Fixes a number of CVEs:
- a DNS request hijacking vulnerability. (CVE-2017-0902)
- an ANSI escape sequence vulnerability. (CVE-2017-0899)
- a DoS vulnerability in the query command. (CVE-2017-0900)
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901)
* Manage patches in git
* Fixes the hook invocation to be more safe. Thanks @Mic92
* Install gems as user by default
* Install gem binaries with the /usr/bin/env shebang
* Fixes a bug where the passthru.libPath and passthru.gemPath would
point to the wrong directory
* Overhaul ruby version heuristics
In the tarball job:
````
checking find-tarballs.nix
error: while evaluating anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:6:1, called from undefined position:
while evaluating ‘operator’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:27:16, called from undefined position:
while evaluating ‘immediateDependenciesOf’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:39:29, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:27:44:
while evaluating anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/attrsets.nix:224:10, called from undefined position:
while evaluating anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:40:37, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/attrsets.nix:224:16:
while evaluating ‘derivationsIn’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:42:19, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:40:40:
while evaluating ‘optional’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/lists.nix:175:20, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:44:33:
while evaluating ‘canEval’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:48:13, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/maintainers/scripts/find-tarballs.nix:44:43:
while evaluating the attribute ‘pkgs’ of the derivation ‘ruby-dev-2.3.1-p0’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/pkgs/build-support/trivial-builders.nix:10:14:
while evaluating ‘override’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:60:22, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/pkgs/development/interpreters/ruby/dev.nix:10:13:
while evaluating ‘makeOverridable’ at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:54:24, called from /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:60:31:
anonymous function at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/pkgs/development/ruby-modules/bundix/default.nix:1:1 called with unexpected argument ‘ruby’, at /tmp/nix-build-nixpkgs-tarball-16.09pre1234.abcdef.drv-0/nixpkgs/lib/customisation.nix:56:12
````
Setting the GEM_PATH after ruby is started is not reliable enough. In
some cases rubygems would have already loaded and ignore these settings.
Fixes#14048
After ruby initializes, rubygems no longer reads the GEM_PATH. Before,
we have the following scenario:
Gem.path # => ["a"]
ENV['GEM_PATH'] = ["b"]
Gem.path # => ["a"] # Still returns the same
Gem.use_paths is the documented way to create isolated environments as
documented in [1].
[1] http://www.rubydoc.info/github/rubygems/rubygems/Gem.use_paths
The idea is to bundle ruby, bundler and bundix together. I was
having issues where bundler was installed with ruby 2.3.0 and I wanted to use
ruby 2.0.0.
With this change all the developer has to do is install `ruby_2_0_0.dev`
either in his environment or in a nix-shell.
Having a separate rubygems package can lead to split-brain scenarios.
Since rubygems is designed to replace himself on a ruby installation,
let's do that.