Dne 08. 11. 23 v 18:31 Jun Aruga (he / him) napsal(a): > Hello folks in Ruby SIG. > > I just want to share that right now rpms/ruby started to fail in > Fedora rawhide after the dependent openssl version was upgraded from > openssl 1:3.1.1-4.fc40 to 1:3.1.4-1.fc40. > https://koschei.fedoraproject.org/package/ruby?collection=f40 > > ``` > 1) Failure: > OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled > [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:12]: > assert_separately failed with error message > pid 93922 exit 1 > | /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in > `initialize': could not parse pkey (OpenSSL::PKey::DHError) > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in > `new' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in > `new' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in > `<class:SSLContext>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in > `<module:SSL>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in > `<module:OpenSSL>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in > `<top (required)>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in > `require_relative' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in > `<top (required)>' > | from -:in `require' > 2) Failure: > OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set > [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:38]: > assert_separately failed with error message > pid 93924 exit 1 > | /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in > `initialize': could not parse pkey (OpenSSL::PKey::DHError) > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in > `new' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in > `new' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in > `<class:SSLContext>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in > `<module:SSL>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in > `<module:OpenSSL>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in > `<top (required)>' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in > `require_relative' > | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in > `<top (required)>' > | from -:in `require' > ``` > > It seems that we need to apply the following patch that I applied to > CentOS 9 stream and RHEL 9 into Fedora too. I will work on it to pass > the tests on the current rawhide. > https://gitlab.com/redhat/centos-stream/rpms/ruby/-/commit/59242d8ce8261a... Thx! > > As a note, we can remove this patch after upgrading Ruby to 3.3.0. BTW could you also please check the patch was backported into upstream Ruby 3.2 or older? That way we could eventually drop it from everywhere. Thx.

Dne 09. 11. 23 v 16:41 Jun Aruga (he / him) napsal(a): > On Thu, Nov 9, 2023 at 10:03 AM Vít Ondruch <vondruch(a)redhat.com&gt; wrote: >> >> Dne 08. 11. 23 v 18:31 Jun Aruga (he / him) napsal(a): >>> Hello folks in Ruby SIG. >>> >>> I just want to share that right now rpms/ruby started to fail in >>> Fedora rawhide after the dependent openssl version was upgraded from >>> openssl 1:3.1.1-4.fc40 to 1:3.1.4-1.fc40. >>> https://koschei.fedoraproject.org/package/ruby?collection=f40 >>> >>> ``` >>> 1) Failure: >>> OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled >>> [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:12]: >>> assert_separately failed with error message >>> pid 93922 exit 1 >>> | /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in >>> `initialize': could not parse pkey (OpenSSL::PKey::DHError) >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in >>> `new' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in >>> `new' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in >>> `<class:SSLContext>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in >>> `<module:SSL>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in >>> `<module:OpenSSL>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in >>> `<top (required)>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in >>> `require_relative' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in >>> `<top (required)>' >>> | from -:in `require' >>> 2) Failure: >>> OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set >>> [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:38]: >>> assert_separately failed with error message >>> pid 93924 exit 1 >>> | /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in >>> `initialize': could not parse pkey (OpenSSL::PKey::DHError) >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in >>> `new' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in >>> `new' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in >>> `<class:SSLContext>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in >>> `<module:SSL>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in >>> `<module:OpenSSL>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in >>> `<top (required)>' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in >>> `require_relative' >>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in >>> `<top (required)>' >>> | from -:in `require' >>> ``` >>> >>> It seems that we need to apply the following patch that I applied to >>> CentOS 9 stream and RHEL 9 into Fedora too. I will work on it to pass >>> the tests on the current rawhide. >>> https://gitlab.com/redhat/centos-stream/rpms/ruby/-/commit/59242d8ce8261a... >> >> Thx! >> >> >>> As a note, we can remove this patch after upgrading Ruby to 3.3.0. >> >> BTW could you also please check the patch was backported into upstream >> Ruby 3.2 or older? That way we could eventually drop it from everywhere. >> Thx. > I sent the PR. I need to test it by myself. But please review. > https://src.fedoraproject.org/rpms/ruby/pull-request/163 > > Yes, the patch is already upstream below. I expect that the patch is > included in Ruby 3.3.0. > https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814 > But my question was if the patch was backported for Ruby 3.2 and possibly older. That would eventually allowed us to remove the Patch from Fedora/c9s. Checking the repo [1], it does not seems to be the case. Not sure if there is backport request opened somewhere.

The PR was merged. Now Koschei passes. https://src.fedoraproject.org/rpms/ruby/pull-request/163 > But my question was if the patch was backported for Ruby 3.2 and possibly older. I opened the backport request ticket below in the Ruby project. https://bugs.ruby-lang.org/issues/20000