On Wed, May 20, 2020 at 11:02:20PM +0100, Dominic Hargreaves wrote:
> Hello everyone, I just caught up with this. (Side note - please don't
> assume I will see a message sent to a random pkg-perl bug report[1].)
>
> On Sun, May 17, 2020 at 06:39:34PM +0300, Damyan Ivanov wrote:
> > -=| gregor herrmann, 15.05.2020 21:14:35 +0200 |=-
> > > On Thu, 19 Mar 2020 14:39:13 +0200, Damyan Ivanov wrote:
> > >
> > > > > > But to fully measure the impact, it would be nice to have the
> > > > > > number of failing packages built with a patched HTTP::Tiny.
> > > > > I have one small concern: As the change is about checking remote SSL
> > > > > certs, and tests don't/can't/must not call out to the internet, is it
> > > > > possible that we won't really catch all potential issues?
> > > > Noted. The test rebuilds should be done without the usual isolation
> > > > from the Internet.
> > > > I guess a closer inspection of the affected packages is needed.
> > >
> > > Hi Dam and all,
> > >
> > > did you or anyone else get to look into this rebuild effort?
> >
> > I haven't. I am still at the stage of "(re-)invent an easy way to
> > rebuild a list of packages with a crafted chroot". I don't see this
> > changing soon, so please Dom, anybody, feel free to take the job.
> >
> > > If not, Dom said that he could also try the rebuilds on
> > > perl.debian.net.
> > >
> > > Notes:
> > > - HTTP::Tiny is in perl core and in libhttp-tiny-perl;
> > > - The required change looks like a one-character-patch:
> > >   lib/HTTP/Tiny.pm: verify_SSL => $args{verify_SSL} ||
> > >   $args{verify_ssl} || 0, # no verification by default
> > > - The tests should be run with internet enabled as much as possible.
>
> I am happy to do this, but I want to add a large caution: I do not
> think that a clean bill of health from rebuild testing by itself
> will allow us to draw any meaningful conclusions. It'd tell us that
> the unit tests were correctly disabling SSL verification in their test
> suites, or their test suites don't test SSL-related functionality, or
> their test suites (inappropriately) rely on external servers with
> correct SSL setups.
>
> But what's much more important here, surely, is what effect such a
> change will have on our users in the real world, who will be using
> this module to talk to the internet, and not to mention their own
> internal services. I don't really see a way to know the scale of
> breakage this will cause without trying it and seeing how much noise
> there is from our (unstable) users.
>
> Note that this is not a reason to avoid making the change. I just want
> to make sure we're going into this with our eyes open.
I rebuilt perl with the patch at [1] and rebuilt perl dependencies
against it, and did not see any related failures [2].

NB: probably perl should grow a suggestion (at least) on
libnet-ssleay-perl and libio-ssl-socket-perl which are required to use
HTTP::Tiny with https URLs.

So, what are people's thoughts? Do we want to take this position and
change the default in Debian?

Extending distribution to debian-perl for wider visibility.

Cheers
Dominic

[1] <https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92>
[2] <http://perl.debian.net/rebuild-logs/experimental/report.html>
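Added example, not code from this thread, from HTTP::Tiny or from the Debian patch: a short Perl script that shows what the verify_SSL default discussed above means in practice. It (a) reports offline what the installed HTTP::Tiny does when a caller says nothing, (b) shows how application code can make verification explicit and trust a private CA instead of passing verify_SSL => 0, and (c) statically audits Perl source for HTTP::Tiny->new call sites that silently rely on the default, the kind of "closer inspection of the affected packages" that a network-isolated rebuild cannot substitute for. The CA file path, the sample source text and the audit_http_tiny_calls helper are all made up for the example; only HTTP::Tiny's constructor, its verify_SSL and SSL_options accessors and can_ssl are real API.

```perl
#!/usr/bin/perl
# Added example (not part of the thread or of HTTP::Tiny).
# Runs offline: it only constructs objects and scans a string.
use strict;
use warnings;
use HTTP::Tiny;

# (a) What does the installed HTTP::Tiny do when the caller says nothing?
#     Upstream ships verify_SSL => 0; the patch under discussion makes it 1.
#     The accessor lets a script report this without opening a connection.
my $ua = HTTP::Tiny->new;
printf "HTTP::Tiny %s: verify_SSL default = %d (%s)\n",
    HTTP::Tiny->VERSION, $ua->verify_SSL ? 1 : 0,
    $ua->verify_SSL ? 'server certificates are checked'
                    : 'https is NOT authenticated';

# Whether https works at all depends on IO::Socket::SSL and Net::SSLeay
# being installed; can_ssl reports that (and why not, in list context).
my ($ssl_ok, $why) = HTTP::Tiny->can_ssl;
print $ssl_ok ? "SSL support present\n" : "no SSL support: $why\n";

# (b) Application code should state what it wants rather than inherit the
#     distribution's default. For a service behind a private CA, keep
#     verification on and hand over the CA bundle; do not pass
#     verify_SSL => 0. The path below is a hypothetical placeholder.
my $public   = HTTP::Tiny->new(verify_SSL => 1);
my $internal = HTTP::Tiny->new(
    verify_SSL  => 1,
    SSL_options => { SSL_ca_file => '/etc/ssl/certs/internal-ca.pem' },
);
printf "public: verify_SSL=%d   internal: verify_SSL=%d, CA=%s\n",
    $public->verify_SSL, $internal->verify_SSL,
    $internal->SSL_options->{SSL_ca_file};

# (c) Static audit (hypothetical helper): find HTTP::Tiny->new call sites
#     in Perl source and say whether each sets verification explicitly.
#     A package whose tests never touch the network passes a rebuild either
#     way, so this is what actually finds callers the default change affects.
sub audit_http_tiny_calls {
    my ($src) = @_;
    my @hits;
    # Group 1 is a balanced parenthesised argument list (nested braces in
    # SSL_options are fine); it is optional so a bare ->new is caught too.
    while ($src =~ /HTTP::Tiny->new\s*(\((?:[^()]++|(?1))*\))?/g) {
        my $args   = defined $1 ? $1 : '';
        my $before = substr($src, 0, $-[0]);
        my $line   = 1 + ($before =~ tr/\n//);
        my $status =
              $args =~ /verify_ssl\s*=>\s*1\b/i ? 'explicitly verifies'
            : $args =~ /verify_ssl\s*=>\s*0\b/i ? 'explicitly disables (review!)'
            : $args =~ /verify_ssl/i            ? 'set from an expression'
            :                                     'relies on the default';
        push @hits, { line => $line, status => $status };
    }
    return @hits;
}

# Constructed sample source, not taken from any real package.
my $sample_source = <<'END_SRC';
my $ua1 = HTTP::Tiny->new;
my $ua2 = HTTP::Tiny->new(timeout => 10);
my $ua3 = HTTP::Tiny->new(verify_SSL => 1);
my $ua4 = HTTP::Tiny->new(verify_ssl => 0);   # self-signed test server
my $ua5 = HTTP::Tiny->new(
    verify_SSL  => 1,
    SSL_options => { SSL_ca_file => '/etc/ssl/certs/internal-ca.pem' },
);
my $ua6 = HTTP::Tiny->new(verify_SSL => $ENV{VERIFY} // 1);
END_SRC

# Lines 1 and 2 are the ones whose behaviour changes with the default;
# line 4 is the one that keeps working but deserves a look.
printf "line %d: %s\n", $_->{line}, $_->{status}
    for audit_http_tiny_calls($sample_source);
```

Run it against the stock and the patched HTTP::Tiny and the first line of output flips from 0 to 1 while the rest stays identical; pointing audit_http_tiny_calls at a package's lib/ and t/ directories lists exactly the constructor calls that the rebuild logs cannot tell you about, because those calls only differ at run time against a real TLS endpoint.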