Control: user debian-rele...@lists.debian.org
Control: usertag -1 +bsp-2018-12-ch-bern
Control: clone -1 -2
Control: retitle -2 ruby-eventmachine: B-D against libssl1.0-dev
Control: severity -2 important
Control: tags -2 +help +upstream
Control: tags -1 +pending

On Thursday, 4 October 2018, 15.38:39 h CET peter green wrote:
> It seems that ruby-eventmachine has a hardcoded 1024 bit CA certificate and
> key, I tried replacing this with a 4096 bit one but the testsuite still
> failed, I then tried replacing the client cert in the test with one signed
> by the new CA but that didn't fix things either.

I've taken another look, and your patch gets rid of the first error; but then other errors trigger:

```
TestSslVerify:
test_accept_server: /build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb: 64: warning: global variable `$cert_from_server' not initialized
F
```

This seems to indicate that the `ssl_verify_peer` method from the test Servers is just not called. If I comment these lines out, then the error becomes:

```
TestSslVerify:
test_accept_server: F
===============================================================================
Failure: test_accept_server(TestSslVerify): <false> is not true.
/build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb:66:in `test_accept_server'
     63:
     64: #assert_equal($cert_from_file, $cert_from_server)
     65: assert($client_handshake_completed)
  => 66: assert($server_handshake_completed)
     67: end
     68:
     69: def test_deny_server
===============================================================================
: (0.029365)
```

So it's really not working, even with bigger keys; deactivating the test is only going to hide the fact that SSL verification is broken.

I have also tried to build the current status of the VCS repository from https://salsa.debian.org/ruby-team/ruby-eventmachine but many other tests fail with that version too.

Finally, I have tried backporting various patches from upstream without luck; I mostly felt like I was stabbing ghosts in the dark.

In Debian, the package seems very old (2015) and not maintained very actively; it should be updated or removed (but has too many reverse dependencies).

That said, the situation upstream doesn't look very bright either; upstream doesn't seem to test against OpenSSL 1.1 either: https://travis-ci.org/eventmachine/eventmachine/jobs/414199579

But… One not too horrible way to fix this bug is to let ruby-eventmachine Build-Depend against libssl1.0-dev; thereby letting it build in unstable again, and documenting in its Build-Depends that it only builds against openssl << 1.1.

debdiff attached, package uploaded!

Cheers,
OdyX

diff -Nru ruby-eventmachine-1.0.7/debian/changelog ruby-eventmachine-1.0.7/debian/changelog --- ruby-eventmachine-1.0.7/debian/changelog 2017-01-23 01:36:45.000000000 +0100 +++ ruby-eventmachine-1.0.7/debian/changelog 2018-12-02 13:44:21.000000000 +0100 @@ -1,3 +1,11 @@ +ruby-eventmachine (1.0.7-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * Build-Depend against libssl1.0-dev; aka OpenSSL << 1.1 + (Closes: #900160) + + -- Didier Raboud <o...@debian.org> Sun, 02 Dec 2018 13:44:21 +0100 + ruby-eventmachine (1.0.7-4) unstable; urgency=medium * Team upload. diff -Nru ruby-eventmachine-1.0.7/debian/control ruby-eventmachine-1.0.7/debian/control --- ruby-eventmachine-1.0.7/debian/control 2017-01-23 01:36:45.000000000 +0100 +++ ruby-eventmachine-1.0.7/debian/control 2018-12-02 13:31:53.000000000 +0100 @@ -9,7 +9,7 @@ Per Andersson <avtob...@gmail.com> Build-Depends: debhelper (>= 9~), gem2deb, - libssl-dev, + libssl1.0-dev, rake, ruby-test-unit Standards-Version: 3.9.8
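
Review bot: The new entry in the debian/changelog hunk, "Build-Depend against libssl1.0-dev; aka OpenSSL << 1.1", gives no reason for the pin, so a later reader cannot tell that it works around a test-suite failure against OpenSSL 1.1 rather than fixing it. Consider adding a line saying that the SSL verification tests (tests/test_ssl_verify.rb) fail when built against OpenSSL 1.1 and that the return to libssl-dev is tracked in the cloned bug, citing its number once it has one.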
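
Review bot: In the debian/control hunk, the swap of "libssl-dev," for "libssl1.0-dev," carries no explanation in the file itself, so the only record of why Build-Depends names the OpenSSL 1.0 branch is the changelog. A comment line directly above the entry (debian/control accepts lines starting with #) stating that the package does not currently pass its SSL tests against OpenSSL 1.1, and naming the bug that tracks it, would make it clear when the pin can be dropped.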