Bug#996024: buster-pu: package ruby-httpclient/2.8.3-3+deb10u1

2021-12-05 Thread Antonio Terceiro
On Sat, Dec 04, 2021 at 05:31:52PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2021-10-10 at 09:58 -0300, Antonio Terceiro wrote:
> > ruby-httpclient uses a vendored copy of a CA certificate bundle, and
> > that is a ticking time bomb. This update fixes that by removing that
> > vendored copy and making it use the system CA certificate bundle by
> > default.
> > 
> > [ Impact ]
> > The main package affected by this is apt-listbugs, which stopped
> > being
> > able to download bug data information from bugs.debian.org due to the
> > recent expiration of the old Let's Encrypt root certificate.
> > 
> 
> Please go ahead, thanks.

Uploaded.




Bug#996024: buster-pu: package ruby-httpclient/2.8.3-3+deb10u1

2021-12-04 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2021-10-10 at 09:58 -0300, Antonio Terceiro wrote:
> ruby-httpclient uses a vendored copy of a CA certificate bundle, and
> that is a ticking time bomb. This update fixes that by removing that
> vendored copy and making it use the system CA certificate bundle by
> default.
> 
> [ Impact ]
> The main package affected by this is apt-listbugs, which stopped
> being
> able to download bug data information from bugs.debian.org due to the
> recent expiration of the old Let's Encrypt root certificate.
> 

Please go ahead, thanks.

Regards,

Adam



Bug#996024: buster-pu: package ruby-httpclient/2.8.3-3+deb10u1

2021-10-10 Thread Antonio Terceiro
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
ruby-httpclient uses a vendored copy of a CA certificate bundle, and
that is a ticking time bomb. This update fixes that by removing that
vendored copy and making it use the system CA certificate bundle by
default.

[ Impact ]
The main package affected by this is apt-listbugs, which stopped being
able to download bug data information from bugs.debian.org due to the
recent expiration of the old Let's Encrypt root certificate.

[ Tests ]
The added autopkgtest test fails without the patch and passes without
it. apt-listbugs is now able to fetch bug data information again.

[ Risks ]
The changes are simple enough and this is a low risk update.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]

The changes are simple enough that I feel copy-pasting from the
changelog is enough:

* Add simple autopkgtest to check a basic SSL connection
* Add patch to use the system certificate store (Closes: #995448)
* debian/rules: remove embedded CA certificate store
* Add dependency on ca-certificates
diff --git a/debian/changelog b/debian/changelog
index a164bb1..e6d96d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ruby-httpclient (2.8.3-3+deb10u1) buster; urgency=medium
+
+  * Add simple autopkgtest to check a basic SSL connection
+  * Add patch to use the system certificate store (Closes: #995448)
+  * debian/rules: remove embedded CA certificate store
+  * Add dependency on ca-certificates
+
+ -- Antonio Terceiro   Sun, 10 Oct 2021 09:24:03 -0300
+
 ruby-httpclient (2.8.3-2) unstable; urgency=medium
 
   * Team upload.
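Review bot: the entries describe the mechanics (patch added, store removed, dependency added) but not the one behaviour change a user of the library will notice: after this update `SSLConfig#load_trust_ca` trusts whatever the system store (ca-certificates) contains instead of the gem's own cacert.pem. Consider saying so in one entry, e.g. "Use the system CA certificate store instead of the vendored cacert.pem (Closes: #995448)", so anyone reading the stable changelog knows why a previously-trusted private root may now need to be installed via ca-certificates.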
diff --git a/debian/control b/debian/control
index e50868f..e38581d 100644
--- a/debian/control
+++ b/debian/control
@@ -21,6 +21,7 @@ Architecture: all
 XB-Ruby-Versions: ${ruby:Versions}
 Depends: ruby | ruby-interpreter,
  ruby-http-cookie (>= 1.0),
+ ca-certificates,
  ${misc:Depends},
  ${shlibs:Depends}
 Description: HTTP client library for ruby
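Review bot: a hard Depends on ca-certificates is the right strength here, not Recommends: once debian/rules deletes the bundled .pem files, an install without ca-certificates would leave the library with an empty trust store and every HTTPS request would fail verification. No change needed to the hunk itself; a short comment in the changelog explaining why it is a Depends would stop a later maintainer from relaxing it.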
diff --git a/debian/patches/0008-Use-system-CA-certificate-store.patch b/debian/patches/0008-Use-system-CA-certificate-store.patch
new file mode 100644
index 000..3ec8820
--- /dev/null
+++ b/debian/patches/0008-Use-system-CA-certificate-store.patch
@@ -0,0 +1,33 @@
+From: Antonio Terceiro 
+Date: Wed, 6 Oct 2021 10:03:32 -0300
+Subject: Use system CA certificate store
+
+---
+ lib/httpclient/ssl_config.rb | 7 +--
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/lib/httpclient/ssl_config.rb b/lib/httpclient/ssl_config.rb
+index f6e7ce9..d4e48f2 100644
+--- a/lib/httpclient/ssl_config.rb
 b/lib/httpclient/ssl_config.rb
+@@ -249,7 +249,7 @@ class HTTPClient
+ # Loads default trust anchors.
+ # Calling this method resets all existing sessions.
+ def load_trust_ca
+-  load_cacerts(@cert_store)
++  set_default_paths
+   change_notify
+ end
+ 
+@@ -413,11 +413,6 @@ class HTTPClient
+   nil
+ end
+ 
+-# Use 2048 bit certs trust anchor
+-def load_cacerts(cert_store)
+-  file = File.join(File.dirname(__FILE__), 'cacert.pem')
+-  add_trust_ca_to_store(cert_store, file)
+-end
+   end
+ 
+ 
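Review bot: `load_trust_ca` now calls `set_default_paths`, which is not defined in this hunk; it is the existing `SSLConfig#set_default_paths` method upstream 2.8.3 already ships, which replaces `@cert_store` with a fresh `X509::Store` and calls `X509::Store#set_default_paths` (so SSL_CERT_FILE and SSL_CERT_DIR are honoured). That method already ends with `change_notify`, so the `change_notify` kept in `load_trust_ca` now runs twice; harmless, but worth a comment or removal. Two smaller points: the patch carries From/Date/Subject but no DEP-3 `Forwarded:`/`Bug-Debian:` header, and the line that reads ` b/lib/httpclient/ssl_config.rb` in the mail has lost its `+++` prefix, so confirm the committed file still applies with quilt.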
diff --git a/debian/patches/series b/debian/patches/series
index f1a4a0e..3764163 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 0004-Add-upstream-changelog.patch
 0005-tweak-test-dep-change.patch
 disable-test-proxy-ssl.patch
+0008-Use-system-CA-certificate-store.patch
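Review bot: cosmetic only: the series jumps from 0005 to 0008 with two unnumbered patches in between; either number the new one 0006 or drop the prefix to match disable-test-proxy-ssl.patch.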
diff --git a/debian/rules b/debian/rules
index 118221b..bdf2c5b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,3 +6,8 @@ export LANG=C.UTF-8
 
 %:
 	dh $@ --buildsystem=ruby --with ruby
+
+
+override_dh_auto_install:
+	dh_auto_install
+	rm --verbose $(CURDIR)/debian/ruby-httpclient/usr/lib/ruby/vendor_ruby/httpclient/*.pem
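Review bot: the unguarded `rm` glob is actually the safe choice: if a later upstream moves or renames the bundle, the glob matches nothing, `rm` exits non-zero and the build fails loudly instead of silently shipping a stale cacert.pem again. Two nits: the two blank `+` lines before the target could be one, and `*.pem` will also remove any other PEM file upstream ships next to it (intended here, since the only consumer, `load_cacerts`, is deleted by the patch, but it deserves a one-line comment above the rule).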
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 000..d5b55a2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: ssl-smoke-test
+Restrictions: needs-internet, allow-stderr
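Review bot: `needs-internet` is correct for a test that talks to bugs.debian.org, but it also means the test is skipped entirely on isolated CI workers, so the new code path can go unexercised there. Consider a second, network-free test that starts a local TLS listener signed by a throwaway CA placed in a temporary SSL_CERT_DIR; that exercises `set_default_paths` without external dependencies. `allow-stderr` is needed because the `set -x` trace in the script goes to stderr.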
diff --git a/debian/tests/ssl-smoke-test b/debian/tests/ssl-smoke-test
new file mode 100644
index 000..ce81ca0
--- /dev/null
+++ b/debian/tests/ssl-smoke-test
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -exu
+
+httpclient get https://bugs.debian.org/
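Review bot: the script only checks the happy path; a regression that stopped verifying peers altogether (for example a `verify_mode` of none) would also exit 0 and pass. Add a negative case that must fail, such as running the same `httpclient get` with `SSL_CERT_FILE` and `SSL_CERT_DIR` both pointed at empty locations and asserting a non-zero exit; that proves the client really consults the store it is now supposed to use. Also confirm the `httpclient` command comes from this package's own /usr/bin so the test does not depend on build-tree state.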


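The failure mode the [ Reason ] and [ Impact ] sections describe, as an added example that is not part of this bug report or of ruby-httpclient: one CA key with an older, now-expired root certificate (the frozen copy a vendored bundle ends up holding) and a current root for the same key (what ca-certificates keeps up to date). All certificates and names are constructed here; the store contents model the situation, not real Let's Encrypt data.

```ruby
require 'openssl'

# Issue an X.509 v3 certificate. With issuer nil the cert is a self-signed root.
def make_cert(cn, key, not_before, not_after, ca:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', "CA:#{ca}".upcase, true))
  usage = ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment'
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify a leaf against a trust store the way OpenSSL does for a TLS peer.
# Returns [verified?, OpenSSL's error string].
def verify_against(store, leaf)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  [ctx.verify, ctx.error_string]
end

# Constructed scenario (not real Let's Encrypt data): one CA key, two root
# certificates for it; the older one, frozen into a vendored bundle, expired.
def stale_bundle_demo
  now = Time.now
  day = 86_400
  ca_key = OpenSSL::PKey::RSA.new(2048)
  old_root = make_cert('Example Root CA', ca_key, now - 730 * day, now - day, ca: true)
  new_root = make_cert('Example Root CA', ca_key, now - 3600, now + 3650 * day, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert('bugs.example.test', leaf_key, now - 3600, now + 90 * day,
                   ca: false, issuer: old_root, issuer_key: ca_key)

  vendored = OpenSSL::X509::Store.new      # what cacert.pem inside the gem becomes
  vendored.add_cert(old_root)
  system_store = OpenSSL::X509::Store.new  # what ca-certificates keeps current
  system_store.add_cert(new_root)
  { vendored: verify_against(vendored, leaf), system: verify_against(system_store, leaf) }
end

if __FILE__ == $0
  stale_bundle_demo.each { |name, (ok, msg)| puts "#{name}: #{ok ? 'verified' : 'FAILED'} (#{msg})" }
end
```

The leaf is unchanged between the two checks; only the trust anchor's validity period differs, which is exactly why a bundle that nobody refreshes breaks on a fixed date while the system store keeps working.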