[Lockfile] Store each rubygems remote separately

.travis.yml

@@ -5,15 +5,7 @@ before_script: travis_retry rake spec:travis:deps
 branches:
   only:
     - master
-    - 1-9-stable
-    - 1-8-stable
-    - 1-7-stable
-    - 1-6-stable
-    - 1-5-stable
-    - 1-3-stable
-    - 1-2-stable
-    - 1-1-stable
-    - 1-0-stable
+    - 2-0-dev
 
 notifications:
   email:

UPGRADING.md

@@ -0,0 +1,19 @@
+## Bundler 1 to Bundler 2
+
+In the transition from Bundler 1 to Bundler 2, we've made some changes that break backwards compatibility. Each of those changes was carefully selected to make working with Bundler easier to understand, easier to use, and faster. This list will help you get up to speed on the changes, and you'll be back to using Bundler in no time.
+
+### Start with Bundler 1.99
+
+If you're running Bundler 1.x right now, we've created a release specifically to help you migrate to Bundler 2.0. Install Bundler 1.99 and use it. We'll print warnings for anything that's going to change or be removed, so you can get ready for it in advance. Once you're using Bundler 1.99 without any warnings, you should be able to switch to 2.0 and have things just keep working.
+
+#### Changed: Remembered config flags
+
+The way that running `bundle install` with options causes those options to be remembered for all future runs of Bundler has caused a lot of confusion. It's "easy", but it's not the way that any other programs work, and it causes lots of problems when people forget that they once ran Bundler with an option weeks or months before.
+
+In Bundler 2, options passed as flags will not be remembered. This means that if you want to set the `path` option or the `without` option to be remembered, you'll need to do it by running `bundle config path my_path` or `bundle config without production`.
+
+This change is not expected to impact production deployment scripts, because those scripts pass all the options they want to set every time they run `bundle install`.
+
+#### Removed: Deployment helpers
+
+The `bundler/capistrano` and `bundler/vlad` deployment helper files have been removed. Capistrano 3 has built-in Bundler integration in the form of the `capistrano-bundler` gem, and everyone using Capistrano 3 should be using that instead. If for some reason, you are still using Capistrano 2, feel free to copy the Capistrano tasks out of the Bundler 1 file `bundler/deployment.rb` and put them into your app.

lib/bundler/cli.rb

@@ -130,8 +130,8 @@ def check
       "Specify the number of jobs to run in parallel"
     method_option "local", :type => :boolean, :banner =>
       "Do not attempt to fetch gems remotely and use the gem cache instead"
-    method_option "no-cache", :type => :boolean, :banner =>
-      "Don't update the existing gem cache."
+    method_option "cache", :type => :boolean, :banner =>
+      "Update the existing gem cache."
     method_option "force", :type => :boolean, :banner =>
       "Force downloading every gem."
     method_option "no-prune", :type => :boolean, :banner =>

lib/bundler/cli/install.rb

@@ -104,7 +104,7 @@ def run
       definition = Bundler.definition
       definition.validate_ruby!
       Installer.install(Bundler.root, definition, options)
-      Bundler.load.cache if Bundler.app_cache.exist? && !options["no-cache"] && !Bundler.settings[:frozen]
+      Bundler.load.cache if Bundler.app_cache.exist? && options["cache"] && !Bundler.settings[:frozen]
 
       Bundler.ui.confirm "Bundle complete! #{dependencies_count_for(definition)}, #{gems_installed_for(definition)}."
       confirm_without_groups

lib/bundler/definition.rb

@@ -338,8 +338,8 @@ def ensure_equivalent_gemfile_and_lockfile(explicit_flag = false)
 
       gemfile_sources = sources.lock_sources
       if @locked_sources != gemfile_sources
-        new_sources = gemfile_sources - @locked_sources
-        deleted_sources = @locked_sources - gemfile_sources
+        new_sources = gemfile_sources - @locked_sources - [sources.rubygems_aggregate]
+        deleted_sources = @locked_sources - gemfile_sources - [sources.rubygems_aggregate]
 
         if new_sources.any?
           added.concat new_sources.map { |source| "* source: #{source}" }

lib/bundler/deployment.rb

@@ -1,3 +1,7 @@
+$stderr.puts "DEPRECATION: Bundler no longer integrates with " \
+  "Capistrano, but Capistrano provides its own integration with " \
+  "Bundler via the capistrano-bundler gem. Use it instead."
+
 module Bundler
   class Deployment
     def self.define_task(context, task_method = :task, opts = {})

lib/bundler/dsl.rb

@@ -206,12 +206,24 @@ def method_missing(name, *args)
     def add_git_sources
       git_source(:github) do |repo_name|
         repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
-        "git://github.com/#{repo_name}.git"
+        # TODO 2.0 upgrade this setting to the default
+        if Bundler.settings["github.https"]
+          "https://github.com/#{repo_name}.git"
+        else
+          warn_github_source_change(repo_name)
+          "git://github.com/#{repo_name}.git"
+        end
       end
 
-      git_source(:gist){ |repo_name| "https://gist.github.com/#{repo_name}.git" }
+      # TODO 2.0 remove this deprecated git source
+      git_source(:gist) do |repo_name|
+        warn_deprecated_git_source(:gist, 'https://gist.github.com/#{repo_name}.git')
+        "https://gist.github.com/#{repo_name}.git"
+      end
 
+      # TODO 2.0 remove this deprecated git source
       git_source(:bitbucket) do |repo_name|
+        warn_deprecated_git_source(:bitbucket, 'https://#{user_name}@bitbucket.org/#{user_name}/#{repo_name}.git')
         user_name, repo_name = repo_name.split '/'
         repo_name ||= user_name
         "https://#{user_name}@bitbucket.org/#{user_name}/#{repo_name}.git"
@@ -343,21 +355,37 @@ def normalize_source(source)
     def check_primary_source_safety(source)
       return unless source.rubygems_primary_remotes.any?
 
+      # TODO 2.0 upgrade from setting to default
       if Bundler.settings[:disable_multisource]
         raise GemspecError, "Warning: this Gemfile contains multiple primary sources. " \
           "Each source after the first must include a block to indicate which gems " \
-          "should come from that source. To downgrade this error to a warning, run " \
-          "`bundle config --delete disable_multisource`."
+          "should come from that source."
       else
-        Bundler.ui.warn "Warning: this Gemfile contains multiple primary sources. " \
+        Bundler.ui.deprecate "Your Gemfile contains multiple primary sources. " \
           "Using `source` more than once without a block is a security risk, and " \
           "may result in installing unexpected gems. To resolve this warning, use " \
           "a block to indicate which gems should come from the secondary source. " \
-          "To upgrade this warning to an error, run `bundle config " \
-          "disable_multisource true`."
+          "It will be an error to have multiple primary sources in Bundler 2.0. " \
+          "To enable that error now, run `bundle config disable_multisource true`."
       end
     end
 
+    def warn_github_source_change(repo_name)
+      # TODO 2.0 remove deprecation
+      Bundler.ui.deprecate "The :github option uses the git: protocol, which is not secure. " \
+        "Bundler 2.0 will use the https: protcol, which is secure. Enable this change now by " \
+        "running `bundle config github.https true`."
+    end
+
+    def warn_deprecated_git_source(name, repo_string)
+      # TODO 2.0 remove deprecation
+      Bundler.ui.deprecate "The :#{name} git source is deprecated, and will be removed " \
+        "in Bundler 2.0. Add this code to your Gemfile to ensure it continues to work:\n" \
+        "    git_source(:#{name}) do |repo_name|\n" \
+        "      #{repo_string}\n" \
+        "    end", true
+    end
+
     class DSLError < GemfileError
       # @return [String] the description that should be presented to the user.
       #

lib/bundler/lockfile_parser.rb

@@ -101,10 +101,13 @@ def parse_source(line)
             @sources << @current_source
           end
         when GEM
-          Array(@opts["remote"]).each do |url|
-            @rubygems_aggregate.add_remote(url)
+          @current_source = TYPES[@type].from_lock(@opts)
+          # Strip out duplicate rubygems sections
+          if @sources.include?(@current_source)
+            @current_source = @sources.find { |s| s == @current_source }
+          else
+            @sources << @current_source
           end
-          @current_source = @rubygems_aggregate
         end
       when OPTIONS
         value = $2

lib/bundler/setup.rb

@@ -7,10 +7,10 @@
     begin
       Bundler.setup
     rescue Bundler::BundlerError => e
-      puts "\e[31m#{e.message}\e[0m"
-      puts e.backtrace.join("\n") if ENV["DEBUG"]
+      $stderr.puts "\e[31m#{e.message}\e[0m"
+      $stderr.puts e.backtrace.join("\n") if ENV["DEBUG"]
       if e.is_a?(Bundler::GemNotFound)
-        puts "\e[33mRun `bundle install` to install missing gems.\e[0m"
+        $stderr.puts "\e[33mRun `bundle install` to install missing gems.\e[0m"
       end
       exit e.status_code
     end

lib/bundler/shared_helpers.rb

@@ -21,6 +21,7 @@ module SharedHelpers
 
     def default_gemfile
       gemfile = find_gemfile
+      deprecate_gemfile(gemfile)
       raise GemfileNotFound, "Could not locate Gemfile" unless gemfile
       Pathname.new(gemfile)
     end
@@ -97,7 +98,6 @@ def set_bundle_environment
     def find_gemfile
       given = ENV['BUNDLE_GEMFILE']
       return given if given && !given.empty?
-
       find_file('Gemfile', 'gems.rb')
     end
 
@@ -147,6 +147,16 @@ def clean_load_path
       end
     end
 
+    def deprecate_gemfile(gemfile)
+      if gemfile && File.basename(gemfile) == "Gemfile"
+        Bundler.respond_to?(:ui) && Bundler.ui.deprecate(
+          "Gemfile and Gemfile.lock are " \
+          "deprecated and will be replaced with gems.rb and " \
+          "gems.locked in Bundler 2.0.\n"
+        )
+      end
+    end
+
     extend self
   end
 end

lib/bundler/source/rubygems.rb

@@ -43,12 +43,10 @@ def eql?(o)
 
       alias == eql?
 
-      def include?(o)
-        o.is_a?(Rubygems) && (o.credless_remotes - credless_remotes).empty?
-      end
-
       def can_lock?(spec)
-        spec.source.is_a?(Rubygems)
+        return false unless spec.source.is_a?(Rubygems)
+
+        !(spec.source.credless_remotes - credless_remotes).empty?
       end
 
       def options
@@ -229,6 +227,8 @@ def remotes_for_spec(spec)
         end
       end
 
+    private
+
       def loaded_from(spec)
         "#{Bundler.rubygems.gem_dir}/specifications/#{spec.full_name}.gemspec"
       end

lib/bundler/source_list.rb

@@ -1,7 +1,8 @@
 module Bundler
   class SourceList
     attr_reader :path_sources,
-                :git_sources
+                :git_sources,
+                :rubygems_aggregate
 
     def initialize
       @path_sources       = []
@@ -15,7 +16,9 @@ def add_path_source(options = {})
     end
 
     def add_git_source(options = {})
-      add_source_to_list Source::Git.new(options), git_sources
+      source = add_source_to_list(Source::Git.new(options), git_sources)
+      warn_on_git_protocol(source)
+      source
     end
 
     def add_rubygems_source(options = {})
@@ -44,8 +47,7 @@ def get(source)
     end
 
     def lock_sources
-      lock_sources = (path_sources + git_sources).sort_by(&:to_s)
-      lock_sources << combine_rubygems_sources
+      all_sources.sort_by(&:to_s)
     end
 
     def replace_sources!(replacement_sources)
@@ -94,8 +96,16 @@ def source_list_for(source)
       end
     end
 
-    def combine_rubygems_sources
-      Source::Rubygems.new("remotes" => rubygems_remotes)
+    def warn_on_git_protocol(source)
+      return if Bundler.settings["git.allow_insecure"]
+
+      if source.uri =~ %r{^git\:}
+        Bundler.ui.warn "The git source `#{source.uri}` uses the `git` protocol, " \
+          "which transmits data without encryption. Disable this warning with " \
+          "`bundle config git.allow_insecure true`, or switch to the `https` " \
+          "protocol to keep your data secure."
+      end
     end
+
   end
 end

lib/bundler/templates/newgem/newgem.gemspec.tt

@@ -1,7 +1,4 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require '<%=config[:namespaced_path]%>/version'
+require './lib/<%=config[:namespaced_path]%>/version'
 
 Gem::Specification.new do |spec|
   spec.name          = <%=config[:name].inspect%>