Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl

Thu Aug 2 14:54:16 UTC 2012

Hi Jakub

(I'm Cc'ing the bugreport for the release-team and Philipp Kern
directly)

Thanks a lot for helping bringing some light into this issue!

I convinced now, that adding liblwp-protocol-https-perl to
(build-)dependencies for libcrypt-ssleay-perl should not be needed[1]
(we can close the request to the release team, AFAICS), and is not the
cause of this checkmail Problem.

 [1] Even if this is done upstream for Crypt::SSLeay 0.60, which has
     other reasons it is done, namely[2]:

 [2]: http://search.cpan.org/diff?from=Crypt-SSLeay-0.58&to=Crypt-SSLeay-0.59_02&w=1

On Wed, Aug 01, 2012 at 10:43:08AM +0200, Jakub Wilk wrote:
> * Salvatore Bonaccorso <carnil at debian.org>, 2012-08-01, 01:21:
> >----cut---------cut---------cut---------cut---------cut---------cut-----
> >52 sub http_connect {
> >53     my($self, $cnf) = @_;
> >54     if ($self->isa("Net::SSL")) {
> >55     if ($cnf->{SSL_verify_mode}) {
> >56         if (my $f = $cnf->{SSL_ca_file}) {
> >57         $ENV{HTTPS_CA_FILE} = $f;
> >58         }
> >59         if (my $f = $cnf->{SSL_ca_path}) {
> >60         $ENV{HTTPS_CA_DIR} = $f;
> >61         }
> >62     }
> >63     if ($cnf->{SSL_verifycn_scheme}) {
> >64         $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment     variable to 0";
> >65         return undef;
> >66     }
> >67     }
> >68     $self->SUPER::configure($cnf);
> >69 }
> >----cut---------cut---------cut---------cut---------cut---------cut-----
> >
> >Which suggests: If you need to verify hostnames, use IO::Socket::SSL.
> 
> Correct. It's been always like that with Crypt::SSLeay: if you
> wanted to verify certificates you had to jump through many
> un(der)documented hops. Recently LWP added an extra one...
> 
> >Furthermore Net::HTTPS itself prefers IO::Socket::SSL over
> >Net::SSL if it is available.
> 
> Right. And that one if straight-forward to use. Ideally,
> applications should stop using Crypt::SSLeay wherever possible.

Yes right.

> >checkgmail Depends on libwww-perl for LWP::UserAgent, which on his
> >turn depends on libnet-http-perl.
> 
> It's simpler than that. The Depends chain currently (both in wheezy
> and unstable) is:
> 
> checkgmail -> libwww-perl -> liblwp-protocol-https-perl -> libio-socket-ssl-perl
> 
> Which makes me wonder how the submitter managed to trigger the bug
> in the first place...

Yes this is strange. Wonder if PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL
was set in the environment before starting checkgmail? I haven't found
another possiblity (yet) to force this error elsewise in a VM installing
checkgmail.

It doesen't work elsewise to try to reproduce the user reported
problem, as you pointed out removing libio-socket-ssl-perl will remove
checkgmail too.

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20120802/ff02a77f/attachment.pgp>