[DRE-maint] Bug#900160: ruby-eventmachine: FTBFS against openssl 1.1.1

Didier 'OdyX' Raboud odyx at debian.org
Sun Dec 2 12:46:43 GMT 2018


Control: user debian-release at lists.debian.org
Control: usertag -1 +bsp-2018-12-ch-bern
Control: clone -1 -2
Control: retitle -2 ruby-eventmachine: B-D against libssl1.0-dev
Control: severity -2 important
Control: tags -2 +help +upstream
Control: tags -1 +pending

On Thursday, 4 October 2018, 15.38:39 h CET, peter green wrote:
> It seems that ruby-eventmachine has a hardcoded 1024 bit CA certificate and
> key, I tried replacing this with a 4096 bit one but the testsuite still
> failed, I then tried replacing the client cert in the test with one signed
> by the new CA but that didn't fix things either.

I've taken another look, and your patch gets rid of the first error; but then 
other errors trigger:

```
TestSslVerify: 
  test_accept_server: /build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb:64: warning: global variable `$cert_from_server' not initialized
F
```

This seems to indicate that the `ssl_verify_peer` method from the test Servers
is just not called. If I comment these lines out, then the error becomes:

```
TestSslVerify: 
  test_accept_server:                                   F
===============================================================================
Failure: test_accept_server(TestSslVerify): <false> is not true.
/build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb:66:in `test_accept_server'
     63: 
     64:     #assert_equal($cert_from_file, $cert_from_server)
     65:     assert($client_handshake_completed)
  => 66:     assert($server_handshake_completed)
     67:   end
     68: 
     69:   def test_deny_server
===============================================================================
: (0.029365)
```

So it's really not working, even with bigger keys; deactivating the test is 
only going to hide the fact that SSL verification is broken.

I have also tried to build the current status of the VCS repository from 
https://salsa.debian.org/ruby-team/ruby-eventmachine but many other tests fail 
with that version too.

Finally, I have tried backporting various patches from upstream without luck;
I mostly felt like I was stabbing ghosts in the dark.

In Debian, the package seems very old (2015) and not maintained very actively; 
it should be updated or removed (but has too many reverse dependencies).

That said, the situation upstream doesn't look very bright either; upstream 
doesn't seem to test against OpenSSL 1.1 either:
	https://travis-ci.org/eventmachine/eventmachine/jobs/414199579

But… One not too horrible way to fix this bug is to let ruby-eventmachine 
Build-Depend against libssl1.0-dev; thereby letting it build in unstable 
again, and documenting in its Build-Depends that it only builds against 
openssl << 1.1.

debdiff attached, package uploaded!

Cheers,
    OdyX
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-eventmachine_1.0.7-4.1.debdiff
Type: text/x-patch
Size: 1095 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20181202/2001fae0/attachment.bin>