OpenSSL::SSL::SSLContext#cert_store= uses SSL_CTX_set_cert_store(). The
store is used for verifying peer certificates and for building
certificate chains to be sent to the peer if there is no chain
explicitly provided by SSLContext#extra_chain_cert=.
Do not specify it in the common test helper start_server, as most
callers do not require either function. Instead, update individual test
cases that use client certificates to explicitly specify it in ctx_proc.
A more direct test case is added to verify the latter function.
https://github.com/ruby/openssl/commit/9daecee615
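
The chain-building role of the store described in the commit message above, as an added Ruby example (not code from the commit or its test suite). The three-certificate PKI and the `issue` and `handshake` helpers are constructed for illustration; it assumes a platform with `UNIXSocket.pair`.

```ruby
require "openssl"
require "socket"

# Issue a certificate for a constructed test PKI (self-signed when issuer is nil).
def issue(cn, issuer, issuer_key, ca:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**30)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, "SHA256")
  [cert, key]
end

ROOT, ROOT_KEY = issue("Constructed Root CA", nil, nil, ca: true)
INTER, INTER_KEY = issue("Constructed Intermediate CA", ROOT, ROOT_KEY, ca: true)
LEAF, LEAF_KEY = issue("localhost", INTER, INTER_KEY, ca: false)

# Handshake over a socket pair. The server sets no extra_chain_cert; its
# cert_store holds server_store_certs. The client trusts only ROOT.
# Returns the subjects of the chain the client received, or :verify_failed.
def handshake(server_store_certs)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = LEAF
  sctx.key = LEAF_KEY
  store = OpenSSL::X509::Store.new
  server_store_certs.each { |c| store.add_cert(c) }
  sctx.cert_store = store
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store = OpenSSL::X509::Store.new.add_cert(ROOT)
  s_io, c_io = UNIXSocket.pair
  server = Thread.new { OpenSSL::SSL::SSLSocket.new(s_io, sctx).accept rescue nil }
  client = OpenSSL::SSL::SSLSocket.new(c_io, cctx)
  client.connect
  client.peer_cert_chain.map { |c| c.subject.to_s }
rescue OpenSSL::SSL::SSLError
  :verify_failed
ensure
  server&.join
  [s_io, c_io].each { |io| io&.close }
end
```

With the intermediate in the server's store, the client receives leaf plus intermediate and verification against the root succeeds; with an empty store only the leaf is sent and the client rejects it.
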
This function replaces the internal rb_obj_gc_flags API. rb_gc_object_metadata
returns an array of name and value pairs, with the last element having
0 for the name.
If the TZ environment variable is not set, the time zone names
retrieved from the system are localized for UI display and may vary
across editions and language packs for the same time zone.
Use the time zone IDs that are invariant across environments instead.
We had been using a stub weak definition of `mprotect` in wasm/missing.c
so far, but wasi-sdk 23 added mprotect emulation to wasi-libc[^1], so the
emulation is now linked instead. However, the emulation doesn't support
PROT_NONE and fails with ENOSYS, so we need to avoid calling mprotect
completely on WASI.
[^1]: 7528b13170
Unfortunately this requires reverting a previous enhancement of
reinstalling gems if they incorrectly ship with an empty installation
dir.
However, there's no way to distinguish this kind of bad state from a gem
that's empty for real, for example, sorbet-static-and-runtime.
This reverts commit https://github.com/rubygems/rubygems/commit/9720a9b980d2, and adds a
spec to make sure empty gems are not reinstalled every time.
https://github.com/rubygems/rubygems/commit/7c102394af
We should skip reference updating for entries in too complex generic ivars
that are special constants. This fixes the following crash:
    MAX_SHAPES = 0x80000
    MAX_SHAPES.times do |i|
      o = []
      o.instance_variable_set(:"@foo#{i}", 1)
    end
    o = []
    o.instance_variable_set(:"@a", 123)
    GC.compact
Sometimes security reports believe they have found a vulnerability
because they find a domain we don't own being used in the rubygems
repository. Though there is nothing vulnerable about using 'fake'
domains in tests when they are never hit, it nonetheless reduces
confusion for everyone if we constrain our test domains to domains
we actually own and control.
https://github.com/rubygems/rubygems/commit/e77ebbe2fc
There's no reason to call `converge_specs` when adding additional
lower bound requirements to prevent downgrades, and it actually causes
the extra requirements to be missed sometimes.
Loop over the originally locked specs directly, adding the additional
precaution of not adding the requirement if the Gemfile dependency has
changed and it no longer matches the locked spec.
https://github.com/rubygems/rubygems/commit/5154506912
Resolver had internal logic to prioritize locked versions when sorting
versions, however part of it was not being actually hit because of how
unlocking worked in the resolver: a package was allowed to be unlocked
when that was explicitly requested or when the list of unlocks was empty.
That did not make a lot of sense and other cases were working because
the explicit list of unlocks was getting "artificially filled".
Now we consider a package unlocked when explicitly requested (`bundle
update <package>`), or when everything is being unlocked (`bundle
install` with no lockfile or `bundle update`).
This makes things simpler and gets the edge case added as a test case
working as expected.
https://github.com/rubygems/rubygems/commit/b8e55087f0