[DRE-maint] Bug#1078643: rubygems: will FTBFS during trixie support period
Lucas Nussbaum
lucas at debian.org
Wed Apr 9 13:06:25 BST 2025
Control: retitle 1078643 rubygems: could FTBFS during trixie support period due to invalid SSL certificates at public rubygems.org services
Control: severity 1078643 normal
Hi,
On 13/08/24 at 20:15 +0200, Santiago Vila wrote:
> Package: src:rubygems
> Version: 3.4.20-1
> User: debian-qa at lists.debian.org
> Usertags: ftbfs-during-trixie-support-period
> Tags: ftbfs
>
> Dear maintainer:
>
> During a rebuild of all packages in unstable in the year 2028, your package failed to build:
The four failing tests are:
===============================================================================
Failure: test_accessing_new_index(TestGemBundledCA): index.rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42:400::483]:443 state=error: certificate verify failed (certificate has expired).
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:59:in `test_accessing_new_index'
56: end
57:
58: def test_accessing_new_index
=> 59: assert_https("index.rubygems.org")
60: end
61: end if Gem::HAVE_OPENSSL
===============================================================================
F
===============================================================================
Failure: test_accessing_rubygems(TestGemBundledCA): rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42:200::483]:443 state=error: certificate verify failed (certificate has expired).
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:47:in `test_accessing_rubygems'
44: end
45:
46: def test_accessing_rubygems
=> 47: assert_https("rubygems.org")
48: end
49:
50: def test_accessing_www_rubygems
===============================================================================
F
===============================================================================
Failure: test_accessing_staging(TestGemBundledCA): staging.rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42:600::483]:443 state=error: certificate verify failed (certificate has expired).
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:55:in `test_accessing_staging'
52: end
53:
54: def test_accessing_staging
=> 55: assert_https("staging.rubygems.org")
56: end
57:
58: def test_accessing_new_index
===============================================================================
F
===============================================================================
Failure: test_accessing_www_rubygems(TestGemBundledCA): www.rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42::483]:443 state=error: certificate verify failed (certificate has expired).
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
/<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:51:in `test_accessing_www_rubygems'
48: end
49:
50: def test_accessing_www_rubygems
=> 51: assert_https("www.rubygems.org")
52: end
53:
54: def test_accessing_staging
===============================================================================
And the relevant test code is:
  def assert_https(host)
    assert true
    http = Gem::Net::HTTP.new(host, 443)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.cert_store = bundled_certificate_store
    http.get("/")
  rescue Errno::ENOENT, Errno::ETIMEDOUT, SocketError, Gem::Net::OpenTimeout
    pend "#{host} seems offline, I can't tell whether ssl would work."
  rescue OpenSSL::SSL::SSLError => e
    # Only fail for certificate verification errors
    if e.message.include?("certificate verify failed")
      flunk "#{host} is not verifiable using the included certificates. Error was: #{e.message}"
    end
    raise
  end

  def test_accessing_rubygems
    assert_https("rubygems.org")
  end

  def test_accessing_www_rubygems
    assert_https("www.rubygems.org")
  end

  def test_accessing_staging
    assert_https("staging.rubygems.org")
  end

  def test_accessing_new_index
    assert_https("index.rubygems.org")
  end
I think that this issue causes no risk to supporting rubygems for the
trixie lifetime:
- it is unlikely that the SSL certificates for those public services
will not be renewed on time
- even if it was the case, the issue could be worked around by building
without network available (then we would hit the first 'rescue', which
is non-fatal), or by ignoring the error in assert_https(), or by
disabling those tests.
I'm thus downgrading severity, but please let me know if you disagree.
Lucas
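
The failure mode discussed in this message can be reproduced offline. The Ruby sketch below is an added example, not part of the original message or of the rubygems test suite: it verifies a constructed server certificate against a constructed CA at two clock values and separates "certificate has expired" from a missing trust anchor. All names, dates, keys and helper functions in it are assumptions made for illustration.

```ruby
require "openssl"

# Build a certificate for a constructed test PKI (not rubygems.org's real chain).
# With no issuer given, the certificate is self-signed.
def make_cert(cn, key, not_after, issuer: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2025, 1, 1)
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify cert against store as if the clock read `at`, then classify the result.
def verify_at(store, cert, at)
  store.time = at
  return :ok if store.verify(cert)
  store.error == OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED ? :expired : :trust_failure
end

# Constructed sample data: a CA valid until 2035 and a server certificate valid until 2026.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("Constructed Test CA", CA_KEY, Time.utc(2035, 1, 1), ca: true)
LEAF_CERT = make_cert("server.example", LEAF_KEY, Time.utc(2026, 1, 1),
                      issuer: CA_CERT, issuer_key: CA_KEY)

# Stand-in for a bundled CA store: trusts only the constructed CA.
def constructed_store
  OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }
end

# Clock inside the server certificate's validity window.
puts verify_at(constructed_store, LEAF_CERT, Time.utc(2025, 4, 9))
# Clock moved to 2028: same trusted CA, but the server certificate has expired.
puts verify_at(constructed_store, LEAF_CERT, Time.utc(2028, 1, 1))
# Empty store: the issuing CA is missing from the bundle.
puts verify_at(OpenSSL::X509::Store.new, LEAF_CERT, Time.utc(2025, 4, 9))
```

In `assert_https` the same distinction is visible in the exception text, which ends in "(certificate has expired)" in all four failures shown above.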