Red Hat Bugzilla – Bug 1000622
Upgrade lua-sec to support prosody 0.9
Last modified: 2018-04-11 03:40:29 EDT
The situation has been described in bug 999953 comment 2 as follows:
> There is also lua-sec to think about. Upstream have forked lua-sec to support certificate authentication:
> I haven't yet checked to see how much of their fork has been upstreamed to the original lua-sec.
> After some brief testing, I'm pretty sure certificate authentication doesn't work 100% with the lua-sec in Fedora.
Which is lovely because we have to decide what we should do with lua-sec in Fedora: either to support prosody 0.9 or strictly adhere to the lua-sec upstream and break Prosody.
Maybe I was a bit wrong on #999953, there were some recent commits on lua-sec upstream:
I'll be happy to update the package if that is relevant... But I do not know if it is.
I cannot find if prosody changes have been proposed on lua-sec upstream, I did not have time to take a look at this for now (I should have more free time next week).
Maybe I should package the latest github lua-sec version for rawhide (probably not for now)?
I'll also try to make a diff between prosody's version and official one to see if changes were proposed or not.
It is not a good point that lua-sec partially forks lua-socket; a pull request has already been proposed, waiting for upstream decision:
I can try to include that patch in the package, but as it's not yet validated upstream, I'm really not sure it would be a good idea.
Hi, Prosody developer here.
For the record, Prosody 0.9 works absolutely fine with older LuaSec (and LuaSocket) versions, it just means the new features will not be available. You may want to add a note about this in the default config around the s2s_secure_auth (enabling which will cause issues if certificate verification is not available) if you package 0.9 without a newer LuaSec.
Bruno pulled all our changes into https://github.com/brunoos/luasec/ recently, and it enables certificate verification in Prosody 0.9 (it is also backwards-compatible with Prosody 0.8, if that helps). There has been no source release yet, neither beta nor rc. The lack of a source release and delay in merging our code was the only reason for our "fork", and I expected it to become redundant as soon as the merge and release of the official LuaSec completed.
(In reply to Matthew Wild (MattJ) from comment #2)
> Bruno pulled all our changes into https://github.com/brunoos/luasec/
> recently, and it enables certificate verification in Prosody 0.9 (it is also
> backwards-compatible with Prosody 0.8, if that helps). There has been no
> source release yet, neither beta nor rc.
There is no problem for Fedora packages to package a checkout out of git. I will prepare a scratch build of such a package.
Packaging a git snapshot is indeed not a problem.
@Matthew: thank you for the details.
@Matěj, please keep me in touch :)
Created attachment 789947
(In reply to Johan Cwiklinski from comment #4)
> @Matěj, please keep me in touch :)
This should work, but it doesn't (http://koji.fedoraproject.org/koji/taskinfo?taskID=5850113 and particularly http://kojipkgs.fedoraproject.org//work/tasks/113/5850113/build.log). I am afraid we are missing EC ciphers in Fedora OpenSSL packages and it shows here.
Adding an OpenSSL maintainer to the bug to help us here.
Not much to add here - lua-sec must be able to build with OpenSSL that is built without EC crypto support.
Created attachment 795220
Just so it doesn't expire together with the scratch build.
Created attachment 795332
Adapted suggested patch
Handle missing EC support in Fedora's somehow more (than others) crippled OpenSSL
Even though this patch solves the OpenSSL stuff, it still does not make lua-sec build
fully: "ssl.c:22:26: fatal error: luasocket/io.h: No such file or directory"
will be the next failure, which is IMHO not OpenSSL related at all.
Uah! As far as I get, lua-sec bundles lua-socket on the source code level in
the directory src/luasocket. This is triggered via -DWITH_LUASOCKET in Makefile.
Matěj, Johan - how is this going to continue? Any ideas regarding bundled
Talked with Prosody upstream, luasec-0.5 is OK for Prosody. I'm updating to luasec-0.5 in Fedora rawhide and will update in F20 after a while too.
I'm also building lua-sec-compat package which is built against compat-lua. This will allow using lua-sec in luajit and fix Prosody in Fedora eventually :).
lua-sec-0.5-3.fc20 has been submitted as an update for Fedora 20.
lua-sec-0.5-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.