rbs downgraded to version 1.6.2 and debug gem not included due to build
issues.
Added ruby-bundled-gems subpackage to ship all gems bundled in Ruby
without providing independent subpackage for each.
- Fix command injection vulnerability in RDoc.
Resolves: CVE-2021-31799
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
Resolves: CVE-2021-31810
- Fix StartTLS stripping vulnerability in Net::IMAP.
Resolves: CVE-2021-32066
- Fix dependencies of gems with explicit source installed from a different
source.
Resolves: CVE-2020-36327
A result of ruby.spec file depends on how the spec file is called by rpmlint.
```
$ rpmlint ruby.spec
ruby.spec:20: E: use-of-RPM_SOURCE_DIR
..
0 packages and 1 specfiles checked; 3 errors, 4 warnings.
$ rpmlint ./ruby.spec
./ruby.spec:20: E: use-of-RPM_SOURCE_DIR
..
0 packages and 1 specfiles checked; 3 errors, 4 warnings.
```
Nothing referred and no dependency information should be no problem.
Ignore the following error.
```
ruby-libs.x86_64: E: shared-lib-without-dependency-information /usr/lib64/ruby/enc/gb2312.so
```
The `chroot` in the `dir.c` is just used as a Ruby binding `Dir.chroot`
for the function.
Ignore the following error.
```
ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libruby.so.3.0.1
```
The FTBFS has started to happen with rpm-4.16.90-0.git15395.2.fc35.
root.log
```
DEBUG util.py:444: error: line 116: Unknown tag: /chroot_tmpdir/srpm_unpacked/SOURCES/macros.ruby
```
As the `%{?load:...}` is undocumented, it is gone.
https://github.com/rpm-software-management/rpm/issues/1669
Ignore the false positive errors and warnings by the
`rpmlint --file ruby.rpmlintrc`, that is executed by Zuul CI.
You can run the command on your local like this.
```
$ rpmlint --file ruby.rpmlintrc ruby.spec /var/lib/mock/fedora-rawhide-x86_64/result/*.rpm
```
The `rpmlint` without `--file` option shows the original result.
Symlinks to StdLib provided to preserve `--disable-gems` functionality
together with `require_relative` cause double loading issues [1], e.g.:
~~~
$ ruby --disable-gems -e 'require "openssl"; require "openssl/digest"'
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::MD4
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of MD4 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::MD5
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of MD5 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::RIPEMD160
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of RIPEMD160 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA1
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA1 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA224
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA224 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA256
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA256 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA384
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA384 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA512
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA512 was here
/usr/share/ruby/openssl/digest.rb:52:in `<class:Digest>': superclass mismatch for class Digest (TypeError)
from /usr/share/ruby/openssl/digest.rb:16:in `<module:OpenSSL>'
from /usr/share/ruby/openssl/digest.rb:15:in `<top (required)>'
from -e:1:in `require'
from -e:1:in `<main>'
~~~
We could maintain a downstream patch reverting the `require_relative`,
but given that how much troubles the extracted gems cause, it'll be
better to keep them bundled. This will provide similar experience to
upstream and prevent similar issues.
[1]: https://bugs.ruby-lang.org/issues/16978#note-11
