Bug#826039: liblwp-protocol-https-perl: Two versions of https.pm (6.06) have different contents and one always checks certificates

Adrian Edwards ae_mrs at yahoo.co.uk
Wed Jun 1 19:27:10 UTC 2016 

Package: liblwp-protocol-https-perl
Version: 6.06-2
Severity: grave
Tags: newcomer patch
Justification: renders package unusable

Dear Maintainer,


   * What led up to the situation?

Trying to use $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0; within perl script to prevent verification of a self
signed certificate, the script worked sometimes and not others on different Debian 8 installs. Did a bunch
of installs of minimal system, added packages and modules (apt-get and CPAN) and the module ALWAYS wanted
to verify the cert and didn't honour the environment variable to ignore the check.

After a huge amount of wasted time I discovered there are two version of the protocol module, both have
the same version number 6.06 but the contents of the files are different.

	/usr/local/share/perl/5.20.2/LWP/Protocol/https.pm    Correct/Works
	/usr/share/perl5/LWP/Protocol/https.pm    In Error / Always fails the check

apt-get package liblwp-protocol-https-perl

cpan module LWP::Protocol::https

A discovery that eventually led me to identify the above...
https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/1408331  post 6

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Updated the code in the second file listed above with the code from the web reference above and it works.

   * What was the outcome of this action?

The env variable now recognised by the module and cert check skipped.

   * What outcome did you expect instead?

I tried updating with apt-get / cpan in various combinations to no avail. Not sure why the two files are
different even though the version numbers are the same, and not sure which comes via cpan / apt-get, but
clearly there is a version control problem of some sort here with two conflicting versions being installed
and success or failure is probably determined by a PATH variable of some sort, hence why it worked on some
of my installs and not on others, or maybe only the /usr/local copy was installed on some.


-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblwp-protocol-https-perl depends on:
ii  ca-certificates        20141019+deb8u1
ii  libio-socket-ssl-perl  2.002-2+deb8u1
ii  libnet-http-perl       6.07-1
ii  libwww-perl            6.08-1
ii  perl                   5.20.2-3+deb8u4

liblwp-protocol-https-perl recommends no packages.

Versions of packages liblwp-protocol-https-perl suggests:
ii  libcrypt-ssleay-perl  0.58-1+b2

-- no debconf information

More information about the pkg-perl-maintainers mailing list