On 09. 11. 23 at 16:41, Jun Aruga (he / him) wrote:
> On Thu, Nov 9, 2023 at 10:03 AM Vít Ondruch <vondruch(a)redhat.com> wrote:
>>
>> On 08. 11. 23 at 18:31, Jun Aruga (he / him) wrote:
>>> Hello folks in Ruby SIG.
>>>
>>> I just want to share that right now rpms/ruby started to fail in
>>> Fedora rawhide after the dependent openssl version was upgraded from
>>> openssl 1:3.1.1-4.fc40 to 1:3.1.4-1.fc40.
>>>
>>> https://koschei.fedoraproject.org/package/ruby?collection=f40
>>>
>>> ```
>>> 1) Failure:
>>> OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled
>>> [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:12]:
>>> assert_separately failed with error message
>>> pid 93922 exit 1
>>> | /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in `<class:SSLContext>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in `<module:SSL>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in `<module:OpenSSL>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in `<top (required)>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `require_relative'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `<top (required)>'
>>> | from -:in `require'
>>> 2) Failure:
>>> OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set
>>> [/builddir/build/BUILD/ruby-3.2.2/test/openssl/test_fips.rb:38]:
>>> assert_separately failed with error message
>>> pid 93924 exit 1
>>> | /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/pkey.rb:132:in `new'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:37:in `<class:SSLContext>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:23:in `<module:SSL>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:22:in `<module:OpenSSL>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl/ssl.rb:21:in `<top (required)>'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `require_relative'
>>> | from /builddir/build/BUILD/ruby-3.2.2/redhat-linux-build/.ext/common/openssl.rb:21:in `<top (required)>'
>>> | from -:in `require'
>>> ```
>>>
>>> It seems that we need to apply the following patch that I applied to
>>> CentOS 9 stream and RHEL 9 into Fedora too. I will work on it to pass
>>> the tests on the current rawhide.
>>>
>>> https://gitlab.com/redhat/centos-stream/rpms/ruby/-/commit/59242d8ce8261a...
>>
>> Thx!
>>
>>
>>> As a note, we can remove this patch after upgrading Ruby to 3.3.0.
>>
>> BTW could you also please check the patch was backported into upstream
>> Ruby 3.2 or older? That way we could eventually drop it from everywhere.
>> Thx.
> I sent the PR. I need to test it by myself. But please review.
>
> https://src.fedoraproject.org/rpms/ruby/pull-request/163
>
> Yes, the patch is already upstream below. I expect that the patch is
> included in Ruby 3.3.0.
>
> https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
>
But my question was if the patch was backported for Ruby 3.2 and
possibly older. That would eventually allow us to remove the Patch
from Fedora/c9s. Checking the repo [1], it does not seem to be the
case. Not sure if there is a backport request opened somewhere.

Ah, sorry I misunderstood your question. You are right. This patch and
other patches to pass the FIPS tests are not backported to ruby/ruby
ruby_3_2 branches. And there are no backport requests for that right
now.

OK. I will open the backport request ticket in the Ruby project.

--
Jun | He - Him | Timezone: UTC+1 or 2, Czech Republic
See <