[Rubygems-developers] Problems with OpenSSL requirement in RubyGems 0.9.5 and JRuby

Charles Oliver Nutter charles.nutter at sun.com
Tue Dec 4 00:37:13 EST 2007


Actually I think this was introduced with signed gem support, but JRuby 
hasn't updated since spring.

So here's the deal. With the new security policy stuff, OpenSSL has 
gotten pulled in as a requirement to handle certificates, signing, all 
that jazz. While I intensely dislike the OpenSSL extension (because it's 
little more than a thin wrapper around the C API, which makes it 
particularly difficult to emulate on non-C implementations) we could 
probably live with this in JRuby because we have an OpenSSL extension 
look-alike gem.

The problem, however, is that at some point between 0.9.1 and 0.9.5, 
RubyGems started requiring that OpenSSL extension be present for *all* 
gem installs:

~/NetBeansProjects/rubygems $ jruby -S gem install jruby-openssl
Bulk updating Gem source index for: http://gems.rubyforge.org
ERROR:  While executing gem ... (Gem::Exception)
     SSL is not installed on this system

This is a bit of a chicken-and-egg problem. We need to install a gem to 
enable OpenSSL support in JRuby. We need OpenSSL to install gems.

As far as I understand it, when installing non-signed gems there should 
be no need for RubyGems to pull in OpenSSL, correct? I poked around the 
source a bit, and discovered a few places where Gem.ensure_ssl_available 
is being called. Almost all of them look like this:

       if security_policy then
         Gem.ensure_ssl_available

So the expectation is that if security_policy (usually retrieved from 
options[:security_policy]) is nil, SSL will not be required and the 
additional code will not be run.

However, I also found this in dependency_installer.rb:

   DEFAULT_OPTIONS = {
     :env_shebang => false,
     :domain => :both, # HACK dup
     :force => false,
     :ignore_dependencies => false,
     :security_policy => Gem::Security::NoSecurity, # HACK AlmostNo? Low?
     :wrappers => true
   }

If I'm understanding right, this means that for dependency-sensitive 
installs (which would be basically all of them) security_policy will 
*never* be nil, and OpenSSL will be required all the time.

This is a little problematic for implementations that don't have 
out-of-the-box OpenSSL implementations like JRuby, Rubinius, Ruby.NET, 
XRuby, and IronRuby.

I tried the naive fixes of commenting out the default security policy 
and adding a != NoSecurity check into the places that call 
ensure_ssl_available, but in each case I got errors like this:

ERROR:  While executing gem ... (TypeError)
     can't convert NilClass into nil
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:22:in `<=>'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:19:in `call'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:124:in `satisfy?'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `satisfied_by?'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `all?'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `each'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `all?'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `satisfied_by?'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `install'
     /Users/headius/NetBeansProjects/rubygems/lib/rubygems/dependency_installer.rb:225:in `install'

So I'm hoping those of you more familiar with RubyGems code can help me 
out here:

1. Is it intended that OpenSSL will be required all the time, regardless 
of whether it will be used?
2. Shouldn't the code that's checking for security_policy != nil also 
check that it is != NoSecurity, avoiding OpenSSL requirement?
3. Perhaps security_policy is intended to never be nil, and so the check 
for != nil is already useless?

- Charlie
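
Added example, not part of the original message and not RubyGems code: a self-contained Ruby model of the gate discussed above, comparing a nil check against a check that asks whether the policy verifies anything. Everything in PolicyGateDemo (the Policy struct and its flags, VERIFYING_POLICY, both gate methods, the ssl_present argument) is a hypothetical stand-in; only the :security_policy default and the error text mirror what the post quotes.

```ruby
# Added illustration; stand-ins only, not RubyGems source.
module PolicyGateDemo
  class SSLUnavailable < StandardError; end

  # Hypothetical policy object: each flag names a check that needs crypto.
  Policy = Struct.new(:name, :verify_data, :verify_signer, :verify_chain) do
    def needs_crypto?
      verify_data || verify_signer || verify_chain
    end
  end

  NO_SECURITY      = Policy.new("NoSecurity", false, false, false)
  VERIFYING_POLICY = Policy.new("ExampleVerifyingPolicy", true, true, true) # constructed

  # Same shape as the DEFAULT_OPTIONS quoted in the post: policy is never nil.
  DEFAULT_OPTIONS = { :force => false, :security_policy => NO_SECURITY }

  # Stand-in for Gem.ensure_ssl_available; ssl_present simulates the runtime.
  def self.ensure_ssl_available(ssl_present)
    raise SSLUnavailable, "SSL is not installed on this system" unless ssl_present
  end

  # Gate as described in the post: any non-nil policy demands OpenSSL.
  def self.nil_check_gate(options, ssl_present)
    return :skipped unless options[:security_policy]
    ensure_ssl_available(ssl_present)
    :verified
  end

  # Alternative gate: demand OpenSSL only when the policy verifies something.
  # A verifying policy without OpenSSL still raises (fails closed) instead of
  # quietly installing unverified.
  def self.policy_aware_gate(options, ssl_present)
    policy = options[:security_policy]
    return :skipped if policy.nil? || !policy.needs_crypto?
    ensure_ssl_available(ssl_present)
    :verified
  end

  # Runs a gate by name and reports :skipped, :verified or :blocked.
  def self.outcome(gate, options, ssl_present)
    send(gate, options, ssl_present)
  rescue SSLUnavailable
    :blocked
  end
end
```

With the default options and no SSL, nil_check_gate reports :blocked while policy_aware_gate reports :skipped; a verifying policy without SSL is :blocked under both.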

