[DRE-maint] Bug#911259: ruby-httpclient: Please use the system ca-certificates instead of bundling one

Vincent Tondellier tonton+dbug at team1664.org
Wed Oct 17 19:05:19 BST 2018


Package: ruby-httpclient
Version: 2.8.3-1
Severity: normal

Dear Maintainer,

ruby-httpclient bundles a copy of the root certificate authorities:

$ dpkg -L ruby-httpclient | grep pem
/usr/lib/ruby/vendor_ruby/httpclient/cacert.pem
/usr/lib/ruby/vendor_ruby/httpclient/cacert1024.pem
...

Thus, the local CAs configured by the local system administrator (by adding
a .crt file in /usr/local/share/ca-certificates/) are ignored, the explicitly
untrusted CAs are still valid, etc ...

Test (with ca-cacert installed):
$ ruby -rhttpclient -e 'p HTTPClient.get("https://www.cacert.org")'
...
/usr/lib/ruby/vendor_ruby/httpclient/ssl_socket.rb:103:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

Expected:
$ curl https://www.cacert.org
<!DOCTYPE ...
...
</html>

Please find attached a debdiff to use the system CA bundle instead.
Some comments:
- the file "cacert1024.pem" is not used by the code: removed
- the ca-certificates package is already pulled by rubygems-integration,
  but a direct dependency may be better


Thanks.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ruby-httpclient depends on:
ii  ruby                        1:2.5.1
ii  ruby-http-cookie            1.0.2-1
ii  ruby2.1 [ruby-interpreter]  2.1.5-4
ii  ruby2.2 [ruby-interpreter]  2.2.4-1

ruby-httpclient recommends no packages.

ruby-httpclient suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-httpclient-unbundle-ca.patch
Type: text/x-patch
Size: 1433 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20181017/45fe7fe7/attachment.bin>
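To make the trust-store difference in the report concrete, here is an added Ruby example (not part of the bug report, the attached debdiff, or the ruby-httpclient package): it constructs a sample local CA and a leaf it signed, then verifies the leaf against a fixed list of roots standing in for the bundled cacert.pem and against a store that also holds the local CA. The `/etc/ssl/certs/ca-certificates.crt` path is an assumption about the Debian layout; the sample PKI is generated in memory.

```ruby
require 'openssl'

# Constructed sample PKI: a local CA (the kind an admin drops into
# /usr/local/share/ca-certificates/) and an intranet leaf it signed.
def make_cert(subject, key, issuer: nil, issuer_key: nil, serial:, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

LOCAL_CA_KEY = OpenSSL::PKey::RSA.new(2048)
LOCAL_CA = make_cert('/CN=Example Local CA', LOCAL_CA_KEY, serial: 1, ca: true)
LEAF = make_cert('/CN=intranet.example', OpenSSL::PKey::RSA.new(2048),
                 issuer: LOCAL_CA, issuer_key: LOCAL_CA_KEY, serial: 2, ca: false)

# Verify a leaf against a store built only from a fixed list of PEM roots.
# This models a bundled cacert.pem: whatever the admin added to the system
# store is invisible here. Returns [verified?, OpenSSL error string].
def verify_with_bundle(leaf, bundle_pems)
  store = OpenSSL::X509::Store.new
  bundle_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

# A store that trusts what the system trusts: OpenSSL's default CA paths,
# which on Debian ca-certificates populates (including /usr/local additions).
# SYSTEM_BUNDLE is an assumed Debian path, only loaded if present.
SYSTEM_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'
def system_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.add_file(SYSTEM_BUNDLE) if File.exist?(SYSTEM_BUNDLE)
  store
end

if $PROGRAM_NAME == __FILE__
  p verify_with_bundle(LEAF, [])                # fixed bundle without the local CA: verification fails
  p verify_with_bundle(LEAF, [LOCAL_CA.to_pem]) # [true, "ok"]
end
```

The failing case reports the same OpenSSL reason the bug report shows ("unable to get local issuer certificate"), which is what any client pinned to a bundled root list produces for an admin-added CA.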