Fixes a number of CVEs:
- a DNS request hijacking vulnerability. (CVE-2017-0902)
- an ANSI escape sequence vulnerability. (CVE-2017-0899)
- a DoS vulnerability in the query command. (CVE-2017-0900)
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901)
* Manage patches in git
* Fixes the hook invocation to be more safe. Thanks @Mic92
* Install gems as user by default
* Install gem binaries with the /usr/bin/env shebang
* Fixes a bug where the passthru.libPath and passthru.gemPath would
point to the wrong directory
* Overhaul ruby version heuristics
In the tarball job:
````
checking find-tarballs.nix
error: while evaluating anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:6:1, called from undefined position:
while evaluating ‘operator’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:27:16, called from undefined position:
while evaluating ‘immediateDependenciesOf’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:39:29, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:27:44:
while evaluating anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/attrsets.nix:224:10, called from undefined position:
while evaluating anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:40:37, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/attrsets.nix:224:16:
while evaluating ‘derivationsIn’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:42:19, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:40:40:
while evaluating ‘optional’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/lists.nix:175:20, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:44:33:
while evaluating ‘canEval’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:48:13, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:44:43:
while evaluating the attribute ‘pkgs’ of the derivation ‘ruby-dev-2.3.1-p0’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/pkgs/build-support/trivial-builders.nix:10:14:
while evaluating ‘override’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:60:22, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/pkgs/development/interpreters/ruby/dev.nix:10:13:
while evaluating ‘makeOverridable’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:54:24, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:60:31:
anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/pkgs/development/ruby-modules/bundix/default.nix:1:1 called with unexpected argument ‘ruby’, at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:56:12
````
Setting the GEM_PATH after ruby is started is not reliable enough. In
some cases rubygems would have already loaded and ignore these settings.
Fixes#14048
After ruby initializes, rubygems no longer reads the GEM_PATH. Before,
we have the following scenario:
Gem.path # => ["a"]
ENV['GEM_PATH'] = ["b"]
Gem.path # => ["a"] # Still returns the same
Gem.use_paths is the documented way to create isolated environments as
documented in [1].
[1] http://www.rubydoc.info/github/rubygems/rubygems/Gem.use_paths
The idea is to bundle ruby, bundler and bundix together. I was
having issues where bundler was installed with ruby 2.3.0 and I wanted to use
ruby 2.0.0.
With this change all the developer has to do is install `ruby_2_0_0.dev`
either in his environment or in a nix-shell.
Having a separate rubygems package can lead to split-brain scenarios.
Since rubygems is designed to replace himself on a ruby installation,
let's do that.
This was preventing any ruby gem with a c extension to build.
mkmf would fail with a misleading error:
/nix/store/dmkcai8fnv21qxiasx628nim3mq4r4wg-ruby-2.2.3-p0/lib/ruby/2.2.0/mkmf.rb:456:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
generate_stub doesn't exist and the output is not used in the code so I just
removed the line.
This was preventing the binstubs from generating properly.
This improves our Bundler integration (i.e. `bundlerEnv`).
Before describing the implementation differences, I'd like to point a
breaking change: buildRubyGem now expects `gemName` and `version` as
arguments, rather than a `name` attribute in the form of
"<gem-name>-<version>".
Now for the differences in implementation.
The previous implementation installed all gems at once in a single
derivation. This was made possible by using a set of monkey-patches to
prevent Bundler from downloading gems impurely, and to help Bundler
find and activate all required gems prior to installation. This had
several downsides:
* The patches were really hard to understand, and required subtle
interaction with the rest of the build environment.
* A single install failure would cause the entire derivation to fail.
The new implementation takes a different approach: we install gems into
separate derivations, and then present Bundler with a symlink forest
thereof. This has a couple benefits over the existing approach:
* Fewer patches are required, with less interplay with the rest of the
build environment.
* Changes to one gem no longer cause a rebuild of the entire dependency
graph.
* Builds take 20% less time (using gitlab as a reference).
It's unfortunate that we still have to muck with Bundler's internals,
though it's unavoidable with the way that Bundler is currently designed.
There are a number improvements that could be made in Bundler that would
simplify our packaging story:
* Bundler requires all installed gems reside within the same prefix
(GEM_HOME), unlike RubyGems which allows for multiple prefixes to
be specified through GEM_PATH. It would be ideal if Bundler allowed
for packages to be installed and sourced from multiple prefixes.
* Bundler installs git sources very differently from how RubyGems
installs gem packages, and, unlike RubyGems, it doesn't provide a
public interface (CLI or programmatic) to guide the installation of a
single gem. We are presented with the options of either
reimplementing a considerable portion Bundler, or patch and use parts
of its internals; I choose the latter. Ideally, there would be a way
to install gems from git sources in a manner similar to how we drive
`gem` to install gem packages.
* When a bundled program is executed (via `bundle exec` or a
binstub that does `require 'bundler/setup'`), the setup process reads
the Gemfile.lock, activates the dependencies, re-serializes the lock
file it read earlier, and then attempts to overwrite the Gemfile.lock
if the contents aren't bit-identical. I think the reasoning is that
by merely running an application with a newer version of Bundler, you'll
automatically keep the Gemfile.lock up-to-date with any changes in the
format. Unfortunately, that doesn't play well with any form of
packaging, because bundler will immediately cause the application to
abort when it attempts to write to the read-only Gemfile.lock in the
store. We work around this by normalizing the Gemfile.lock with the
version of Bundler that we'll use at runtime before we copy it into
the store. This feels fragile, but it's the best we can do without
changes upstream, or resorting to more delicate hacks.
With all of the challenges in using Bundler, one might wonder why we
can't just cut Bundler out of the picture and use RubyGems. After all,
Nix provides most of the isolation that Bundler is used for anyway.
The problem, however, is that almost every Rails application calls
`Bundler::require` at startup (by way of the default project templates).
Because bundler will then, by default, `require` each gem listed in the
Gemfile, Rails applications are almost always written such that none of
the source files explicitly require their dependencies. That leaves us
with two options: support and use Bundler, or maintain massive patches
for every Rails application that we package.
Closes#8612
Previously the gems defaulted to "ruby" as the name and
"${ruby-version}-${gem-name}-${gem-version}" as the version,
which was just insane.
https://github.com/NixOS/nixpkgs/issues/9771#issuecomment-141041414
Noone is reacting so it's high time to take at least some action.
/cc @cstrahan.
According to @zimbatm, he got the SHA256 hashes via nix-prefetch-git.
However, fetchFromGitHub doesn't use Git to fetch the sources but uses
fetchzip under the hood, so we get plain source directories in the Nix
store, which in turn are hashed.
Tested by:
nix-build --no-out-link -E 'map (x:
(builtins.getAttr x (import ./. {})).src
) [ "ruby_1_9_3" "ruby_2_0_0" "ruby_2_1_0" "ruby_2_1_1" "ruby_2_1_2"
"ruby_2_1_3" "ruby_2_1_6" "ruby_2_1_7" "ruby_2_2_0" "ruby_2_2_2"
"ruby_2_2_3"
]'
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We were using HEAD for unreleased features. These features are now in
release builds so we should go back to using those. This also means we
won't have to deal with hash mismatches for all ruby packages.
Fixes#9044, close#9667. Thanks to @taku0 for suggesting this solution.
Now we have no modes starting with `/` or `+`.
Rewrite the `-perm` parameters of find:
- completely safe: rewrite `/0100` and `+100` to `-0100`,
- slightly semantics-changing: rewrite `+111` to `-0100`.
I cross-verified the `find` manual pages for Linux, Darwin, FreeBSD.
Many (less easily automatically converted) old-style strings
remain.
Where there was any possible ambiguity about the exact version or
variant intended, nothing was changed. IANAL, nor a search robot.
Use `with stdenv.lib` wherever it makes sense.