What's new in RubyGems3

The Package Manager of the Ruby Language
Hiroshi SHIBATA / GMO Pepabo, Inc.
2019.3.22 Railsdm 2019
What’s new
In RubyGems3

Executive Ofﬁcer VP of Engineering
Technical Director
at GMO Pepabo, Inc. @pepabo
Hiroshi SHIBATA @hsbt
https://www.hsbt.org

self.introduce
=> {
name: “SHIBATA Hiroshi”,
nickname: “hsbt”,
organizations: [“ruby”, “rubygems”, “bundler”, “asakusarb”,
“railsgirls”, “pepabo”, …],
commit_bits: [“ruby”, “rake”, “rubygems”, “bundler”, “rdoc”,
“psych”, “json”, “ruby-build”, “railsgirls”, “railsgirls-jp”, …],
sites: [“hsbt.org”, “ruby-lang.org”, “rubyci.org”, “railsgirls.com”,
“railsgirls.jp”],
}

•The RubyGems team
•RubyGems
•RubyGems 3
•RubyGems 4
•Bundler
•RubyGems Bundler Integration
Agenda

Who are RubyGems Team member?
alumni
alumni
alumni
SRE
Dev
Dev
Dev
Dev

Speciﬁc roles
Release Manager
@hsbt: Master branch as 3.1, 3.0 and 2.7
Security Handler
@hsbt: HackerOne and Private Repository
Fulltime Commiter
@deivid-rodriguez: Supported by RubyTogether

•The package manager of Ruby libraries.
•`gem install “rails:~>5.2”`
•You can install speciﬁed version of Ruby
libraries that called `Gem`. RubyGems
handles global environment on your box.
•You could specify `gem ‘rails’, ‘~> 5.2’`
syntax without its dependency in your code.
What’s rubygems?

•The RubyGems accepts SemVer like
versioning Policy.
•Merge latest stable version into Ruby Core
•Ruby 2.6.0 bundled RubyGems 3.0
•Ruby 2.7.0 will bundle RubyGems 3.1 or
4.0(TBD)
•Ruby 3.0 will bundle RubyGems ???
The policy of RubyGems versioning

•RubyGems also have HackerOne.
•3 people handle vulnerability issues and
will release RubyGems by SemVer Policy
like “2.7.7” from “2.7.6”
•On the other hand, The Ruby core team will
back port only vulnerability ﬁxes by
independent version like “2.6.5.1”, not
“2.7.7”
Security release of RubyGems

How develop RubyGems?
• The canonical repository is https://
github.com/rubygems/rubygems.
• https://github.com/rubygems/
rubygems.org is rubygems.org. It’s not
client software.
• We use Pull-Request and
merge bot named
`@bundlerbot`

•I released RubyGems 3 at 19 Dec 2018
•https://blog.rubygems.org/
2018/12/19/3.0.0-released.html
•It says 5 major updates.
• S3 source. Pull request #1690 by Aditya Prakash.
• Download gems with threads. Pull request #1898 by André Arko.
• Update to SPDX license list 3.0. Pull request #2152 by Mike
Linksvayer.
• [GSoC] Multi-factor feature for RubyGems. Pull request #2369 by
Qiu Chaofan.
• Use bundler 1.17.2. Pull request #2521 by SHIBATA Hiroshi.
RubyGems 3 has been released

•We use the changelog generator
from commit logs.
•https://github.com/rubygems/
rubygems/blob/master/util/
update_changelog.rb
•It picked by @bundlerbot
messages.
•Because the changelog is not
structured text.
Where come from the changelog?

•https://github.com/rubygems/rubygems/
pull/1898
•It introduced `concurrent_downloads`
option at `.gemrc`. The default value is 8.
•It makes 8 times faster with `gem install`.
Download gems with threads

•https://github.com/rubygems/
rubygems/pull/2369
•It introduced the multi-factor
authentication for gem management
by CLI like `gem push`
•https://guides.rubygems.org/setting-
up-multifactor-authentication/
Multi-factor feature for RubyGems

pull/2142
•Related with https://nvd.nist.gov/vuln/
detail/CVE-2017-17405
•Given the pipe operator `|`, the attacker can
execute a malicious code.
Use File.open instead of open

pull/2207
Added coverage ability used by simplecov
~/D/g/r/rubygems (master) > rake test
Run options: --seed 2662
# Running:
...................................................................................................................
......
(snip)
...........................................................................S.......................................
.........................................
Finished in 72.010573s, 29.0513 runs/s, 90.0423 assertions/s.
2092 runs, 6484 assertions, 0 failures, 0 errors, 1 skips
You have skipped tests. Run with --verbose for details.
Coverage report generated for Unit Tests to /Users/hsbt/Documents/github.com/rubygems/rubygems/coverage. 8219 /
9194 LOC (89.4%) covered.

pull/2278
•It makes gem spec reproducible.
•https://reproducible-builds.org/specs/
source-date-epoch/
•I’m not familiar with it…
Support SOURCE_DATE_EPOCH

pull/2308
pull/2023 introduces `gem info` command.
It avoid to use `gem i`.
Add alias command ‘i’ for ‘install’
% gem i bundler
ERROR: While executing gem ... (Gem::CommandLineError)
Ambiguous command i matches [info, install]

pull/2466
•Now, RubyGems supports above options for
`gem uninstall`
Uninstall with versions
% gem i bundler:1.17.3
% gem uninstall bundler:1.17.3

•Removed deprecated methods.
•Removed to support for < Ruby 2.2.
•Removed Syck support.
•Added warnings of deprecated methods.
•Removed deprecated options.
•[CAUTION] `--ri` and `--rdoc` options
Cleanup Code-base

Added Rubocop
AllCops:
DisabledByDefault: true
Exclude:
- 'bundler/**/*'
- 'lib/rubygems/resolver/molinillo/**/*'
- 'pkg/**/*'
TargetRubyVersion: 2.3
Layout/AccessModifierIndentation:
Enabled: true
Layout/BlockAlignment:
Enabled: true
Layout/CaseIndentation:
Enabled: true
Layout/ClosingParenthesisIndentation:
Enabled: true
Layout/CommentIndentation:
Enabled: true
Layout/ElseAlignment:
Enabled: true
MultilineIfThen:
Enabled: true

•BundlerVersionFinder was introduced at
RubyGems 2.7
•It ability is the version detection by
RubyGems with Gemﬁle.lock strictly. Ex.
1.17.3 matches only 1.17.3
•We update it condition. Now, 1.17.3
matches 1.x.y, 2.0.3 also matches 2.x.y.
Update Bundler Version Finder

•It has non-compatible features.
• Make enable as default for conservative option:
https://github.com/rubygems/rubygems/pull/2233
• Make ruby gem install to user-install by default:
https://github.com/rubygems/rubygems/issues/1394
• Executables in bin folder conﬂict with their gem
versions: https://bugs.ruby-lang.org/issues/5060
• Behaviour changes with default gems installer:
https://github.com/rubygems/rubygems/pull/2166
What’s new in RubyGems4?

•We got the installation time when already
installed gems.
•To use conservative is ignore re-install
action.
Make conservative option as default
~ > gem i rails
clone http://rubyonrails.org -> /Users/hsbt/Documents/rubyonrails.org
git ls-remote http://rubyonrails.org
hg identify http://rubyonrails.org
svn info http://rubyonrails.org
error Could not find version control system: http://rubyonrails.org
exists /Users/hsbt/Documents/github.com/rails/rails
Successfully installed rails-5.2.0
1 gem installed
~ > gem i rails —conservative
~ >

•Rubygems 4 will install the all gems to
under the `~/.gem`
•Pros: Ruby in linux distribution has many of
FAQ for gem installation for using `sudo`.
This change resolve this issues.
•Cons: Ruby version manager like rbenv is
not support it. And This is big incompatible
feature.
Make `--user-install` as default

•The vendoring tool of Ruby.
•RubyGems couldn’t care dependency of
Ruby libraries and isolate version managing
with ruby process.
•Bundler can do them with `Gemﬁle`
What’s bundler?
# frozen_string_literal: true
source "https://rubygems.org"
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
gemspec
# We need a newish Rake since Active Job sets its test tasks' descriptions.
gem "rake", ">= 11.1"

•We released 1.17.x and 2.0.x at last year.
•We disabled the incompatible features like
renaming `gems.rb` from `Gemﬁle`
•They no longer support under the Ruby 2.2.
What’s new in Bundler 2?

RubyGems
Bundler
Integration
6.

•We are working to integrate RubyGems and
Bundler.
•I’m working it because Bundler 2 was
released.
•RubyGems 3&4 drop to support under the
Ruby 2.2. Because Bundler 1.x still
supports Ruby 1.8 and 1.9.
RubyGems/Bundler integration

•Bundler was located rubygems repository
as git submodule
Bundler Integration(rubygems.rb)
if USE_BUNDLER_FOR_GEMDEPS
ENV["BUNDLE_GEMFILE"] ||= File.expand_path(path)
require 'rubygems/user_interaction'
Gem::DefaultUserInteraction.use_ui(ui) do
require "bundler"
@gemdeps = Bundler.setup
Bundler.ui = nil
@gemdeps.requested_specs.map(&:to_spec).sort_by(&:name)
end
else
rs = Gem::RequestSet.new
@gemdeps = rs.load_gemdeps path
rs.resolve_current.map do |s|
s.full_spec.tap(&:activate)
end
end

•RubyGems 2.x, 3.x uses Molinillo-0.5.7
•Bundler 1.16.x also uses Molinillo-0.6.4
•These are different versions and behavior of
dependency resolver.
Dependency Resolver incompatible
~/D/g/r/rubygems (master) > ls lib/rubygems/resolver/molinillo/lib/molinillo
delegates dependency_graph.rb gem_metadata.rb resolution.rb state.rb
dependency_graph errors.rb modules resolver.rb
~/D/g/b/bundler (master) > ls lib/bundler/vendor/molinillo/lib/molinillo
compatibility.rb dependency_graph errors.rb modules resolver.rb
delegates dependency_graph.rb gem_metadata.rb resolution.rb state.rb

•RubyGems and Bundler stored the
duplicated certiﬁcates in your box.
Duplicates the certiﬁcates
~/D/g/r/rubygems (master) > fd . lib/rubygems/ssl_certs/
lib/rubygems/ssl_certs/index.rubygems.org
lib/rubygems/ssl_certs/index.rubygems.org/GlobalSignRootCA.pem
lib/rubygems/ssl_certs/rubygems.global.ssl.fastly.net
lib/rubygems/ssl_certs/rubygems.global.ssl.fastly.net/DigiCertHighAssuranceEVRootCA.pem
lib/rubygems/ssl_certs/rubygems.org
lib/rubygems/ssl_certs/rubygems.org/AddTrustExternalCARoot.pem
~/D/g/r/rubygems (master) > fd . bundler/lib/bundler/ssl_certs/
bundler/lib/bundler/ssl_certs/index.rubygems.org
bundler/lib/bundler/ssl_certs/index.rubygems.org/GlobalSignRootCA.pem
bundler/lib/bundler/ssl_certs/rubygems.global.ssl.fastly.net
bundler/lib/bundler/ssl_certs/rubygems.global.ssl.fastly.net/DigiCertHighAssuranceEVRootCA.pem
bundler/lib/bundler/ssl_certs/rubygems.org
bundler/lib/bundler/ssl_certs/rubygems.org/AddTrustExternalCARoot.pem

•We will move the canonical repository of bundler
to rubygems org or rubygems/rubygems(TBD).
•I have a plan to integrate code-base and
command-line interface. Ex. `gem install`
fallback to `bundle install` with no arguments.
(TBD)
•After RubyKaigi 2019, the rubygems/bundler
team member will discuss about this merger
consideration in Fukuoka.
RubyGems/Bundler integration

What's new in RubyGems3

More Related Content

What's hot (20)

Similar to What's new in RubyGems3 (20)

More from Hiroshi SHIBATA (11)

Recently uploaded (20)

What's new in RubyGems3