Package: cmake
Version: 2.8.9-1
Severity: normal

I have recently discovered that CMake support for SSL downloads is
fragile, and the Debian version does not work correctly because of
that issue.

Here is a simple script to illustrate this issue for the
Debian version of cmake.

software@raven> cat test.cmake
file(DOWNLOAD
"http://download.gnome.org/sources/glib/2.32/glib-2.32.1.tar.xz";
"${CMAKE_SOURCE_DIR}/cmake_downloaded_glib-2.32.1.tar.xz"
SHOW_PROGRESS STATUS status)
message(STATUS "Download status = ${status}")

software@raven> /usr/bin/cmake -P test.cmake
-- [download 0% complete]
-- Download status = 35;"SSL connect error"

Using these alternatives works fine to download that tarball

software@raven> wget 
http://download.gnome.org/sources/glib/2.32/glib-2.32.1.tar.xz

software@raven> curl -o curl-glib-2.32.1.tar.xz -L \
http://download.gnome.org/sources/glib/2.32/glib-2.32.1.tar.xz

If you look closer at the wget result there is a redirect through an
https URL, and that use of SSL is the cause of the above SSL connect
error.

So why does the curl executable work, but not the cmake file(DOWNLOAD
... command?  If you look closely, curl is linked to libcurl.so (which
in turn is linked to openssl).  While cmake is linked to
libcurl_gnutls.so instead which is linked to libgnutls for its SSL
support.  When I built cmake (version 2.8.10.2) against
libcurl_gnutls.so I got the same "SSL connect error" for the above
test.  Note, however, when I built cmake against libcurl.so, the
file(DOWNLOAD command of the above test succeeded without issues!

So there appears to be a basic incompatibility between cmake and
libcurl_gnutls.so, and the obvious cure (which I recommend) is to
build cmake against libcurl.so rather than libcurl_gnutls.so.

The other issue, of course, is upstream CMake should not be this
sensitive to SSL library issues.  It should either blacklist
libcurl_gnutls.so or else solve the above "SSL connect error"
incompatibility with libcurl_gnutls.so. There is an on-going thread
about the sensitivity of CMake to the SSL library on the cmake-devel
list which I have summarized today at
http://public.kitware.com/pipermail/cmake-developers/2013-July/007759.html.

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cmake depends on:
ii  cmake-data         2.8.9-1
ii  libarchive12       3.0.4-3+nmu1
ii  libc6              2.13-38
ii  libcurl3-gnutls    7.26.0-1+wheezy3
ii  libexpat1          2.1.0-1
ii  libgcc1            1:4.7.2-5
ii  libstdc++6         4.7.2-5
ii  libxmlrpc-core-c3  1.16.33-3.2
ii  procps             1:3.3.3-3
ii  zlib1g             1:1.2.7.dfsg-13

cmake recommends no packages.

Versions of packages cmake suggests:
ii  gcc   4:4.7.2-1
ii  make  3.81-8.2

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to