00 http://blog.rubygems.org/2011/07/25/1.8.6-released <ul> <li> <p>1 minor enhancement:</p> <ul> <li>Add autorequires and delay startup of RubyGems until require is called. See Ruby bug #4962</li> </ul> </li> <li> <p>9 bug fixes:</p> <ul> <li>Restore behavior of Gem::Specification#loaded? Ruby Bug #5032</li> <li>Clean up SourceIndex.add_specs to not be so damn noisy. 
(tadman)</li> <li>Added missing APPLE_GEM_HOME in paths.</li> <li>Extend YAML::Syck::DefaultKey fixing to <code class="language-plaintext highlighter-rouge">marshal_dump</code> as well.</li> <li>Fix #29216: check correct bin_dir in check_that_user_bin_dir_is_in_path.</li> <li>Revert Gem.latest_load_paths to working order (PathSupport revert).</li> <li>Restore normalization of GEM_HOME.</li> <li>Handle the Syck DefaultKey problem once and for all.</li> <li>Fix SystemStackError occurring with “gem list -r -a” on 1.9.</li> </ul> </li> </ul> 1.8.5 Released 2011-05-31T00:00:00+00:00 http://blog.rubygems.org/2011/05/31/1.8.5-released <ul> <li> <p>2 minor enhancements:</p> <ul> <li>The -u option to ‘update local source cache’ is officially deprecated.</li> <li>Remove has_rdoc deprecations from Specification.</li> </ul> </li> <li> <p>2 bug fixes:</p> <ul> <li>Handle bad specs more gracefully.</li> <li>Reset any Gem paths changed in the installer.</li> </ul> </li> </ul> 1.8.4 Released 2011-05-25T00:00:00+00:00 http://blog.rubygems.org/2011/05/25/1.8.4-released <ul> <li> <p>1 minor enhancement:</p> <ul> <li>Removed default_executable deprecations from Specification.</li> </ul> </li> </ul> 1.8.3 Released 2011-05-19T00:00:00+00:00 http://blog.rubygems.org/2011/05/19/1.8.3-released <ul> <li> <p>4 bug fixes:</p> <ul> <li>Fix independent testing of test_gem_package_tar_output. Ruby Bug #4686 by Shota Fukumori</li> <li>Fix test failures for systems with separate ruby versions. Ruby Bug #3808 by Jeremy Evans</li> <li>Fixed some bad calls left behind after rolling out some refactorings.</li> <li>Syck has a parse error on (good) times output from Psych. 
(dazuma, et al)</li> </ul> </li> </ul> 1.8.2 Released 2011-05-11T00:00:00+00:00 http://blog.rubygems.org/2011/05/11/1.8.2-released <ul> <li> <p>2 minor enhancements:</p> <ul> <li>Moved #outdated from OutdatedCommand to Specification (for Isolate).</li> <li>Print out a warning about missing executables.</li> </ul> </li> <li> <p>3 bug fixes:</p> <ul> <li>Added missing requires to fix various upgrade issues.</li> <li><code class="language-plaintext highlighter-rouge">gem pristine</code> respects multiple gem repositories.</li> <li>setup.rb now execs with --disable-gems when possible</li> </ul> </li> </ul> 1.8.1 Released 2011-05-05T00:00:00+00:00 http://blog.rubygems.org/2011/05/05/1.8.1-released <ul> <li> <p>1 minor enhancement:</p> <ul> <li>Added Gem::Requirement#specific? and Gem::Dependency#specific?</li> </ul> </li> <li> <p>4 bug fixes:</p> <ul> <li>Typo on Indexer rendered it useless on Windows</li> <li>gem dep can fetch remote dependencies for non-latest gems again.</li> <li>gem uninstall with multiple versions no longer crashes with ArgumentError</li> <li>Always use binary mode for File.open to keep Windows happy</li> </ul> </li> </ul> 1.8.0 Released 2011-05-01T00:00:00+00:00 http://blog.rubygems.org/2011/05/01/1.8.0-released <p>This release focused on properly encapsulating functionality. Most of this work focused on moving functionality out of Gem::SourceIndex and Gem::GemPathSearcher into Gem::Specification where it belongs.</p> <p>After installing RubyGems 1.8.0 you will see deprecations when loading your existing gems. Run <code class="language-plaintext highlighter-rouge">gem pristine --all --no-extensions</code> to regenerate your gem specifications safely.</p> <p>Currently RubyGems does not save the build arguments used to build gems with extensions. 
You will need to run <code class="language-plaintext highlighter-rouge">gem pristine gem_with_extension -- --build-arg</code> to regenerate a gem with an extension where it requires special build arguments.</p> <ul> <li> <p>24(+) Deprecations (WOOT!):</p> <ul> <li>DependencyList.from_source_index deprecated the source_index argument.</li> <li>Deprecated Dependency.new(/regex/).</li> <li>Deprecated Gem.searcher.</li> <li>Deprecated Gem.source_index and Gem.available?</li> <li>Deprecated Gem: activate_dep, activate_spec, activate, report_activate_error, and required_location.</li> <li>Deprecated Gem::all_partials</li> <li>Deprecated Gem::cache_dir</li> <li>Deprecated Gem::cache_gem</li> <li>Deprecated Gem::default_system_source_cache_dir</li> <li>Deprecated Gem::default_user_source_cache_dir</li> <li>Deprecated Platform#empty?</li> <li>Deprecated Specification.cache_gem</li> <li>Deprecated Specification.installation_path</li> <li>Deprecated Specification.loaded, loaded?, and loaded=</li> <li>Deprecated all of Gem::SourceIndex.</li> <li>Deprecated all of Gem::GemPathSearcher.</li> <li>Deprecated Gem::Specification#default_executable.</li> </ul> </li> <li> <p>2 major enhancements:</p> <ul> <li>Gem::SourceIndex functionality has been moved to Gem::Specification. Gem::SourceIndex is completely disconnected from Gem::Specification</li> <li>Refactored GemPathSearcher entirely out. RIPMF</li> </ul> </li> <li> <p>41 minor enhancements:</p> <ul> <li>Added CommandManager#unregister_command</li> <li>Added Dependency#matching_specs + to_specs.</li> <li>Added Dependency#to_spec</li> <li>Added Gem.pre_reset_hook/s and post_reset_hook/s.</li> <li>Added GemCommand.reset to reinitialize the singleton</li> <li>Added Specification#activate.</li> <li>Added Specification#activated, activated=, and activated?</li> <li>Added Specification#base_dir.</li> <li>Added Specification#bin_dir and bin_file.</li> <li>Added Specification#cache_dir and cache_file. 
Aliased cache_gem.</li> <li>Added Specification#doc_dir and ri_dir.</li> <li>Added Specification#find(name_or_dep, *requirements).</li> <li>Added Specification#gem_dir and gems_dir.</li> <li>Added Specification#spec_dir and spec_file.</li> <li>Added Specification.add_spec, add_specs, and remove_spec.</li> <li>Added Specification.all=. If you use this, we will light you on fire.</li> <li>Added Specification.all_names.</li> <li>Added Specification.dirs and dirs=. dirs= resets.</li> <li>Added Specification.find_all_by_name(name, *reqs)</li> <li>Added Specification.latest_specs. SO TINY!</li> <li>Added TestCase#all_spec_names to help clean up tests</li> <li>Added TestCase#assert_path_exists and refute_path_exists. Will move to minitest.</li> <li>Gem.sources no longer tries to load sources gem. Only uses default_sources.</li> <li>Installer no longer accepts a source_index option.</li> <li>More low-level integration.</li> <li>Removed Gem::FileOperations since it is a dummy class</li> <li>Removed a comment because I am dumb</li> <li>Removed pkgs/sources/lib/sources.rb</li> <li>Revamped indexer to mostly not use SourceIndex (legacy index requires it).</li> <li>Rewrote our last functional test suite to be happy and fast</li> <li>RubyGems is now under the Ruby License or the MIT license</li> <li>Specification#== now only checks name, version, and platform.</li> <li>Specification#authors= now forcefully flattens contents (bad rspec! no cookie!)</li> <li>Specification#eql? 
checks all fields.</li> <li>Specification#installation_path no longer raises if it hasn’t been activated.</li> <li>Specification#validate now ensures that authors is not empty.</li> <li>TestCase.util_setup_spec_fetcher no longer returns a SourceIndex.</li> <li>Uninstaller no longer passes around SourceIndex instances</li> <li>Warn on loading bad spec array values (ntlm-http gem has nil in its cert chain)</li> <li><code class="language-plaintext highlighter-rouge">gem pristine</code> now accepts --no-executables to skip restoring gems with extensions.</li> <li><code class="language-plaintext highlighter-rouge">gem pristine</code> can now restore multiple gems.</li> </ul> </li> <li> <p>6 bug fixes:</p> <ul> <li>DependencyInstaller passed around a source_index instance but used Gem.source_index.</li> <li>Fixed Platform#== and #hash so instances may be used as hash keys.</li> <li>Fixed broken Specification#original_platform. It should never be nil.</li> <li>Gem::Text#format_text now strips trailing whitespace</li> <li>Normalize LOAD_PATH with File.expand_path</li> <li><code class="language-plaintext highlighter-rouge">gem build</code> errors should exit 1.</li> <li><code class="language-plaintext highlighter-rouge">gem pristine</code> can now restore non-latest gems where the cached gem was removed.</li> </ul> </li> </ul> 1.7.1 Released 2011-03-28T00:00:00+00:00 http://blog.rubygems.org/2011/03/28/1.7.1-released <ul> <li>1 bug fix: <ul> <li>Fixed missing file in Manifest.txt. (Also a bug in hoe was fixed where <code class="language-plaintext highlighter-rouge">rake check_manifest</code> showing a diff would not exit with an error.)</li> </ul> </li> </ul> 1.7.0 Released 2011-03-28T00:00:00+00:00 http://blog.rubygems.org/2011/03/28/1.7.0-released <ul> <li>16 Deprecations (woot!) 
<ul> <li>Deprecated Gem.all_load_paths, latest_load_paths, promote_load_path, and cache.</li> <li>Deprecated RemoteFetcher#open_uri_or_path.</li> <li>Deprecated SourceIndex#all_gems.</li> <li>Deprecated SourceIndex#initialize(hash_of_specs).</li> <li>Deprecated SourceIndex.from_installed_gems, from_gems_in, and load_specification.</li> <li>Deprecated Specification#has_rdoc, default_executable, and test_suite_file(=).</li> <li>Deprecated Specification#has_rdoc= and default_executable=</li> </ul> </li> <li>26 minor enhancements: <ul> <li>Added stupid simple deprecation module.</li> <li>Added --spec option to <code class="language-plaintext highlighter-rouge">gem unpack</code> to output a gem’s original metadata</li> <li>Added packaging option to Specification#validate</li> <li>Gem.bin_path requires the exec_name argument.</li> <li>Read from cached specs if fetch fails for some reason</li> <li>Refactored Specification#assign_defaults into #initialize.</li> <li>RemoteFetcher#fetch_path now dispatches dynamically to ‘fetch_[uri.schema]’</li> <li>Removed Specification @@gather.</li> <li>Removed Specification.attribute.</li> <li>Removed Specification.attribute_alias_singular.</li> <li>Removed Specification.attribute_defaults.</li> <li>Removed Specification.attributes</li> <li>Removed Specification.overwrite_accessor.</li> <li>Removed Specification.read_only.</li> <li>Removed Specification.required_attribute.</li> <li>Removed Specification::SPECIFICATION_VERSION_HISTORY and turned into rdoc</li> <li>Removed blanket rescue in default_executable. Hope it doesn’t blow up! :P</li> <li>Removed nearly all metaprogramming from Specification. Yay for attr_accessor!</li> <li>SourceIndex#initialize changed to prefer an array of spec dirs, defaulting to none.</li> <li>SourceIndex.new is now the preferred way to create SourceIndex instances. 
<em>gasp</em></li> <li>Specification#validate now checks that array attribs are indeed arrays.</li> <li>Specification.default_value is now an instance method.</li> <li>Switched Specification::TODAY to be proper midnight @ UTC</li> <li>Update Gem::RemoteFetcher's User-Agent to handle RUBY_ENGINE and RUBY_REVISION when patchlevel is -1</li> <li>UpdateCommand#gems_to_update now returns (name, version) pairs.</li> <li>UpdateCommand#which_to_update now takes an optional system argument.</li> </ul> </li> <li>11 bug fixes: <ul> <li>Added missing remote fetcher require to pristine command (aarnell)</li> <li>Building gems now checks to ensure all required fields are non-nil</li> <li>Fix option parser when summary is nil.</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem contents</code> to work with the lightweight specifications</li> <li>Fixed <code class="language-plaintext highlighter-rouge">gem update --system x.y.z</code> where x.y.z == latest version. (MGPalmer)</li> <li>Fixed gem contents sorting and tests. (MGPalmer)</li> <li>Fixed intermittent problem in <code class="language-plaintext highlighter-rouge">gem fetch</code> with --platform specified (quix)</li> <li>Fixed lightweight specifications so <code class="language-plaintext highlighter-rouge">gem rdoc</code> will generate proper documentation</li> <li>MockGemUI#terminate_interaction should not raise Gem::SystemExitException. (MGPalmer)</li> <li>RubyGems now raises a better error for broken .gem files. Bug #29067 by Elias Baixas</li> <li><code class="language-plaintext highlighter-rouge">gem update</code> now uniq’s command line arguments.</li> </ul> </li> </ul> 1.6.2 Released 2011-03-08T00:00:00+00:00 http://blog.rubygems.org/2011/03/08/1.6.2-released <p>Bug Fixes:</p> <ul> <li>require of an activated gem could cause activation conflicts. 
Fixes Bug #29056 by Dave Verwer.</li> <li><code class="language-plaintext highlighter-rouge">gem outdated</code> now works with up-to-date prerelease gems.</li> </ul> 1.6.1 Released 2011-03-03T00:00:00+00:00 http://blog.rubygems.org/2011/03/03/1.6.1-released <p>Bug Fixes:</p> <ul> <li>Installation no longer fails when a dependency from a version that won’t be installed is unsatisfied.</li> <li>README.rdoc now shows how to file tickets and get help. Pull Request #40 by Aaron Patterson.</li> <li>Gem files are cached correctly again. Patch #29051 by Mamoru Tasaka.</li> <li>Tests now pass with non-022 umask. Patch #29050 by Mamoru Tasaka.</li> </ul> 1.6.0 Released 2011-03-01T00:00:00+00:00 http://blog.rubygems.org/2011/03/01/1.6.0-released <p>4 Deprecations:</p> <ul> <li>RubyGems no longer requires ‘thread’. Rails &lt; 3 will need to add require ‘thread’ to their applications.</li> <li>Gem.cache is deprecated. Use Gem.source_index.</li> <li>RbConfig.datadir is deprecated. Use Gem.datadir.</li> <li>Gem::LoadError#version_requirements has been removed. Use Gem::LoadError#requirement.</li> </ul> <p>2 Major Enhancements:</p> <ul> <li>Rewrote how Gem::activate (gem and require) resolves dependencies.</li> <li>Gem::LoadError#version_requirement has been removed. 
Use Gem::LoadError#requirement.</li> </ul> <p>17 Minor Enhancements:</p> <ul> <li>Added --key to <code class="language-plaintext highlighter-rouge">gem push</code> for setting alternate API keys.</li> <li>Added --format-executable support to gem uninstall.</li> <li>Added Gem::DependencyList#clear.</li> <li>Added Gem::DependencyList#remove_specs_unsatisfied_by</li> <li>Added Gem.latest_spec_for, latest_version_for, and latest_rubygems_version.</li> <li>Added Gem::Dependency#merge which merges requirements for two dependencies.</li> <li>Added Gem::TestCase#util_spec for faster tests.</li> <li>Added Gem::Specification#dependent_specs.</li> <li>Added Gem::TestCase#new_spec and Gem::TestCase#install_specs.</li> <li>Added flag to include prerelease gems in Gem::SourceIndex#latest_specs.</li> <li>Gem.cache_dir always references the proper cache dir. Pass true to support a user path.</li> <li>Gem.cache_gem, given a filename always references the cache gem. Pass true to support a user path.</li> <li>Added Gem::Specification#conflicts</li> <li>Removed rdoc gem/require from test_case.rb.</li> <li>Rubygems will no longer let you push if you’re using beta or unreleased rubygems.</li> <li>Save RAM / GC churn by removing spec.files and rdoc options from locally cached gem specifications.</li> <li>SpecFetcher.fetch_spec can now take a string source_uri.</li> </ul> <p>10 Bug Fixes:</p> <ul> <li>Added missing require of Gem::RemoteFetcher to the unpack command.</li> <li>RubyGems now completely removes a previous install when reinstalling.</li> <li>Fixed Gem::Installer#generate_bin to only chmod files that exist.</li> <li>Fixed handling of Windows style file:/// uris.</li> <li>Fixed requires in tests. (shota)</li> <li>Fixed script generation on Windows.</li> <li>Fixed test issues if you have older rubygems installed.</li> <li>Gem::DependencyInstaller tests use Gem::Security, add the missing require.</li> <li>Gem::Security used FileUtils but didn’t require it. 
Reported by Elia Schito.</li> <li>Gem::Uninstaller now respects --format-executable.</li> </ul> 1.5.3 Released 2011-02-26T00:00:00+00:00 http://blog.rubygems.org/2011/02/26/1.5.3-released <p>Bug Fixes:</p> <ul> <li>Fix for a bug in Syck which causes install failures for gems packaged with Psych. Bug #28965 by Aaron Patterson.</li> </ul> 1.5.2 Released 2011-02-10T00:00:00+00:00 http://blog.rubygems.org/2011/02/10/1.5.2-released <p>Bug Fixes:</p> <ul> <li>Fixed <tt>gem update --system</tt>. RubyGems can now update itself again.</li> </ul> 1.5.1 Released 2011-02-09T00:00:00+00:00 http://blog.rubygems.org/2011/02/09/1.5.1-released <h4 id="note-gem-update---system-is-broken-see-upgradingrdoc">NOTE: <code class="language-plaintext highlighter-rouge">gem update --system</code> is broken. See UPGRADING.rdoc.</h4> <p>Minor Enhancement:</p> <ul> <li>Added ability to do gem update --system X.Y.Z.</li> </ul> <p>Bug Fixes:</p> <ul> <li>Scrub !!null YAML from 1.9.2 (install and build).</li> <li>Added missing requires for user_interaction.</li> <li>Wrote option processing tests for gem update.</li> <li>Updated upgrading doco for new gem update --system option.</li> <li>Fixed SilentUI for cygwin; try /dev/null first then fall back to NUL.</li> <li>RubyGems now enforces ruby 1.8.7 or newer.</li> </ul> 1.5.0 Released 2011-01-31T00:00:00+00:00 http://blog.rubygems.org/2011/01/31/1.5.0-released <h4 id="note-gem-update---system-is-broken-see-upgradingrdoc">NOTE: <code class="language-plaintext highlighter-rouge">gem update --system</code> is broken. See UPGRADING.rdoc.</h4> <p>Major Enhancements:</p> <ul> <li>Finally fixed all known 1.9.x issues. 
Upgrading is now possible!</li> <li>Merged huge 1.3.7/ruby-core changes to master.</li> </ul> <p>Minor Enhancements:</p> <ul> <li>Added UPGRADING.rdoc to help deal with 1.9 issues.</li> <li>Gem::Format now gives better errors for corrupt gem files and includes paths</li> <li>Pre-install hooks can now abort gem installation by returning false</li> <li>Move shareable TestCase classes to lib/ to help plugin authors with tests.</li> <li>Add post-build hooks that can cancel the gem install</li> <li>Always require custom_require now that require_gem is gone</li> <li>Added GemInstaller accessors for @options so plugins can reference them.</li> <li>Optimized Gem.find_files. ~10% faster than 1.4.2. ~40% faster than ruby 1.9.</li> <li>Gem::SilentUI now behaves like Gem::StreamUI for asking questions. Patch by Erik Hollensbe.</li> </ul> <p>Bug Fixes:</p> <ul> <li><code class="language-plaintext highlighter-rouge">gem update</code> was implicitly doing --system.</li> <li>1.9.3: Fixed encoding errors causing gem installs to die during rdoc phase.</li> <li>Add RubyForge URL to README. Closes #28825</li> <li>1.9.3: Use chdir {} when building extensions to prevent warnings. Fixes #4337</li> <li>1.9.2: Fix circular require warning.</li> <li>Make requiring openssl even lazier at request of NaHi</li> <li><code class="language-plaintext highlighter-rouge">gem unpack</code> will now download the gem if it is not in the cache. Patch by Erik Hollensbe.</li> <li>rubygems-update lists its development dependencies again</li> </ul> 1.4.2 Released 2011-01-06T00:00:00+00:00 http://blog.rubygems.org/2011/01/06/1.4.2-released <p>Bug fixes:</p> <ul> <li>Gem::Versions: “1.b1” != “1.b.1”, but “1.b1” eql? “1.b.1”. Fixes gem indexing.</li> <li>Fixed Gem.find_files.</li> <li>Removed otherwise unused #find_all_dot_rb. 
Only 6 days old and hella buggy.</li> </ul> 1.4.1 Released 2010-12-31T00:00:00+00:00 http://blog.rubygems.org/2010/12/31/1.4.1-released <p>Since apparently nobody reads my emails, blog posts or the README:</p> <p>DO NOT UPDATE RUBYGEMS ON RUBY 1.9! See UPGRADING.rdoc for details.</p> <p>Bug fix:</p> <ul> <li>Specification#load was untainting a frozen string (via <code class="language-plaintext highlighter-rouge">gem build *.spec</code>)</li> </ul> 1.4.0 Released 2010-12-30T00:00:00+00:00 http://blog.rubygems.org/2010/12/30/1.4.0-released <p>NOTE: In order to better maintain rubygems and to get it in sync with the world (eg, 1.9’s 1.3.7 is different from our 1.3.7), rubygems is switching to a 4-6 week release schedule. This release is the precursor to that process and as such may be a bit on the wild side! You have been warned!</p> <p>NOTE: We’ve switched to git/github. See README.rdoc for details.</p> <p>New features:</p> <ul> <li>Added --launch option to <code class="language-plaintext highlighter-rouge">gem server</code>. (gthiesfeld)</li> <li>Added fuzzy name matching on install failures. (gstark/presidentbeef)</li> <li>Allow searching w/ file extensions: gem which fileutils.rb</li> <li>Progress indicator during download (Ryan Melton)</li> <li>Speed up Gem::Version#&lt;=&gt; by 2-3x in common cases. (raggi)</li> <li>--source is now additive with your current sources. Use --clear-sources first to maintain previous behavior.</li> </ul> <p>Bug fixes:</p> <ul> <li>Dependency “~&gt;”s now respect lower-bound prerelease versions.</li> <li>Ensure the gem directories exist on download.</li> <li>Expand Windows user home candidates for Ruby 1.8. Bug #28371 &amp; #28494</li> <li>Fix find_files to order by version.</li> <li>Fix ivar typo. [Josh Peek]</li> <li>Normalized requires and made many of them lazy. Do not depend on rubygems to require stdlib stuff for you. (raggi/tmm1)</li> <li>Treat 1.0.a10 like 1.0.a.10 for sorting, etc. Fixes #27903. 
(dchelimsky)</li> </ul> 1.3.7 Released 2010-05-13T00:00:00+00:00 http://blog.rubygems.org/2010/05/13/1.3.7-released <p>NOTE:</p> <p>http://rubygems.org is now the default source for downloading gems.</p> <p>You may have sources set via ~/.gemrc, so you should replace http://gems.rubyforge.org with http://rubygems.org</p> <p>http://gems.rubyforge.org will continue to work for the foreseeable future.</p> <p>New features:</p> <ul> <li><code class="language-plaintext highlighter-rouge">gem</code> commands <ul> <li><code class="language-plaintext highlighter-rouge">gem install</code> and <code class="language-plaintext highlighter-rouge">gem fetch</code> now report alternate platforms when a matching one couldn’t be found.</li> <li><code class="language-plaintext highlighter-rouge">gem contents</code> --prefix is now the default as specified in --help. Bug #27211 by Mamoru Tasaka.</li> <li><code class="language-plaintext highlighter-rouge">gem fetch</code> can fetch old versions again. Bug #27960 by Eric Hankins.</li> <li><code class="language-plaintext highlighter-rouge">gem query</code> and friends output now lists platforms. Bug #27856 by Greg Hazel.</li> <li><code class="language-plaintext highlighter-rouge">gem server</code> now allows specification of multiple gem dirs for documentation. Bug #27573 by Yuki Sonoda.</li> <li><code class="language-plaintext highlighter-rouge">gem unpack</code> can unpack gems again. Bug #27872 by Timothy Jones.</li> <li><code class="language-plaintext highlighter-rouge">gem unpack</code> now unpacks remote gems.</li> <li>--user-install is no longer the default. If you really liked it, see Gem::ConfigFile to learn how to set it by default. (This change was made in 1.3.6)</li> </ul> </li> <li>RubyGems now has platform support for IronRuby. Patch #27951 by Will Green.</li> </ul> <p>Bug fixes:</p> <ul> <li>Require rubygems/custom_require if --disable-gem was set. 
Bug #27700 by Roger Pack.</li> <li>RubyGems now protects against exceptions being raised by plugins.</li> <li>rubygems/builder now requires user_interaction. Ruby Bug #1040 by Phillip Toland.</li> <li>Gem::Dependency supports #version_requirements= with a warning. Fix for old Rails versions. Bug #27868 by Wei Jen Lu.</li> <li>Gem::PackageTask depends on the package dir like the other rake package tasks so dependencies can be hooked up correctly.</li> </ul> 1.3.6 Released 2010-02-17T00:00:00+00:00 http://blog.rubygems.org/2010/02/17/1.3.6-released <p>New features:</p> <ul> <li><code class="language-plaintext highlighter-rouge">gem</code> commands <ul> <li>Added <code class="language-plaintext highlighter-rouge">gem push</code> and <code class="language-plaintext highlighter-rouge">gem owner</code> for interacting with modern/Gemcutter sources</li> <li><code class="language-plaintext highlighter-rouge">gem dep</code> now supports --prerelease.</li> <li><code class="language-plaintext highlighter-rouge">gem fetch</code> now supports --prerelease.</li> <li><code class="language-plaintext highlighter-rouge">gem server</code> now supports --bind. Patch #27357 by Bruno Michel.</li> <li><code class="language-plaintext highlighter-rouge">gem rdoc</code> no longer overwrites built documentation. Use --overwrite to force rebuilding. Patch #25982 by Akinori MUSHA.</li> </ul> </li> <li>Capital letters are now allowed in prerelease versions.</li> </ul> <p>Bug fixes:</p> <ul> <li>Development deps are no longer added to rubygems-update gem so older versions can update successfully.</li> <li>Installer bugs: <ul> <li>Prerelease gems can now depend on non-prerelease gems.</li> <li>Development dependencies are ignored unless explicitly needed. Bug #27608 by Roger Pack.</li> </ul> </li> <li><code class="language-plaintext highlighter-rouge">gem</code> commands <ul> <li><code class="language-plaintext highlighter-rouge">gem which</code> now fails if no paths were found. 
Adapted patch #27681 by Caio Chassot.</li>
<li><code class="language-plaintext highlighter-rouge">gem server</code> no longer has invalid markup. Bug #27045 by Eric Young.</li>
<li><code class="language-plaintext highlighter-rouge">gem list</code> and friends show both prerelease and regular gems when --prerelease --all is given</li>
</ul>
</li>
<li>Gem::Format no longer crashes on empty files. Bug #27292 by Ian Ragsdale.</li>
<li>Gem::GemPathSearcher handles nil require_paths. Patch #27334 by Roger Pack.</li>
<li>Gem::RemoteFetcher no longer copies the file if it is where we want it. Patch #27409 by Jakub Šťastný.</li>
</ul>
<p>Deprecation Notices:</p>
<ul>
<li>lib/rubygems/timer.rb has been removed.</li>
<li>Gem::Dependency#version_requirements is deprecated and will be removed on or after August 2010.</li>
<li>Bulk index update is no longer supported.</li>
<li>Gem::manage_gems was removed in 1.3.3.</li>
<li>Time::today was removed in 1.3.3.</li>
</ul>
1.3.5 Released 2009-07-21T00:00:00+00:00 http://blog.rubygems.org/2009/07/21/1.3.5-released
<p>Bug fixes:</p>
<ul>
<li>Fix use of prerelease gems.</li>
<li>Gem.bin_path no longer escapes path with spaces. Bug #25935 and #26458.</li>
</ul>
<p>Deprecation Notices:</p>
<ul>
<li>Bulk index update is no longer supported (the code currently remains, but not the tests)</li>
<li>Gem::manage_gems was removed in 1.3.3.</li>
<li>Time::today was removed in 1.3.3.</li>
</ul>
1.3.3 Released 2009-05-04T00:00:00+00:00 http://blog.rubygems.org/2009/05/04/1.3.3-released
<p>New Features:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">gem server</code> allows port names (from /etc/services) with --port.</li>
<li><code class="language-plaintext highlighter-rouge">gem server</code> now has search that jumps to RDoc.
Patch #22959 by Vladimir Dobriakov.</li>
<li><code class="language-plaintext highlighter-rouge">gem spec</code> can retrieve single fields from a spec (like <code class="language-plaintext highlighter-rouge">gem spec rake authors</code>).</li>
<li>Gem::Specification#has_rdoc= is deprecated and ignored (defaults to true)</li>
<li>RDoc is now generated regardless of Gem::Specification#has_rdoc?</li>
</ul>
<p>Bug Fixes:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">gem clean</code> now cleans up --user-install gems. Bug #25516 by Brett Eisenberg.</li>
<li>Gem.bin_path now escapes paths with spaces.</li>
<li>Rake extension builder now correctly loads rubygems when invoking rake.</li>
<li>Prerelease versions now match “~&gt;” correctly. Patch #25759 by Yossef Mendelssohn.</li>
<li>Check bindir for executables, not root, when validating. Bug reported by David Chelimsky.</li>
<li>Remove Time.today; there is no way to override it before RubyGems loads. Bug #25564 by Emanuele Vicentini</li>
<li>Raise Gem::Exception for #installation_path when not installed. Bug #25741 by Daniel Berger.</li>
<li>Don’t raise in Gem::Specification#validate when homepage is nil. Bug #25677 by Mike Burrows.</li>
<li>Uninstall executables from the correct directory. Bug #25555 by Brett Eisenberg.</li>
<li>Raise Gem::LoadError if Kernel#gem fails due to a previously-loaded gem. Bug reported by Alf Mikula.</li>
</ul>
<p>Deprecation Notices:</p>
<ul>
<li>Gem::manage_gems has been removed.</li>
<li>Time::today has been removed early.
There was no way to make it warn and be easy to override with user code.</li>
</ul>
1.3.4 Released 2009-05-03T00:00:00+00:00 http://blog.rubygems.org/2009/05/03/1.3.4-released
<p>Bug Fixes:</p>
<ul>
<li>Fixed various warnings</li>
<li>Gem::ruby_version works correctly for 1.8 branch and trunk</li>
<li>Prerelease gems now show up in <code class="language-plaintext highlighter-rouge">gem list</code> and can be used</li>
<li>Fixed option name for <code class="language-plaintext highlighter-rouge">gem setup --format-executable</code></li>
<li>RubyGems now matches Ruby &gt; 1.9.1 gem paths</li>
<li>Gem::RemoteFetcher#download now works for explicit Windows paths across drives. Bug #25882 by Lars Christensen</li>
<li>Fix typo in Gem::Requirement#parse. Bug #26000 by Mike Gunderloy.</li>
</ul>
<p>Deprecation Notices:</p>
<ul>
<li>Bulk index update is no longer supported (the code currently remains, but not the tests)</li>
<li>Gem::manage_gems was removed in 1.3.3.</li>
<li>Time::today was removed in 1.3.3.</li>
</ul>
1.3.2 Released 2009-04-15T00:00:00+00:00 http://blog.rubygems.org/2009/04/15/1.3.2-released
<p>Select New Features:</p>
<ul>
<li>RubyGems now loads plugins from rubygems_plugin.rb in installed gems. This can be used to add commands (See Gem::CommandManager) or add install/uninstall hooks (See Gem::Installer and Gem::Uninstaller).</li>
<li>Gem::Version now understands prerelease versions using letters (e.g. ‘1.2.1.b’). Thanks to Josh Susser, Alex Vollmer and Phil Hagelberg.</li>
<li>RubyGems now includes a Rake task for creating gems which replaces rake’s Rake::GemPackageTask. See Gem::PackageTask.</li>
<li>Gem::find_files now returns paths in $LOAD_PATH.</li>
<li>Added Gem::promote_load_path for use with Gem::find_files</li>
<li>Added Gem::bin_path to make finding executables easier.
Patch #24114 by James Tucker.</li>
<li>Various improvements to build arguments for installing gems.</li>
<li><code class="language-plaintext highlighter-rouge">gem contents</code> added --all and --no-prefix.</li>
<li>Gem::Specification
<ul>
<li>#validate strips directories and errors on not-files.</li>
<li>#description no longer removes newlines.</li>
<li>#name must be a String.</li>
<li>FIXME and TODO are no longer allowed in various fields.</li>
<li>Added support for a license attribute. Feature #11041 (partial).</li>
<li>Removed Gem::Specification::list, too much process growth. Bug #23668 by Steve Purcell.</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">gem generate_index</code>
<ul>
<li>Can now generate an RSS feed.</li>
<li>Modern indices can now be updated incrementally.</li>
<li>Legacy indices can be updated separately from modern.</li>
</ul>
</li>
</ul>
<p>Select Bugs Fixed:</p>
<ul>
<li>Better gem activation error message. Patch #23082.</li>
<li>Kernel methods are now private. Patch #20801 by James M. Lawrence.</li>
<li>Fixed various usability issues with <code class="language-plaintext highlighter-rouge">gem check</code>.</li>
<li><code class="language-plaintext highlighter-rouge">gem update</code> now rescues InstallError and continues. Bug #19268 by Gabriel Wilkins.</li>
<li>Allow ‘https’ and ‘file’ as valid schemes for --source. Patch #22485.</li>
<li><code class="language-plaintext highlighter-rouge">gem install</code>
<ul>
<li>Now removes existing path before installing. Bug #22837.</li>
<li>Uses Gem::bin_path in executable stubs to work around Kernel#load bug in 1.9.</li>
<li>Correctly handle build args (after --) via the API. Bug #23210.</li>
</ul>
</li>
<li>--user-install
<ul>
<li><code class="language-plaintext highlighter-rouge">gem install --no-user-install</code> now works. Patch #23573 by Alf Mikula.</li>
<li><code class="language-plaintext highlighter-rouge">gem uninstall</code> can now uninstall from ~/.gem.
Bug #23760 by Roger Pack.</li>
</ul>
</li>
<li>setup.rb
<ul>
<li>Clarify RubyGems RDoc installation location. Bug #22656 by Gian Marco Gherardi.</li>
<li>Allow setup to run from a read-only location. Patch #21862 by Luis Herrera.</li>
<li>Fixed overwriting ruby executable when BASERUBY was not set. Bug #24958 by Michael Soulier.</li>
<li>Ensure we’re in a RubyGems dir when installing.</li>
<li>Deal with extraneous quotation mark when autogenerating .bat file on MS Windows. Bug #22712.</li>
</ul>
</li>
</ul>
<p>Deprecation Notices:</p>
<ul>
<li>Gem::manage_gems has been removed.</li>
<li>Time::today will be removed in RubyGems 1.4.</li>
</ul>
<p>Special thanks to Chad Wooley for backwards compatibility testing and Luis Lavena and Daniel Berger for continuing Windows support.</p>
1.3.1 Released 2008-10-28T00:00:00+00:00 http://blog.rubygems.org/2008/10/28/1.3.1-released
<p>Bugs fixed:</p>
<ul>
<li>Disregard ownership of ~ under Windows while creating ~/.gem. Fixes issues related to no uid support under Windows.</li>
<li>Fix requires for Gem::inflate, Gem::deflate, etc.</li>
<li>Make Gem.dir respect :gemhome value from config. (Note: this feature may be removed since it is hard to implement on 1.9.)</li>
<li>Kernel methods are now private. Patch #20801 by James M. Lawrence.</li>
<li>Gem::location_of_caller now behaves on Windows. Patch by Daniel Berger.</li>
<li>Silence PATH warning.</li>
</ul>
<p>Deprecation Notices:</p>
<ul>
<li>Gem::manage_gems will be removed on or after March 2009.</li>
</ul>
1.3.0 Released 2008-09-25T00:00:00+00:00 http://blog.rubygems.org/2008/09/25/1.3.0-released
<p>New features:</p>
<ul>
<li>RubyGems doesn’t print LOCAL/REMOTE titles for <code class="language-plaintext highlighter-rouge">gem query</code> and friends if stdout is not a TTY, except with --both.</li>
<li>Added Gem.find_files, which allows a gem to discover features provided by other gems.</li>
<li>Added pre/post (un)install hooks for packagers of RubyGems.
(Not for gems themselves).</li>
<li>RubyGems now installs gems into ~/.gem if GEM_HOME is not writable. Use the --no-user-install command-line switch to disable this behavior.</li>
<li>Fetching specs for update now uses If-Modified-Since requests.</li>
<li>RubyGems now updates the ri cache when the rdoc gem is installed and documentation is generated.</li>
</ul>
<p>Deprecation Notices:</p>
<ul>
<li>Gem::manage_gems now warns when called. It will be removed on or after March 2009.</li>
</ul>
<p>Bugs Fixed:</p>
<ul>
<li>RubyGems 1.3.0+ now updates when no previous rubygems-update is installed. Bug #20775 by Hemant Kumar.</li>
<li>RubyGems now uses the regexp we already have for <code class="language-plaintext highlighter-rouge">gem list --installed</code>. Bug #20876 by Nick Hoffman.</li>
<li>Platform is now forced to Gem::Platform::RUBY when nil or blank in the indexer. Fixes various uninstallable gems.</li>
<li>Handle EINVAL on seek. Based on patch in bug #20791 by Neil Wilson.</li>
<li>Fix HTTPS support. Patch #21072 by Alex Arnell.</li>
<li>RubyGems now loads all cache files even if latest has been loaded. Bug #20776 by Uwe Kubosch.</li>
<li>RubyGems checks for support of development dependencies for #to_ruby. Bug #20778 by Evan Weaver.</li>
<li>Now specifications from the future can be loaded.</li>
<li>Binary script uninstallation fixed. Bug #21234 by Neil Wilson.</li>
<li>Uninstallation with -i fixed. Bug #20812 by John Clayton.</li>
<li>Gem::Uninstaller#remove_all now calls Gem::Uninstaller#uninstall_gem so hooks get called. Bug #21242 by Neil Wilson.</li>
<li>Gem.ruby is now properly escaped on Windows. Fixes problem with extension compilation.</li>
<li><code class="language-plaintext highlighter-rouge">gem lock --strict</code> works again. Patch #21814 by Sven Engelhardt.</li>
<li>Platform detection for Solaris was improved.
Patch #21911 by Bob Remeika.</li>
</ul>
<p>Other Changes Include:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">gem help install</code> now describes the <em>version</em> argument to executable stubs</li>
<li><code class="language-plaintext highlighter-rouge">gem help environment</code> describes environment variables and ~/.gemrc and /etc/gemrc</li>
<li>On-disk gemspecs are now read in UTF-8 and written with a UTF-8 magic comment</li>
<li>Rakefile
<ul>
<li>If the SETUP_OPTIONS environment variable is set, pass its contents as arguments to setup.rb</li>
</ul>
</li>
<li>lib/rubygems/platform.rb
<ul>
<li>Remove deprecated constant warnings and really deprecate them. (WIN32, etc).</li>
</ul>
</li>
<li>lib/rubygems/remote_fetcher.rb
<ul>
<li>Now uses ~/.gem/cache if the cache dir in GEM_HOME is not writable.</li>
</ul>
</li>
<li>lib/rubygems/source_index.rb
<ul>
<li>Deprecate options to ‘search’ other than Gem::Dependency instances and issue warning until November 2008.</li>
</ul>
</li>
<li>setup.rb
<ul>
<li>--destdir folder structure now built using Pathname, so it works for Windows platforms.</li>
</ul>
</li>
<li>test/*
<ul>
<li>Fixes to run tests when under test/rubygems/. Patch by Yusuke ENDOH [ruby-core:17353].</li>
</ul>
</li>
<li>test/test_ext_configure_builder.rb
<ul>
<li>Locale-free patch by Yusuke Endoh [ruby-core:17444].</li>
</ul>
</li>
</ul>
1.2.0 Released 2008-06-21T00:00:00+00:00 http://blog.rubygems.org/2008/06/21/1.2.0-released
<p>New features:</p>
<ul>
<li>RubyGems no longer performs bulk updates and instead only fetches the gemspec files it needs. Alternate sources will need to upgrade to RubyGems 1.2 to allow RubyGems to take advantage of the new metadata updater. If a pre-1.2 remote source is in the sources list, RubyGems will revert to the bulk update code for compatibility.</li>
<li>RubyGems now has runtime and development dependency types.
Use <code class="language-plaintext highlighter-rouge">#add_development_dependency</code> and <code class="language-plaintext highlighter-rouge">#add_runtime_dependency</code>. All typeless dependencies are considered to be runtime dependencies.</li>
<li>RubyGems will now require <code class="language-plaintext highlighter-rouge">rubygems/defaults/operating_system.rb</code> and <code class="language-plaintext highlighter-rouge">rubygems/defaults/#{RBX_ENGINE}.rb</code> if they exist. This allows packagers and ruby implementers to add custom behavior to RubyGems via these files. (If the RubyGems API is insufficient, please suggest improvements via the RubyGems list.)</li>
<li>/etc/gemrc (and Windows equivalent) for global settings</li>
<li>setup.rb now handles --vendor and --destdir for packagers</li>
<li><code class="language-plaintext highlighter-rouge">gem stale</code> command that lists gems by last access time</li>
</ul>
<p>Bugs Fixed:</p>
<ul>
<li>File modes from gems are now honored, patch #19737</li>
<li>Marshal Gem::Specification objects from the future can now be loaded.</li>
<li>A trailing / is now added to remote sources when missing, bug #20134</li>
<li>Gems with legacy platforms will now be correctly uninstalled, patch #19877</li>
<li><code class="language-plaintext highlighter-rouge">gem install --no-wrappers</code> followed by <code class="language-plaintext highlighter-rouge">gem install --wrappers</code> no longer overwrites executables</li>
<li><code class="language-plaintext highlighter-rouge">gem pristine</code> now forces reinstallation of gems, bug #20387</li>
<li>RubyGems gracefully handles ^C while loading .gemspec files from disk, bug #20523</li>
<li>Paths are expanded in more places, bug #19317, bug #19896</li>
<li>Gem::DependencyInstaller resets installed gems every install, bug #19444</li>
<li>Gem.default_path is now honored if GEM_PATH is not set, patch #19502</li>
</ul>
<p>Other Changes Include:</p>
<ul>
<li>setup.rb
<ul>
<li>stub files
created by RubyGems 0.7.x and older are no longer removed. When upgrading from these ancient versions, upgrade to 1.1.x first to clean up stubs.</li>
<li>RDoc is no longer required until necessary, patch #20414</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">gem server</code>
<ul>
<li>Now completely matches the output of <code class="language-plaintext highlighter-rouge">gem generate_index</code> and has correct content types</li>
<li>Refreshes from source directories for every hit. The server will no longer need to be restarted after installing gems.</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">gem query --details</code> and friends now display author, homepage, RubyForge URL and installed location</li>
<li><code class="language-plaintext highlighter-rouge">gem install</code> without -i no longer reinstalls dependencies if they are in GEM_PATH but not in GEM_HOME</li>
<li>Gem::RemoteFetcher now performs persistent connections for HEAD requests, bug #7973</li>
</ul>
1.1.1 Released 2008-04-11T00:00:00+00:00 http://blog.rubygems.org/2008/04/11/1.1.1-released
<p>Bugs Fixed:</p>
<ul>
<li>Gem.prefix now returns non-nil only when RubyGems was installed outside sitelibdir or libdir.</li>
<li>The <code class="language-plaintext highlighter-rouge">gem server</code> gem list now correctly links to gem details.</li>
<li><code class="language-plaintext highlighter-rouge">gem update --system</code> now passes --no-format-executable to setup.rb.</li>
<li>Gem::SourceIndex#refresh!
now works with multiple gem repositories.</li>
<li>Downloaded gems now go into --install-dir’s cache directory.</li>
<li>Various fixes to downloading gem metadata.</li>
<li><code class="language-plaintext highlighter-rouge">gem install --force</code> now ignores network errors too.</li>
<li><code class="language-plaintext highlighter-rouge">gem pristine</code> now rebuilds extensions.</li>
<li><code class="language-plaintext highlighter-rouge">gem update --system</code> now works on virgin Apple ruby.</li>
<li>Gem::RemoteFetcher handles Errno::ECONNABORTED.</li>
<li>Printing of release notes fixed.</li>
</ul>
1.1.0 Released 2008-03-29T00:00:00+00:00 http://blog.rubygems.org/2008/03/29/1.1.0-released
<p>New features:</p>
<ul>
<li>RubyGems now uses persistent connections on index updates. Index updates are much faster now.</li>
<li>RubyGems only updates from a latest index by default, cutting candidate gems for updates to roughly 1/4 (at present). Index updates are even faster still.
<ul>
<li><code class="language-plaintext highlighter-rouge">gem list -r</code> may only show the latest version of a gem; add --all to see all gems.</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">gem spec</code> now extracts specifications from .gem files.</li>
<li><code class="language-plaintext highlighter-rouge">gem query --installed</code> to aid automation of checking for gems.</li>
</ul>
<p>Bugs Fixed:</p>
<ul>
<li>RubyGems works with both Config and RbConfig now.</li>
<li>Executables are now cleaned upon uninstall.</li>
<li>You can now uninstall from a particular directory.</li>
<li>Updating from non-default sources fixed.</li>
<li>Executable stubs now use ruby install name in shebang.</li>
<li><code class="language-plaintext highlighter-rouge">gem unpack</code> checks every directory in Gem.path now.</li>
<li><code class="language-plaintext highlighter-rouge">gem install</code> now exits with non-zero exit code when appropriate.</li>
<li><code
class="language-plaintext highlighter-rouge">gem update</code> only updates gems that need updates.</li>
<li><code class="language-plaintext highlighter-rouge">gem update</code> doesn’t force remote-only updates.</li>
<li><code class="language-plaintext highlighter-rouge">gem update</code> handles dependencies properly when updating.</li>
<li>Gems are now loaded in Gem.path order.</li>
<li>Gem stub scripts on Windows now work outside Gem.bindir.</li>
<li><code class="language-plaintext highlighter-rouge">gem sources -r</code> now works without network access.</li>
</ul>
<p>Other Changes Include:</p>
<ul>
<li>RubyGems now requires Ruby &gt; 1.8.3.</li>
<li>Release notes are now printed upon installation.</li>
<li><code class="language-plaintext highlighter-rouge">gem env path</code> now prints a usable path.</li>
<li><code class="language-plaintext highlighter-rouge">gem install</code> reverts to local-only installation upon network error.</li>
<li>Tar handling code refactoring and cleanup.</li>
<li>Gem::DependencyInstaller’s API has changed.</li>
</ul>
<p>For a full list of changes to RubyGems, see the ChangeLog file.</p>
1.0.1 Released 2007-12-20T00:00:00+00:00 http://blog.rubygems.org/2007/12/20/1.0.1-released
<p>Bugs Fixed:</p>
<ul>
<li>Installation on Ruby 1.8.3 through 1.8.5 fixed</li>
<li><code class="language-plaintext highlighter-rouge">gem build</code> on 1.8.3 fixed</li>
</ul>
<p>Other Changes Include:</p>
<ul>
<li>Since RubyGems 0.9.5, RubyGems is no longer supported on Ruby 1.8.2 or older; this is official in RubyGems 1.0.1.</li>
</ul>
1.0.0 Released 2007-12-20T00:00:00+00:00 http://blog.rubygems.org/2007/12/20/1.0.0-released
<p>Major New Features Include:</p>
<ul>
<li>RubyGems warns about various problems with gemspecs during gem building</li>
<li>More-consistent versioning for the RubyGems software</li>
</ul>
<p>Other Changes Include:</p>
<ul>
<li>Fixed various bugs and problems with installing gems on Windows</li>
<li>Fixed using <code
class="language-plaintext highlighter-rouge">gem server</code> for installing gems</li>
<li>Various operations are even more verbose with --verbose</li>
<li>Built gems are now backwards compatible with 0.9.4</li>
<li>Improved detection of RUBYOPT loading rubygems</li>
<li><code class="language-plaintext highlighter-rouge">ruby setup.rb</code> now has a --help option</li>
<li>Gem::Specification#bindir is now respected on installation</li>
<li>Executable stubs can now be installed to match ruby’s name, so if ruby is installed as ‘ruby18’, foo_exec will be installed as ‘foo_exec18’</li>
<li><code class="language-plaintext highlighter-rouge">gem unpack</code> can now unpack into a specific directory with --target</li>
<li>OpenSSL is no longer required by default</li>
</ul>
<p>Deprecations and Deletions:</p>
<ul>
<li>Kernel#require_gem has been removed</li>
<li>Executables without a shebang will not be wrapped in a future version; this may cause such executables to fail to operate on installation</li>
<li>Gem::Platform constants other than RUBY and CURRENT have been removed</li>
<li>Gem::RemoteInstaller was removed</li>
<li>Gem::Specification#test_suite_file and #test_suite_file= are deprecated in favor of #test_file and #test_file=</li>
<li>Gem::Specification#autorequire= has been deprecated</li>
<li>Time::today will be removed in a future version</li>
</ul>
0.9.5 Released 2007-11-19T00:00:00+00:00 http://blog.rubygems.org/2007/11/19/0.9.5-released
<p>Major New Features Include:</p>
<ul>
<li>Platform support</li>
<li>Automatic installation of platform gems</li>
<li>New bandwidth- and memory-friendlier index file format</li>
<li>“Offline” mode (--no-update-sources)</li>
<li>Bulk update threshold can be specified (-B, --bulk-threshold)</li>
<li>New <code class="language-plaintext highlighter-rouge">gem fetch</code> command</li>
<li><code class="language-plaintext highlighter-rouge">gem</code> now has “really verbose” output when you specify -v</li>
<li>Improved stubs and <code
class="language-plaintext highlighter-rouge">gem.bat</code> on mswin, including better compatibility with the One-Click Installer.</li>
</ul>
<p>Other Changes Include:</p>
<ul>
<li>Time::today is deprecated and will be removed at a future date</li>
<li>Gem::manage_gems is deprecated and will be removed at a future date</li>
<li><code class="language-plaintext highlighter-rouge">gem install --include-dependencies</code> (-y) is now deprecated since it is the default; use --ignore-dependencies to turn off automatic dependency installation</li>
<li>Multi-version diamond dependencies are only installed once</li>
<li>Processing a YAML bulk index update takes less memory</li>
<li><code class="language-plaintext highlighter-rouge">gem install -i</code> makes sure all dependencies are installed</li>
<li><code class="language-plaintext highlighter-rouge">gem update --system</code> reinstalls into the prefix it was originally installed in</li>
<li><code class="language-plaintext highlighter-rouge">gem update --system</code> respects --no-rdoc and --no-ri flags</li>
<li>HTTP basic authentication support for proxies</li>
<li>Gem::Specification#platforms should no longer be a String; use Gem::Platform::CURRENT when building binary gems instead</li>
<li><code class="language-plaintext highlighter-rouge">gem env</code> has more diagnostic information</li>
<li>require ‘rubygems’ loads less code</li>
<li>sources.gem is gone; RubyGems now uses built-in defaults</li>
<li><code class="language-plaintext highlighter-rouge">gem install --source</code> will no longer add --source by default; use <code class="language-plaintext highlighter-rouge">gem sources --add</code> to make it a permanent extra source</li>
<li><code class="language-plaintext highlighter-rouge">gem query</code> (list) no longer prints details by default</li>
<li>Exact gem names are matched in various places</li>
<li>mkrf extensions are now supported</li>
<li>A gem can depend on a specific RubyGems version</li>
<li><code
class="language-plaintext highlighter-rouge">gem_server</code> is now <code class="language-plaintext highlighter-rouge">gem server</code></li>
<li><code class="language-plaintext highlighter-rouge">gemlock</code> is now <code class="language-plaintext highlighter-rouge">gem lock</code></li>
<li><code class="language-plaintext highlighter-rouge">gem_mirror</code> is now <code class="language-plaintext highlighter-rouge">gem mirror</code></li>
<li><code class="language-plaintext highlighter-rouge">gemwhich</code> is now <code class="language-plaintext highlighter-rouge">gem which</code></li>
<li><code class="language-plaintext highlighter-rouge">gemri</code> is no longer included with RubyGems</li>
<li><code class="language-plaintext highlighter-rouge">index_gem_repository.rb</code> is now <code class="language-plaintext highlighter-rouge">gem generate_index</code></li>
<li><code class="language-plaintext highlighter-rouge">gem</code> performs more validation of parameters</li>
<li>Custom rdoc styles are now supported</li>
<li>Gem indexer no longer removes quick index during index creation</li>
<li>Kernel#require only rescues a LoadError for the file being required now</li>
<li><code class="language-plaintext highlighter-rouge">gem dependencies</code> can now display some information for remote gems</li>
<li>Updating RubyGems now works with RUBYOPT=-rubygems</li>
</ul>
<p>Special thanks to:</p>
<ul>
<li>Daniel Berger</li>
<li>Luis Lavena</li>
<li>Tom Copeland</li>
<li>Wilson Bilkovich</li>
</ul>
0.9.4 Released 2007-05-23T00:00:00+00:00 http://blog.rubygems.org/2007/05/23/0.9.4-released
<p>If you are experiencing problems with the source index (e.g. strange “No Method” errors), or problems with zlib (e.g. “Buffer Error” message), we recommend upgrading to RubyGems 0.9.4.</p>
<p>Bug Fixes Include:</p>
<ul>
<li>Several people have been experiencing problems with no method errors on the source index cache. The source index cache is now a bit more self-healing.
Furthermore, if the source index cache is irreparable, then it is automatically dropped and reloaded.</li>
<li>The source cache files may now be dropped with the “gem sources --clear-all” command. (This command may require root if the system source cache is in a root-protected area.)</li>
<li>Several sub-commands were accidentally dropped from the “gem” command. These commands have been restored.</li>
</ul>
0.9.3 Released 2007-05-10T00:00:00+00:00 http://blog.rubygems.org/2007/05/10/0.9.3-released
<p>Bug Fixes Include:</p>
<p>The ZLib library on Windows will occasionally complain about a buffer error when unpacking gems. The Gems software has a workaround for that problem, but the workaround was only enabled for versions of ZLib 1.2.1 or earlier. We have received several reports of the error occurring with ZLib 1.2.3, so we have permanently enabled the workaround on all versions.</p>
0.9.2 Released 2007-02-05T00:00:00+00:00 http://blog.rubygems.org/2007/02/05/0.9.2-released
<p>Bug Fixes Include:</p>
<ul>
<li>The “unpack” command now works properly.</li>
<li>User name and password are now passed properly to the authenticating proxy when downloading gems.</li>
</ul>
0.9.1 Released 2007-01-16T00:00:00+00:00 http://blog.rubygems.org/2007/01/16/0.9.1-released
<p>See ChangeLog</p>
0.9.0 Released 2006-06-28T00:00:00+00:00 http://blog.rubygems.org/2006/06/28/0.9.0-released
<p>Finally, the much anticipated RubyGems version 0.9.0 is now available. This release includes a number of new features and bug fixes. The number one change is that we can now download the gem index incrementally. This will greatly speed up the gem command when only a few gems are out of date.</p>
<p>Major Enhancements include:</p>
<ul>
<li>The gem index is now downloaded incrementally, only updating entries that are out of date.
If more than 50 entries are out of date, we revert back to a bulk download.</li>
<li>Several patches related to allowing RubyGems to work with authenticating proxies (from Danie Roux and Anatol Pomozov). Just put the user and password in the proxy URL (e.g. -p http://user:password@proxy.address.com:8080) or use the HTTP_PROXY_USER and HTTP_PROXY_PASS environment variables.</li>
<li>The gem unpack command can now accept a file path rather than just an installed gem name.</li>
<li>Both RI and RDOC documents are now generated by default.</li>
<li>A gemri command is included to read gem RI docs (only needed for Ruby 1.8.4 or earlier).</li>
</ul>
<p>Minor enhancements include:</p>
<ul>
<li>Version 0.0.0 is now a valid gem version.</li>
<li>Better detection of missing SSL functionality.</li>
<li>SSL is not required if the security policy does not require signature checking.</li>
<li>Rake-built extensions are now supported (Tilman Sauerbeck).</li>
<li>Several autorequire bug fixes.</li>
<li>--traceback is now an alias for --backtrace (I can never remember which one it is).</li>
<li>SAFE=1 compatibility fixes.</li>
<li>.rbw is now a supported suffix for RubyGems’ custom require.</li>
<li>Several Ruby 1.9 compatibility fixes (Eric Hodel).</li>
</ul>
<p>Bug Fixes:</p>
<ul>
<li>Added dashes to gemspecs generated in Ruby 1.8.3.
This solves some cross-Ruby version compatibility issues.</li>
<li>Fixed bug where the wrong executables could be uninstalled (Eric Hodel).</li>
<li>Fixed bug where gem unpack occasionally unpacked the wrong gem.</li>
<li>Fixed bug where a fatal error occurred when permissions on .gemrc were too restrictive (reported by Luca Pireddu).</li>
<li>Fixed prefix handling for native expressions (patch by Aaron Patterson).</li>
<li>Fixed several Upgrade =&gt; Update typos.</li>
</ul>
0.8.11 Released 2005-07-13T00:00:00+00:00 http://blog.rubygems.org/2005/07/13/0.8.11-released
<ul>
<li>-y is a synonym for --include-dependencies.</li>
<li>Better handling of errors in the top level rescue clause.</li>
<li>Package list command (e.g. gem inspect GEM).</li>
<li>.gemrc now allows cvsrc-like options to set defaults per subcommand.</li>
<li>The autorequire gem spec field will now accept a list.</li>
<li>Substituted Time for Date in specs, increasing performance dramatically.</li>
<li>Fixed reported bug of gem directories ending in “-” (reported by Erik Hatcher).</li>
<li>Fixed bug in installer that caused dependency installation to not work.</li>
<li>Added Paul Duncan’s gem signing patch.</li>
<li>Added Mark Hubbart’s Framework patch (for better integration with OS X).</li>
<li>Added David Glasser’s install-from-mirror patch.</li>
<li>Additional internal structural cleanup and test reorganization.</li>
</ul>
0.8.10 Released 2005-03-27T00:00:00+00:00 http://blog.rubygems.org/2005/03/27/0.8.10-released
<ul>
<li>In multi-user environments, it is common to supply multiple versions of gems (for example Rails), allowing individual users to select the version of the gem they desire. This allows a user to be insulated from updates to that gem.
RubyGems 0.8.10 fixes a problem where gems could occasionally become confused about the current versions of libraries selected by the user.</li>
<li>The other annoying bug is that if there are any existing rubygems-update gems installed, then the “gem update --system” command will download a new update, but install the latest update prior to the download.</li>
</ul>
0.8.8 Released 2005-03-14T00:00:00+00:00 http://blog.rubygems.org/2005/03/14/0.8.8-released
<ul>
<li>Moved the master definition of class Requirement back under version. Kept the body of Requirement under Gem.</li>
</ul>
0.8.7 Released 2005-03-14T00:00:00+00:00 http://blog.rubygems.org/2005/03/14/0.8.7-released
<p>Even though it has only been a few weeks since the last release, there are quite a number of new features in 0.8.7. A complete list of new features will be given below, but here is a summary of the hot items.</p>
<ul>
<li>The bug that prevented some users from installing rails has been squashed. A big thanks to Bill Guindon (aGorilla) for helping track that one down.</li>
</ul>
<p>There are several new commands available on the gem command:</p>
<ul>
<li>gem cleanup GEMNAME – Cleanup (uninstall) all the old versions of a gem. If the gem name is omitted, the entire repository is cleaned.</li>
<li>gem dependency GEMNAME – Show the dependencies for the named gems. This is really helpful when trying to figure out what gem needs what other gem.</li>
</ul>
<p>There are changes to the existing commands as well.</p>
<ul>
<li>gem uninstall is much smarter about removing gems from the repository. Lists of gems are now uninstalled in proper dependency order (i.e. if A depends on B, A is uninstalled first). Also, warnings about broken dependencies occur only when the <em>last</em> gem that supports a dependency is removed.</li>
</ul>
<p>Both gem install and gem uninstall support some new command line options that can reduce the number of yes/no queries given to the user.
For install we have:</p> <ul> <li>–ignore-dependencies – Only install requests gems, no dependendecies are automatically installed.</li> <li>–include-dependencies – Automatically install dependencies, without confirmation.</li> </ul> <p>For gem uninstall, the new options are:</p> <ul> <li>–all – Uninstall all matching gems without confirmation.</li> <li>–ignore-dependencies – Uninstall, even if dependencies are broken.</li> <li>–executables – Remove executables without confirmation</li> </ul> <p>Under general cleanup, gems will not, by default, run RDoc on packages that do not have the RDoc flag set.</p> <p>And finally there is a new library file ‘gemconfigure’ to aid in writing version sensitive applications (without undue dependencies on RubyGems); and ‘gemwhich’, a short script to locate libraries in the file system. You can read more about them here:</p> <ul> <li>gemconfigure: http://docs.rubygems.org/read/chapter/4#page73</li> <li>gemwhich: http://docs.rubygems.org/read/chapter/17</li> </ul> 0.8.6 Released 2005-02-27T00:00:00+00:00 http://blog.rubygems.org/2005/02/27/0.8.6-released <ul> <li>Fixed a small bug with shebang construction</li> </ul> 0.8.5 Released 2005-02-26T00:00:00+00:00 http://blog.rubygems.org/2005/02/26/0.8.5-released <p>Do you know how you used to dread getting the following message while installing gems?</p> <p>Updating Gem source index for: http://gems.rubyforge.org</p> <p>It could take up to 30 seconds (on my machine, even worse on others) for that crazy source index to update.</p> <p>This latest release of RubyGems speeds that wait time up considerably. The following table gives the following times for installing RedCloth with a required source index update on three system we had available to us. No RDoc generation was included in the following times.</p> <p>RubyGems Linux Mac OSX Windows 0.8.4 33 secs 73 secs 58 secs 0.8.5 8 secs 14 secs 21 secs</p> <p>The new caching code is at least 3x faster than previous versions. 
Woo Hoo!</p> 0.8.4 Released 2005-01-01T00:00:00+00:00 http://blog.rubygems.org/2005/01/01/0.8.4-released <ul> <li>Rubygems 0.8.3’s installer was broken unless you already had an older version of RubyGems installed. That’s fixed.</li> <li>Change in the way Gem::Specification internally deals with lazy attributes and defaults, bringing (with some loadpath_manager changes) a fairly significant increase in speed.</li> <li>Support for lower-cased Gem file names (for you, Paul Duncan :)</li> <li>Erik Veenstra’s patch for making Gem versions sortable.</li> </ul> 0.8.3 Released 2004-12-07T00:00:00+00:00 http://blog.rubygems.org/2004/12/07/0.8.3-released <p>No real earth shattering news here, but there were a number of really annoying issues involving other libraries that RubyGems depends upon. 0.8.3 contains some workarounds for these issues. In particular:</p> <ul> <li>Added workaround for the null byte in Dir string issue. (see http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/121702). (Thanks to Mauricio Fernández for the quick response on this one).</li> <li>Added workaround for old version of Zlib on windows that caused Ruwiki to fail to install. (see http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/121770)</li> <li>Added workaround for large YAML file issues. (We dynamically cut down the size of the source index YAML file and seem to have worked around immediate issues.</li> </ul> <p>There has been some minor usability enhancements and changes …</p> <ul> <li>A user specific source index cache can be used when the site-wide cache is unwritable (i.e. because you are running as a non-admin). 
This <em>greatly</em> speeds up gem commands run in non-admin mode when the site-wide cache is out of date.</li> <li>The gem command now used an HTTP HEAD command to detect if the server’s source index needs to be downloaed.</li> <li>gem check gemname –test will run unit tests on installed gems that have unit tests.</li> <li> <p>Multiple gem names are allowed on the gem install command line. This means you can do:</p> <p>gem install rake rails needle postgres-pr pimki</p> <p>(Ok, you get the idea)</p> </li> <li>Multiple authors my be specified in a Gem spec.</li> <li>Switched to using setup.rb (rather than a custom install script) for the installation of RubyGems itself. If you have installed RubyGems before, double check the installation instructions and make sure you use setup.rb instead of install.rb.</li> <li>Ryan Davis has provided a patch so you can use an env variable (GEM_SKIP), to tell loadpath_manager not to load gems of those names. This was useful for him while testing libs that he had in development.</li> </ul> 0.8.1 Released 2004-09-17T00:00:00+00:00 http://blog.rubygems.org/2004/09/17/0.8.1-released <ul> <li>Quick release to capture some bug fixes.</li> </ul> 0.8.0 Released 2004-09-15T00:00:00+00:00 http://blog.rubygems.org/2004/09/15/0.8.0-released <ul> <li>Remove need for library stubs. Set the RUBYOPT environment variable to include “rrubygems”, and a normal require will find gem files. 
Continue to use ‘require_gem gem_name, version’ to specify gem versions.</li> <li>Deprecated “test_suite_file” gemspec attribute in favor of “test_files” array.</li> <li>Generates rdoc by default on installs.</li> <li>Adopted tar/gzip file format, thanks to Mauricio Fernandez.</li> <li>“gem rdoc” allows generation of rdoc after gem installation (will add a “gem test”</li> <li>Application stubs can now accept an optional parameter of <em>VERSION</em> that will run an arbitrary version of the application requested.</li> <li>Various bug fixes</li> <li>Various platform-independency improvements</li> <li>“gem spec –all” displays spec info for all installed version of a given gem.</li> <li>Dynamic caching of sources</li> <li>Support for user-definable sources on the command line (thanks Assaph Mehr)</li> <li>More intelligent support for platform-dependent gems. Use Platform::CURRENT when building a gem to set its platform to the one you’re building on. Installation displays a choice of platform-dependent gems, allowing the user to pick.</li> <li>Added “gem unpack” for “unpacking” a gem to the current directory</li> </ul> 0.7.0 Released 2004-07-09T00:00:00+00:00 http://blog.rubygems.org/2004/07/09/0.7.0-released <p>See ChangeLog</p> 0.6.1 Released 2004-06-08T00:00:00+00:00 http://blog.rubygems.org/2004/06/08/0.6.1-released <p>See ChangeLog</p> 0.6.0 Released 2004-06-08T00:00:00+00:00 http://blog.rubygems.org/2004/06/08/0.6.0-released <ul> <li>Collapse output of –search and –list (and gem_server) operations so that each gem is listed only once, with each of its versions listed on the same line.</li> <li>bin/gem: new –upgrade-all option allows one to upgrade every installed gem</li> <li> <p>new #required_ruby_version attribute added to gem specification for specifying a dependency on which version of ruby the gem needs. 
Format it accepts is the same as the Gem::Version::Requirement format:</p> <p>spec.required_ruby_version = “&gt; 1.8.0”</p> </li> <li>–install-stub defaults to true, so library stubs are created</li> </ul> 0.5.0 Released 2004-06-06T00:00:00+00:00 http://blog.rubygems.org/2004/06/06/0.5.0-released <ul> <li> <p>Jim added the ability to specify version constraints to avoid API incompatibilities. This has been the subject of much debate for the past couple of months, with many ideas and code contributed by Eivind Eklund and Mauricio Fernandez. The following set of assertions shows how it works:</p> <p>assert_inadequate(“1.3”, “~&gt; 1.4”) assert_adequate( “1.4”, “~&gt; 1.4”) assert_adequate( “1.5”, “~&gt; 1.4”) assert_inadequate(“2.0”, “~&gt; 1.4”) # This one is key–the new operator # disallows major version number # differences.</p> </li> <li> <p>Group gem search output when multiple versions exist for a given gem:</p> <p>activerecord (0.7.8, 0.7.7, 0.7.6, 0.7.5) Implements the ActiveRecord pattern for ORM.</p> </li> <li>Add arbitrary RDoc-able files via gemspec (not just Ruby source files) for people who have, for example, README.rdoc in their distributions. Add to gemspec via: spec.extra_rdoc_files = [“list”, “of”, “files”]. Ruby files are automatically included.</li> <li>Some small bug fixes</li> </ul> 0.4.0 Released 2004-05-30T00:00:00+00:00 http://blog.rubygems.org/2004/05/30/0.4.0-released <ul> <li>Minor bug fixes including Windows compatability issues</li> </ul> 0.3.0 Released 2004-04-30T00:00:00+00:00 http://blog.rubygems.org/2004/04/30/0.3.0-released <ul> <li>Cleanup of command-line arguments and handling. Most commands accept a –local or –remote modifier.</li> <li>Creation of Application Gems (packages that include executable programs). 
See http://rubygems.rubyforge.org/wiki/wiki.pl?DeveloperGuide for information on how to use it.</li> <li>Basic functionality for installing binary gems from source (:extensions property of gem specification holds an array of paths to extconf.rb files to be used for compilation)</li> <li>Install library “stub” allowing a normal ‘require’ to work (which then does the rubygems require and ‘require_gem’</li> <li>–run-tests runs the test suite specified by the “test_suite_file” property of a gem specification</li> <li>HTTP Proxy support works. Rewrite of HTTP code.</li> <li>Unit and functional tests added (see Rakefile).</li> <li>Prompt before remote-installing dependencies during gem installation.</li> <li>Config file for storing preferences for ‘gem’ command usage.</li> <li>Generally improved error messages (still more work to do)</li> <li>Rearranged gem directory structure for cleanliness.</li> </ul> 0.2.0 Released 2004-03-14T00:00:00+00:00 http://blog.rubygems.org/2004/03/14/0.2.0-released <ul> <li>Initial public release</li> </ul>
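The pessimistic version operator ("~>") shown by the four assertions in the 0.5.0 notes above, as an added example; this is not RubyGems' own implementation. It writes the rule out in stand-alone Ruby (accept a version when it is at least the stated one and below the next bump of the segment before the last), reuses the release note's assert_adequate / assert_inadequate names as plain predicates, and cross-checks the result against the Gem::Requirement and Gem::Version classes that ship with RubyGems in every current Ruby. The helper names parse_version, compare_versions, pessimistic_upper_bound, pessimistic_satisfied? and agrees_with_rubygems? are this example's own.

```ruby
require "rubygems"

# Split "1.4.2" into [1, 4, 2] so segments compare numerically, not as strings.
def parse_version(str)
  str.strip.split(".").map(&:to_i)
end

# Segment-wise comparison with implicit trailing zeros, so "1.4" == "1.4.0".
def compare_versions(a, b)
  len = [a.length, b.length].max
  (a + [0] * (len - a.length)) <=> (b + [0] * (len - b.length))
end

# Upper bound of "~> X.Y.Z": drop the last segment (when there is more than
# one) and add one to what is left, so 1.4 -> 2, 1.4.2 -> 1.5, 1 -> 2.
# This mirrors the "bump" rule that makes "~> 1.4" reject 2.0 but accept 1.5.
def pessimistic_upper_bound(lower)
  upper = lower.dup
  upper.pop if upper.length > 1
  upper[-1] += 1
  upper
end

# True when +version+ satisfies "~> <base>": base <= version < bump(base).
def pessimistic_satisfied?(version, constraint)
  unless constraint.start_with?("~>")
    raise ArgumentError, "expected a ~> constraint, got #{constraint.inspect}"
  end
  lower = parse_version(constraint.delete_prefix("~>"))
  v = parse_version(version)
  compare_versions(v, lower) >= 0 &&
    compare_versions(v, pessimistic_upper_bound(lower)) < 0
end

# The two helpers named in the 0.5.0 release note, written here as predicates
# (true when the assertion holds) rather than test-framework assertions.
def assert_adequate(version, constraint)
  pessimistic_satisfied?(version, constraint)
end

def assert_inadequate(version, constraint)
  !pessimistic_satisfied?(version, constraint)
end

# Cross-check against the real library: Gem::Requirement#satisfied_by? and
# Gem::Version are part of RubyGems, which ships with Ruby.
def agrees_with_rubygems?(version, constraint)
  real = Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(version))
  real == pessimistic_satisfied?(version, constraint)
end

if __FILE__ == $PROGRAM_NAME
  # The release note's four cases plus two with a three-segment constraint.
  cases = [["1.3", "~> 1.4"], ["1.4", "~> 1.4"], ["1.5", "~> 1.4"],
           ["2.0", "~> 1.4"], ["1.4.9", "~> 1.4.2"], ["1.5.0", "~> 1.4.2"]]
  cases.each do |v, c|
    puts format("%-6s %-9s adequate=%-5s agrees_with_rubygems=%s",
                v, c, pessimistic_satisfied?(v, c), agrees_with_rubygems?(v, c))
  end
end
```

The bump rule is why "~> 1.4" and "~> 1.4.0" mean different things: the first accepts any 1.x at or above 1.4, the second only 1.4.x. That distinction is worth keeping in mind when pinning dependencies, since the looser form admits every later minor release up to the next major.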