Ruby 2.3 Update OpenSSL 1.0.2q to 1.0.2u #1
* As distributions don't provide old OpenSSL anymore, or it is inconvenient because the newer OpenSSL has to be removed to install Ruby.
Thank you for the PR. I think it would be better to send this PR to https://github.com/rbenv/ruby-build and update all mentions of 1.0.2q. Could you do that? Then I can rebase my branch which enables building OpenSSL on Linux.
Yes, I'll do a PR for ruby-build. Speaking of EOL, maybe add something to the use-ruby-action README like the following: Older Rubies and the packages they are built with may be EOL. In particular, Ubuntu & macOS 2.3.x and Windows 2.4 are built with OpenSSL 1.0.2. OpenSSL 1.0.2 is EOL and should not be used in applications where it is depended on for secure communications.
In https://github.com/eregon/use-ruby-action/#supported-versions there is already:
I didn't know RubyInstaller2 Ruby 2.4 binaries are built with OpenSSL 1.0.2, that's surprising since Ruby 2.4 supports OpenSSL 1.1.x. Can you double-check? Then I'll mention that in the README too.
Yes, 2.4.9 is 1.0.2t. OpenSSL 1.1.1 was released on 2018-09-11. Ruby 2.4.0 was released 2016-12. Also, I may have mentioned that MSYS2 was slow to make a 1.1.1 package available. Lastly, the openssl stdlib included in 2.4 was released before 1.1.1 existed. It was probably tested against 1.1.0, which 1.1.1 should be compatible with...
Thanks for checking, I'll add a note to the README. That sounds like it could be worth having newer builds of Ruby 2.4 in RubyInstaller2, cc @larskanis.
Feel free to look at my PR (review, approve, etc): I split it into two commits, one with the OpenSSL 1.0.2u changes, one with the cert code (which I just took from your original commit). All built and showed the correct OpenSSL version.
I forgot a bit about this, sorry. Would you like me to update to OpenSSL 1.0.2u for 2.3.x builds of https://github.com/eregon/use-ruby-action ?
I (and I doubt others) are losing sleep over it, but I thought sometime...
I've had the same thoughts re getting Ruby master on Actions. I've meant to try it by checking out the following PR, but haven't had a chance... |
That PR first deletes the asset, so it's not atomic, there can be a time where there won't be any asset for that name. The GitHub API doesn't allow doing it directly either, it seems. @larskanis I'm not sure how files are updated for https://github.com/oneclick/rubyinstaller2/releases/tag/rubyinstaller-head but I guess there is also the same issue that there may be some time where the asset file is deleted and not re-added yet?
@eregon Yes, release files are first deleted then uploaded again. So there are some seconds every day, where each file is not available. Upload code is here: https://github.com/oneclick/rubyinstaller2/blob/master/lib/ruby_installer/build/release.rb#L107-L116
I'll update from OpenSSL 1.0.2t to 1.0.2u with the next release of RubyInstaller-2.4.
This is done now, I rebuilt Ruby 2.3.x releases on Ubuntu & macOS using OpenSSL 1.0.2u: FWIW I used a script to copy other release files: https://github.com/eregon/ruby-install-builder/blob/dceb96622a882df37d35819f9282390e49da8d08/generate-copy-yml.rb
I meant to update from OpenSSL 1.0.2t to OpenSSL 1.1.1, since OpenSSL 1.0.2 is end-of-life. Essentially I'd like to remove this warning in the README:
No - RubyInstaller-2.4 will stay on OpenSSL-1.0.2 since ruby's OpenSSL API is not fully compatible with the API when compiled against OpenSSL-1.1 (see here). I don't think 4 months difference in EOL time justifies an API break.
@larskanis Understood and fair enough.
Built in forks, the OpenSSL test passed. I also added:
to the workflow yaml in ruby-install-builder in my fork. Outputs the version info, both were:
which is a lot better than
JFYI, Windows builds have generally always used the most recent MSYS2 package. But, since they have quite a few packages built with OpenSSL, they 'froze' at 1.0.2 and didn't update until 1.1.1 was released. Hence, some experience with 1.0.2 LTS, and never saw a release break anything...
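The version check discussed in this thread (which OpenSSL a Ruby build is linked against, and whether it is the end-of-life 1.0.2 series), as an added example that is not part of this PR or of use-ruby-action, ruby-build or RubyInstaller2. It reports both the OpenSSL version Ruby's openssl extension was compiled against (`OpenSSL::OPENSSL_VERSION`, a real stdlib constant) and the one actually loaded at runtime (`OpenSSL::OPENSSL_LIBRARY_VERSION`, also real), flags a mismatch between the two, and warns when the loaded series is EOL. The `openssl_series`, `eol_openssl?` and `openssl_report` names and the `EOL_SERIES` list are this example's own; the thread only names 1.0.2 as EOL, the 1.1.0 entry is added here.

```ruby
# Added example, not code from the PR or from the projects it discusses:
# check which OpenSSL a Ruby binary was built with and is running against,
# and flag end-of-life series.
require 'openssl'

# Series treated as end-of-life. 1.0.2 is the one the discussion is about
# (EOL 31 Dec 2019); 1.1.0 (EOL 11 Sep 2019) is added here for completeness.
EOL_SERIES = %w[1.0.2 1.1.0].freeze

# OpenSSL version strings look like "OpenSSL 1.0.2u  20 Dec 2019" or
# "OpenSSL 3.0.2 15 Mar 2022". Returns the release series ("1.0.2", "3.0")
# or nil for anything that is not an OpenSSL version string (e.g. LibreSSL).
def openssl_series(version_string)
  m = version_string.match(/\AOpenSSL (\d+)\.(\d+)\.(\d+)/)
  return nil unless m
  major, minor, patch = m.captures
  # 1.x releases are numbered major.minor.patch plus a letter (1.0.2u);
  # from 3.0 on the letter is gone and the third number is a point release.
  major.to_i >= 3 ? "#{major}.#{minor}" : "#{major}.#{minor}.#{patch}"
end

def eol_openssl?(version_string)
  EOL_SERIES.include?(openssl_series(version_string))
end

# compiled: version of the headers the openssl extension was built against.
# loaded:   version of the shared library found at runtime.
# Different series here means the binary runs against a different OpenSSL
# than it was built and tested with.
def openssl_report(compiled = OpenSSL::OPENSSL_VERSION,
                   loaded = OpenSSL::OPENSSL_LIBRARY_VERSION)
  {
    compiled: compiled,
    loaded: loaded,
    series_match: openssl_series(compiled) == openssl_series(loaded),
    eol: eol_openssl?(loaded)
  }
end

if __FILE__ == $PROGRAM_NAME
  report = openssl_report
  puts "compiled against: #{report[:compiled]}"
  puts "loaded at runtime: #{report[:loaded]}"
  warn 'WARNING: compile-time and runtime OpenSSL series differ' unless report[:series_match]
  warn "WARNING: OpenSSL #{openssl_series(report[:loaded])} is end-of-life" if report[:eol]
end
```

Run it with the Ruby under test (`ruby openssl_check.rb`); on the 2.3.x and 2.4 builds discussed above both lines should print a 1.0.2 version and the EOL warning should fire, which is the condition the README note in this thread is warning about.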