Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl

Salvatore Bonaccorso carnil at debian.org
Tue Jul 31 23:21:47 UTC 2012 

Hey Jakub

On Tue, Jul 31, 2012 at 10:28:16AM +0200, Jakub Wilk wrote:
> * Salvatore Bonaccorso <carnil at debian.org>, 2012-07-31, 08:38:
> >>libcrypt-ssleay-perl -> liblwp-protocol-https-perl ->
> >>libio-socket-ssl-perl -> libnet-ssleay-perl
> >
> >Could you help me here? I don't get it yet. libcrypt-ssleay-perl
> >and libnet-ssleay-perl are from two different source packages.
> 
> Bah, you're right. I can't read. :)

Okay thanks. I was not sure if I miss something else :)

I had a bit a look at the issue you mentioned:

The manpage for Crypt::SSLeay has:

       The "Crypt::SSLeay" package provides "Net::SSL", which is loaded by "LWP::Protocol::https" for https
       requests and provides the necessary SSL glue.

But: we had the missing the dependency for LWP::Protocol::https until
0.58-1. The above seems not clear.

Looking at the dependencies for liblwp-protocol-https-perl I see there
is libnet-http-perl in the Depends. In Net::HTTPS then the following:

----cut---------cut---------cut---------cut---------cut---------cut-----
 52 sub http_connect {
 53     my($self, $cnf) = @_;
 54     if ($self->isa("Net::SSL")) {
 55     if ($cnf->{SSL_verify_mode}) {
 56         if (my $f = $cnf->{SSL_ca_file}) {
 57         $ENV{HTTPS_CA_FILE} = $f;
 58         }
 59         if (my $f = $cnf->{SSL_ca_path}) {
 60         $ENV{HTTPS_CA_DIR} = $f;
 61         }
 62     }
 63     if ($cnf->{SSL_verifycn_scheme}) {
 64         $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment     variable to 0";
 65         return undef;
 66     }
 67     }
 68     $self->SUPER::configure($cnf);
 69 }
----cut---------cut---------cut---------cut---------cut---------cut-----

Which suggests: If you need to verify hostnames, use IO::Socket::SSL.
Furthermore Net::HTTPS itself prefers IO::Socket::SSL over Net::SSL if
it is available.

At this point now I'm confused and I'm thinking libcrypt-ssleay-perl
does not need the dependency on liblwp-protocol-https-perl.

checkgmail Depends on libwww-perl for LWP::UserAgent, which on his
turn depends on libnet-http-perl. libnet-http-perl has according the
above a *Recommends* on libio-socket-ssl-perl to have hostname
verification working. Btw, this was added in [1].

 [1]: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libnet-http-perl.git;a=commitdiff;h=8231ef0cf6eb3c14fe55f9323077f31abf95c904

Looking at it seems okay to me to have libio-socket-ssl-perl in
Recommends for libnet-http-perl (and not Depends) at first glance.

checkgmail now uses libwww-perl which has verify_hostname set to 1 by
default:

----cut---------cut---------cut---------cut---------cut---------cut-----
=item PERL_LWP_SSL_VERIFY_HOSTNAME                                                                                                                                                  

The default C<verify_hostname> setting for C<LWP::UserAgent>.  If
not set the default will be 1.  Set it as 0 to disable hostname
verification (the default prior to libwww-perl 5.840.
----cut---------cut---------cut---------cut---------cut---------cut-----

... and this reminds me now[2].

 [2]: http://bugs.debian.org/669126

Furthermore I suspect the original bugreporter had installed
checkgmail without installing Recommends, is this correct? Furthermore
indeed reporter had libwww-perl 6.01-3 installed, so one which has set
the verify_hostname by default).

As the above is a bit confusing I try to summarize:

 1/ Adding liblwp-protocol-https-perl dependencies to
    libcrypt-ssleay-perl seems wrong.

 2/ libnet-http-perl recommends libio-socket-ssl-perl which is correct,
    as it supports both Net::SSL as IO::Socket::SSL, but if you want
    hostname verification you need IO::Socket::SSL.

 3/ libwww-perl (>= 6.01-1) sets the verify_hostname by default.

 4/ checkgmail uses implicity libwww-perl (which has verify_hostname
    set by default). But if checkgmail is now installed on a system
    which does not install recommends there is a discrepancy as
    libwww-perl set's the verification, but libnet-http-perl will not
    install libio-socket-ssl-perl.

This is what I have so far. Any comments from others?

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20120801/811913bc/attachment.pgp>

More information about the pkg-perl-maintainers mailing list