• Bug#1078643: rubygems: will FTBFS during trixie support period

    From Lucas Nussbaum@21:1/5 to Santiago Vila on Wed Apr 9 14:10:01 2025
    Control: retitle 1078643 rubygems: could FTBFS during trixie support period due to invalid SSL certificates at public rubygems.org services
    Control: severity 1078643 normal

    Hi,

    On 13/08/24 at 20:15 +0200, Santiago Vila wrote:
    Package: src:rubygems
    Version: 3.4.20-1
    User: debian-qa@lists.debian.org
    Usertags: ftbfs-during-trixie-support-period
    Tags: ftbfs

    Dear maintainer:

    During a rebuild of all packages in unstable in the year 2028, your package failed to build:

    The four failing tests are:

    ===============================================================================
    Failure: test_accessing_new_index(TestGemBundledCA): index.rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42:400::483]:443 state=error: certificate verify failed (certificate has expired).
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:59:in `test_accessing_new_index'
    56: end
    57:
    58: def test_accessing_new_index
    => 59: assert_https("index.rubygems.org")
    60: end
    61: end if Gem::HAVE_OPENSSL
    ===============================================================================
    F
    ===============================================================================
    Failure: test_accessing_rubygems(TestGemBundledCA): rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42:200::483]:443 state=error: certificate verify failed (certificate has expired).
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:47:in `test_accessing_rubygems'
    44: end
    45:
    46: def test_accessing_rubygems
    => 47: assert_https("rubygems.org")
    48: end
    49:
    50: def test_accessing_www_rubygems
    ===============================================================================
    F
    ===============================================================================
    Failure: test_accessing_staging(TestGemBundledCA): staging.rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42:600::483]:443 state=error: certificate verify failed (certificate has expired).
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:55:in `test_accessing_staging'
    52: end
    53:
    54: def test_accessing_staging
    => 55: assert_https("staging.rubygems.org")
    56: end
    57:
    58: def test_accessing_new_index
    ===============================================================================
    F
    ===============================================================================
    Failure: test_accessing_www_rubygems(TestGemBundledCA): www.rubygems.org is not verifiable using the included certificates. Error was: SSL_connect returned=1 errno=0 peeraddr=[2a04:4e42::483]:443 state=error: certificate verify failed (certificate has expired).
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:41:in `rescue in assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:29:in `assert_https'
    /<<PKGBUILDDIR>>/test/rubygems/test_bundled_ca.rb:51:in `test_accessing_www_rubygems'
    48: end
    49:
    50: def test_accessing_www_rubygems
    => 51: assert_https("www.rubygems.org")
    52: end
    53:
    54: def test_accessing_staging
    ===============================================================================


    And the relevant test code is:

    def assert_https(host)
      assert true
      http = Gem::Net::HTTP.new(host, 443)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      http.cert_store = bundled_certificate_store
      http.get("/")
    rescue Errno::ENOENT, Errno::ETIMEDOUT, SocketError, Gem::Net::OpenTimeout
      pend "#{host} seems offline, I can't tell whether ssl would work."
    rescue OpenSSL::SSL::SSLError => e
      # Only fail for certificate verification errors
      if e.message.include?("certificate verify failed")
        flunk "#{host} is not verifiable using the included certificates. Error was: #{e.message}"
      end
      raise
    end

    def test_accessing_rubygems
      assert_https("rubygems.org")
    end

    def test_accessing_www_rubygems
      assert_https("www.rubygems.org")
    end

    def test_accessing_staging
      assert_https("staging.rubygems.org")
    end

    def test_accessing_new_index
      assert_https("index.rubygems.org")
    end


    I think that this issue causes no risk to supporting rubygems for the
    trixie lifetime:
    - it is unlikely that the SSL certificates for those public services
      will not be renewed on time
    - even if it was the case, the issue could be worked around by building
      without network available (then we would hit the first 'rescue', which
      is non-fatal), or by ignoring the error in assert_https(), or by
      disabling those tests.

    I'm thus downgrading severity, but please let me know if you disagree.

    Lucas
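
The failure mode discussed in this message, a chain that verifies today but reports "certificate has expired" when the clock reads 2028, can be reproduced offline. This is an added example, not code from the rubygems test suite or from the bug report; the certificates, names, keys and dates in it are constructed for illustration.

```ruby
require "openssl"

# Build one X.509 certificate. All names, keys and dates are constructed
# sample data, not the real rubygems.org chain.
def make_cert(cn, key, issuer, issuer_key, not_after, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2024, 1, 1)
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` against the trusted `roots` as if the clock read `at`.
# Returns [verdict, OpenSSL error string].
def verify_at(roots, leaf, at)
  store = OpenSSL::X509::Store.new
  roots.each { |c| store.add_cert(c) }
  store.time = at # simulated clock, like the rebuild "in the year 2028"
  [store.verify(leaf), store.error_string]
end

# Subjects of certificates that stop being valid before `deadline`.
def expiring_before(certs, deadline)
  certs.select { |c| c.not_after < deadline }.map { |c| c.subject.to_s }
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert("Constructed Test Root", ROOT_KEY, nil, ROOT_KEY,
                 Time.utc(2035, 1, 1), true)
LEAF = make_cert("host.example", LEAF_KEY, ROOT, ROOT_KEY,
                 Time.utc(2026, 1, 1), false)

# Same chain, two clocks: the date of this message and the simulated rebuild.
p verify_at([ROOT], LEAF, Time.utc(2025, 4, 9))
p verify_at([ROOT], LEAF, Time.utc(2028, 1, 1))
p expiring_before([ROOT, LEAF], Time.utc(2028, 1, 1))
```

Running `expiring_before` over the certificates a test depends on, with the end of the support period as the deadline, shows ahead of time which ones a time-shifted rebuild would reject.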
