[Rubygems-developers] Problems with OpenSSL requirement in RubyGems 0.9.5 and JRuby
Charles Oliver Nutter
charles.nutter at sun.com
Tue Dec 4 00:37:13 EST 2007
Actually I think this was introduced with signed gem support, but JRuby
hasn't updated since spring.
So here's the deal. With the new security policy stuff, OpenSSL has
gotten pulled in as a requirement to handle certificates, signing, all
that jazz. While I intensely dislike the OpenSSL extension (because it's
little more than a thin wrapper around the C API, which makes it
particularly difficult to emulate on non-C implementations) we could
probably live with this in JRuby because we have an OpenSSL extension
look-alike gem.
The problem, however, is that at some point between 0.9.1 and 0.9.5,
RubyGems started requiring that the OpenSSL extension be present for *all*
gem installs:
~/NetBeansProjects/rubygems $ jruby -S gem install jruby-openssl
Bulk updating Gem source index for: http://gems.rubyforge.org
ERROR: While executing gem ... (Gem::Exception)
SSL is not installed on this system
This is a bit of a chicken-and-egg problem. We need to install a gem to
enable OpenSSL support in JRuby. We need OpenSSL to install gems.
As far as I understand it, when installing non-signed gems there should
be no need for RubyGems to pull in OpenSSL, correct? I poked around the
source a bit, and discovered a few places where Gem.ensure_ssl_available
is being called. Almost all of them look like this:
if security_policy then
  Gem.ensure_ssl_available
end
So the expectation is that if security_policy (usually retrieved from
options[:security_policy]) is nil, SSL will not be required and the
additional code will not be run.
However, I also found this in dependency_installer.rb:
DEFAULT_OPTIONS = {
  :env_shebang => false,
  :domain => :both, # HACK dup
  :force => false,
  :ignore_dependencies => false,
  :security_policy => Gem::Security::NoSecurity, # HACK AlmostNo? Low?
  :wrappers => true
}
If I'm understanding right, this means that for dependency-sensitive
installs (which would be basically all of them) security_policy will
*never* be nil, and OpenSSL will be required all the time.
This is a little problematic for implementations that don't have
out-of-the-box OpenSSL implementations like JRuby, Rubinius, Ruby.NET,
XRuby, and IronRuby.
I tried the naive fixes of commenting out the default security policy
and adding a != NoSecurity check into the places that call
ensure_ssl_available, but in each case I got errors like this:
ERROR: While executing gem ... (TypeError)
can't convert NilClass into nil
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:22:in `<=>'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:19:in `call'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:124:in `satisfy?'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `satisfied_by?'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `all?'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `each'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `all?'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `satisfied_by?'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/requirement.rb:117:in `install'
/Users/headius/NetBeansProjects/rubygems/lib/rubygems/dependency_installer.rb:225:in `install'
So I'm hoping those of you more familiar with RubyGems code can help me
out here:
1. Is it intended that OpenSSL will be required all the time, regardless
of whether it will be used?
2. Shouldn't the code that's checking for security_policy != nil also
check that it is != NoSecurity, avoiding the OpenSSL requirement?
3. Perhaps security_policy is intended to never be nil, and so the check
for != nil is already useless?
- Charlie
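The gating logic the message describes, as an added example that is not RubyGems code and not part of the original post: a small Ruby model with stand-ins for Gem::Security::NoSecurity, a verifying policy, and Gem.ensure_ssl_available, comparing the 0.9.5 rule (any non-nil policy pulls in OpenSSL) against the rule proposed in question 2 (only a policy other than NoSecurity does). The module name, the symbolic policy values and the injectable `loader` are assumptions made for the example; the "SSL is not installed on this system" message is the one quoted in the post.

```ruby
# Added example (not RubyGems code): models how a security policy gates the
# OpenSSL requirement during a gem install, and reproduces the chicken-and-egg
# the post describes when OpenSSL is absent and the default policy is NoSecurity.
module GemInstallModel
  # Stand-in for Gem::Security::NoSecurity: a policy that verifies nothing.
  NoSecurity = :no_security
  # Stand-in for a verifying policy such as Gem::Security::HighSecurity.
  HighSecurity = :high_security

  class SslMissing < StandardError; end

  # Mirrors Gem.ensure_ssl_available: fail if the OpenSSL extension cannot load.
  # `loader` is injectable so the failure path can be exercised on any system.
  def self.ensure_ssl_available(loader: -> { require 'openssl' })
    loader.call
    true
  rescue LoadError
    raise SslMissing, "SSL is not installed on this system"
  end

  # Rule in 0.9.5: `if security_policy then Gem.ensure_ssl_available end`,
  # so any non-nil policy (NoSecurity included) requires OpenSSL.
  def self.ssl_required_current?(policy)
    !policy.nil?
  end

  # Rule proposed in the post: only a policy that actually verifies needs OpenSSL.
  def self.ssl_required_proposed?(policy)
    !policy.nil? && policy != NoSecurity
  end

  # Simulates one install. Returns :installed, or raises SslMissing when the
  # chosen rule demands OpenSSL and `ssl_present` is false.
  def self.install(gem_name, policy:, ssl_present:, gating: :proposed)
    required = gating == :current ? ssl_required_current?(policy)
                                  : ssl_required_proposed?(policy)
    if required
      loader = ssl_present ? -> {} : -> { raise LoadError, "cannot load such file -- openssl" }
      ensure_ssl_available(loader: loader)
      # signature and certificate verification would run here for a real policy
    end
    :installed
  end

  # Applies DEFAULT_OPTIONS' NoSecurity policy under each rule on a system with
  # no OpenSSL (the JRuby case). Returns { rule => outcome }.
  def self.chicken_and_egg(default_policy = NoSecurity)
    [:current, :proposed].each_with_object({}) do |rule, out|
      out[rule] = begin
        install("jruby-openssl", policy: default_policy, ssl_present: false, gating: rule)
      rescue SslMissing => e
        e.message
      end
    end
  end
end

if __FILE__ == $0
  GemInstallModel.chicken_and_egg.each do |rule, outcome|
    puts "#{rule}: #{outcome}"
  end
end
```

Under the current rule the NoSecurity default alone is enough to trigger the "SSL is not installed" error, so the gem that would provide OpenSSL can never be installed; under the proposed rule an unsigned install with NoSecurity succeeds without OpenSSL, while a verifying policy still fails closed when the extension is missing.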