Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
ruby-httpclient uses a vendored copy of a CA certificate bundle, and
that is a ticking time bomb. This update fixes that by removing that
vendored copy and making it use the system CA certificate bundle by
default.
[ Impact ]
The main package affected by this is apt-listbugs, which stopped being
able to download bug data information from bugs.debian.org due to the
recent expiration of the old Let's Encrypt root certificate.
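To make the failure mode concrete, the following Ruby snippet (added here for illustration; it is not part of this bug report or of the ruby-httpclient package) builds throwaway CA and leaf certificates in memory and verifies the leaf against three trust stores: one holding a valid root, one holding an expired root (the situation a stale vendored bundle produces), and an empty one. All certificate names are constructed for the example.

```ruby
require 'openssl'

# Create a certificate; self-signed unless an issuer cert/key is given.
# Everything here is constructed in memory for the example.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false,
              not_before: Time.now - 60, not_after: Time.now + 3600)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Verify +leaf+ against a store containing only the given trust anchors.
# Returns 'ok' or OpenSSL's reason string for the failure.
def verify_with_anchors(leaf, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ctx.verify ? 'ok' : ctx.error_string
end

# Verify +leaf+ against the system store, which is what OpenSSL's
# set_default_paths (the replacement for the vendored bundle) loads.
def verify_with_system_store(leaf)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ctx.verify ? 'ok' : ctx.error_string
end

# Three scenarios: a current root, a root that has expired (a stale
# vendored bundle), and no trust anchors at all.
def scenarios
  now = Time.now
  fresh_ca, fresh_key = make_cert('/CN=ExampleRootFresh', ca: true)
  expired_ca, expired_key = make_cert('/CN=ExampleRootExpired', ca: true,
                                      not_before: now - 7200, not_after: now - 3600)
  leaf, = make_cert('/CN=bugs.example.test',
                    issuer_cert: fresh_ca, issuer_key: fresh_key)
  old_leaf, = make_cert('/CN=old.example.test',
                        issuer_cert: expired_ca, issuer_key: expired_key)
  {
    trusted: verify_with_anchors(leaf, [fresh_ca]),
    expired_anchor: verify_with_anchors(old_leaf, [expired_ca]),
    empty_store: verify_with_anchors(leaf, []),
    system_store: verify_with_system_store(leaf)
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, result| puts "#{name}: #{result}" }
end
```

The expired-root case is the one apt-listbugs ran into: the leaf itself is fine, but OpenSSL walks the chain up to the anchor and rejects it with "certificate has expired". Loading anchors from the system store instead of a file shipped inside the gem means the ca-certificates package, not a library release, decides when that anchor is replaced.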
[ Tests ]
The added autopkgtest fails without the patch and passes with it.
apt-listbugs is now able to fetch bug data again.
[ Risks ]
The changes are simple enough and this is a low risk update.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
The changes are simple enough that I feel copy-pasting from the
changelog is enough:
* Add simple autopkgtest to check a basic SSL connection
* Add patch to use the system certificate store (Closes: #995448)
* debian/rules: remove embedded CA certificate store
* Add dependency on ca-certificates
diff --git a/debian/changelog b/debian/changelog
index a164bb1..e6d96d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ruby-httpclient (2.8.3-3+deb10u1) buster; urgency=medium
+
+ * Add simple autopkgtest to check a basic SSL connection
+ * Add patch to use the system certificate store (Closes: #995448)
+ * debian/rules: remove embedded CA certificate store
+ * Add dependency on ca-certificates
+
+ -- Antonio Terceiro Sun, 10 Oct 2021 09:24:03 -0300
+
ruby-httpclient (2.8.3-2) unstable; urgency=medium
* Team upload.
diff --git a/debian/control b/debian/control
index e50868f..e38581d 100644
--- a/debian/control
+++ b/debian/control
@@ -21,6 +21,7 @@ Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
Depends: ruby | ruby-interpreter,
ruby-http-cookie (>= 1.0),
+ ca-certificates,
${misc:Depends},
${shlibs:Depends}
Description: HTTP client library for ruby
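Review bot: Depends (rather than Recommends) on ca-certificates is the right strength for this hunk, because once the vendored cacert.pem is deleted the only trust anchors come from OpenSSL's default paths, and on a system without ca-certificates every verified TLS connection would fail; it would help to state that rationale in the changelog entry so the new hard dependency does not look gratuitous.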
diff --git a/debian/patches/0008-Use-system-CA-certificate-store.patch b/debian/patches/0008-Use-system-CA-certificate-store.patch
new file mode 100644
index 000..3ec8820
--- /dev/null
+++ b/debian/patches/0008-Use-system-CA-certificate-store.patch
@@ -0,0 +1,33 @@
+From: Antonio Terceiro
+Date: Wed, 6 Oct 2021 10:03:32 -0300
+Subject: Use system CA certificate store
+
+---
+ lib/httpclient/ssl_config.rb | 7 +--
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/lib/httpclient/ssl_config.rb b/lib/httpclient/ssl_config.rb
+index f6e7ce9..d4e48f2 100644
+--- a/lib/httpclient/ssl_config.rb
b/lib/httpclient/ssl_config.rb
+@@ -249,7 +249,7 @@ class HTTPClient
+ # Loads default trust anchors.
+ # Calling this method resets all existing sessions.
+ def load_trust_ca
+- load_cacerts(@cert_store)
++ set_default_paths
+ change_notify
+ end
+
+@@ -413,11 +413,6 @@ class HTTPClient
+ nil
+ end
+
+-# Use 2048 bit certs trust anchor
+-def load_cacerts(cert_store)
+- file = File.join(File.dirname(__FILE__), 'cacert.pem')
+- add_trust_ca_to_store(cert_store, file)
+-end
+ end
+
+
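Review bot: the DEP-3 header in this hunk carries From/Date/Subject but no `Forwarded:` or `Origin:` line, so it is unclear whether upstream was offered the change; please record that. The patch also removes the public `load_cacerts` method and makes `load_trust_ca` call `set_default_paths`, so it is worth confirming against the 2.8.3 source that `SSLConfig#set_default_paths` exists and checking whether it replaces `@cert_store` with a fresh store (in which case any CA a caller added with `add_trust_ca` before the lazy `load_trust_ca` call would be dropped, and the `change_notify` kept in `load_trust_ca` may be redundant). Finally, the `+++ b/lib/httpclient/ssl_config.rb` line appears here without its `+++` prefix (it shows as `b/lib/httpclient/ssl_config.rb`), so verify that the file in the source package is intact and applies cleanly with quilt.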
diff --git a/debian/patches/series b/debian/patches/series
index f1a4a0e..3764163 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
0004-Add-upstream-changelog.patch
0005-tweak-test-dep-change.patch
disable-test-proxy-ssl.patch
+0008-Use-system-CA-certificate-store.patch
diff --git a/debian/rules b/debian/rules
index 118221b..bdf2c5b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,3 +6,8 @@ export LANG=C.UTF-8
%:
dh $@ --buildsystem=ruby --with ruby
+
+
+override_dh_auto_install:
+ dh_auto_install
+ rm --verbose $(CURDIR)/debian/ruby-httpclient/usr/lib/ruby/vendor_ruby/httpclient/*.pem
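Review bot: the `rm --verbose ... /*.pem` glob is a useful tripwire (if upstream ever moves or renames the bundle, the unexpanded pattern makes rm fail and the build stops instead of silently shipping the file), which is worth saying in a comment above the target; the two added blank lines before `override_dh_auto_install:` are a style nit, one is enough. Since dh is invoked with `--buildsystem=ruby`, also confirm that `usr/lib/ruby/vendor_ruby/httpclient/` is indeed where the gem's files land for the buster toolchain, as the rm path is hardcoded.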
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 000..d5b55a2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: ssl-smoke-test
+Restrictions: needs-internet, allow-stderr
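Review bot: there is no `Depends:` line, so the test falls back to the package's own binaries; that works only if ruby-httpclient itself ships the `httpclient` command the script runs, so either confirm that or add `Depends: ruby-httpclient, ca-certificates` explicitly. `needs-internet` is unavoidable for a live bugs.debian.org fetch, but it also means the test is skipped on restricted runners; pairing it with an offline check against a locally generated certificate would keep some coverage there.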
diff --git a/debian/tests/ssl-smoke-test b/debian/tests/ssl-smoke-test
new file mode 100644
index 000..ce81ca0
--- /dev/null
+++ b/debian/tests/ssl-smoke-test
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -exu
+
+httpclient get https://bugs.debian.org/
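Review bot: the file is added with `new file mode 100644` (see the diff header), but autopkgtest scripts listed under `Tests:` must be executable; either commit it with the executable bit set or switch debian/tests/control to `Test-Command:`. On the content, `httpclient get https://bugs.debian.org/` only proves that the system store is loaded and the handshake succeeds; it does not prove that verification is enforced, so a second command that expects a failure (for example, against a locally served self-signed certificate) would demonstrate the patch's behaviour rather than mere connectivity.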