Bug 1000622 - Upgrade lua-sec to support prosody 0.9
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: lua-sec
Version: rawhide
Assigned To: Johan Cwiklinski
QA Contact: Fedora Extras Quality Assurance
Blocks: 999953
Reported: 2013-08-23 17:13 EDT by Matěj Cepl
Modified: 2015-05-10 19:50 EDT
Fixed In Version: lua-sec-0.5-3.fc20
Doc Type: Bug Fix
Last Closed: 2014-07-18 01:50:43 EDT
Type: Bug
Attachments:
suggested patch (2.28 KB, patch), 2013-08-24 18:01 EDT, Matěj Cepl
build.log (9.96 KB, text/plain), 2013-09-07 16:22 EDT, Matěj Cepl
Adapted suggested patch (2.98 KB, patch), 2013-09-08 08:30 EDT, Robert Scheck

Description Matěj Cepl 2013-08-23 17:13:49 EDT
The situation has been described in bug 999953 comment 2 as follows:

> There is also lua-sec to think about. Upstream have forked lua-sec to support certificate authentication:
> 
> http://prosody.im/doc/depends/luasec/prosody
> 
> I haven't yet checked to see how much of their fork has been upstreamed to the original lua-sec.
> 
> After some brief testing, I'm pretty sure certificate authentication doesn't work 100% with the lua-sec in Fedora.

Which is lovely, because we have to decide what we should do with lua-sec in Fedora: either support Prosody 0.9, or strictly adhere to the lua-sec upstream and break Prosody.
Comment 1 Johan Cwiklinski 2013-08-23 17:35:43 EDT
Maybe I was a bit wrong on #999953, there were some recent commits on lua-sec upstream:
https://github.com/brunoos/luasec/commits/master

I'll be happy to update the package if that is relevant... But I do not know if it is.

I cannot find if Prosody changes have been proposed on lua-sec upstream; I did not have time to take a look at this for now (I should have more free time next week).

Maybe I should package the latest github lua-sec version for rawhide (probably not for now)?
I'll also try to make a diff between prosody's version and official one to see if changes were proposed or not.

It is not good that lua-sec partially forks lua-socket; a pull request has already been proposed and is waiting for an upstream decision:
https://github.com/brunoos/luasec/pull/5

I can try to include that patch in the package, but as it's not yet validated upstream, I'm really not sure it would be a good idea.
Comment 2 Matthew Wild (MattJ) 2013-08-24 06:33:24 EDT
Hi, Prosody developer here.

For the record, Prosody 0.9 works absolutely fine with older LuaSec (and LuaSocket) versions, it just means the new features will not be available. You may want to add a note about this in the default config around the s2s_secure_auth (enabling which will cause issues if certificate verification is not available) if you package 0.9 without a newer LuaSec.

Bruno pulled all our changes into https://github.com/brunoos/luasec/ recently, and it enables certificate verification in Prosody 0.9 (it is also backwards-compatible with Prosody 0.8, if that helps). There has been no source release yet, neither beta nor rc. The lack of a source release and delay in merging our code was the only reason for our "fork", and I expected it to become redundant as soon as the merge and release of the official LuaSec completed.
Comment 3 Matěj Cepl 2013-08-24 09:15:47 EDT
(In reply to Matthew Wild (MattJ) from comment #2)
> Bruno pulled all our changes into https://github.com/brunoos/luasec/
> recently, and it enables certificate verification in Prosody 0.9 (it is also
> backwards-compatible with Prosody 0.8, if that helps). There has been no
> source release yet, neither beta nor rc.

There is no problem for Fedora packages to package a checkout out of git. I will prepare a scratch build of such a package.
Comment 4 Johan Cwiklinski 2013-08-24 12:22:48 EDT
Packaging a git snapshot is indeed not a problem.

@Matthew: thank you for the details.

@Matěj, please keep me in touch :)
Comment 5 Matěj Cepl 2013-08-24 18:01:20 EDT
Created attachment 789947
suggested patch

(In reply to Johan Cwiklinski from comment #4)
> @Matěj, please keep me in touch :)

This should work, but it doesn't (http://koji.fedoraproject.org/koji/taskinfo?taskID=5850113 and particularly http://kojipkgs.fedoraproject.org//work/tasks/113/5850113/build.log). I am afraid we are missing EC ciphers in Fedora OpenSSL packages and it shows here.

Adding an OpenSSL maintainer to the bug to help us here.
Comment 6 Tomas Mraz 2013-08-26 04:40:37 EDT
Not much to add here - lua-sec must be able to build with OpenSSL that is built without EC crypto support.
Comment 7 Matěj Cepl 2013-09-07 16:22:34 EDT
Created attachment 795220
build.log

Just so it doesn't expire together with the scratch build.
Comment 8 Robert Scheck 2013-09-08 08:30:49 EDT
Created attachment 795332
Adapted suggested patch

Handle missing EC support in Fedora's somehow more (than others) crippled OpenSSL

Even though this patch solves the OpenSSL stuff, it still does not make lua-sec
build fully: "ssl.c:22:26: fatal error: luasocket/io.h: No such file or directory"
will be the next failure, which is IMHO not OpenSSL related at all.
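
The requirement raised in comments 6 and 8, that lua-sec must build against an OpenSSL without EC support, can be checked against the headers before a build. The script below is an added example, not part of the bug report, the attached patches or lua-sec; it assumes the OpenSSL build marks compiled-out features with `OPENSSL_NO_EC*` macros in its `opensslconf.h`, and the function names and sample headers are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the bug report or from lua-sec.
# Assumption: the OpenSSL build marks compiled-out EC features with
# OPENSSL_NO_EC* macros in opensslconf.h. Function names are hypothetical.

# Print every OPENSSL_NO_EC* macro that header file $1 defines, one per line.
ec_macros_disabled() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\(OPENSSL_NO_EC[A-Z0-9_]*\).*/\1/p' "$1" | sort -u
}

# Classify header $1: "ec-disabled" when OPENSSL_NO_EC or OPENSSL_NO_ECDH is
# defined (EC code paths must be compiled out), otherwise "ec-available".
ec_build_status() {
    if ec_macros_disabled "$1" | grep -qx -e OPENSSL_NO_EC -e OPENSSL_NO_ECDH; then
        echo ec-disabled
    else
        echo ec-available
    fi
}

# Constructed sample headers (not copied from any real OpenSSL package).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/no_ec.h" <<'EOF'
#ifndef OPENSSL_NO_EC
# define OPENSSL_NO_EC
#endif
#ifndef OPENSSL_NO_ECDH
# define OPENSSL_NO_ECDH
#endif
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
#if defined(OPENSSL_NO_EC) && !defined(NO_EC)
# define NO_EC
#endif
EOF

cat > "$SAMPLE_DIR/with_ec.h" <<'EOF'
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
EOF

for h in "$SAMPLE_DIR/no_ec.h" "$SAMPLE_DIR/with_ec.h"; do
    printf '%s: %s\n' "${h##*/}" "$(ec_build_status "$h")"
done
```

Pointing `ec_build_status` at the `opensslconf.h` the build will actually include shows whether the EC code paths need the kind of preprocessor guards the adapted patch is described as adding.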
Comment 9 Robert Scheck 2013-09-08 09:03:05 EDT
Uah! As far as I get, lua-sec bundles lua-socket on the source code level in
the directory src/luasocket. This is triggered via -DWITH_LUASOCKET in Makefile.
Comment 10 Robert Scheck 2014-04-21 14:06:01 EDT
Matěj, Johan - how is this going to continue? Any ideas regarding bundled
lua-socket?
Comment 11 Jan Kaluža 2014-05-14 09:11:22 EDT
Talked with Prosody upstream, luasec-0.5 is OK for Prosody. I'm updating to luasec-0.5 in Fedora rawhide and will update in F20 after a while too.

I'm also building lua-sec-compat package which is built against compat-lua. This will allow using lua-sec in luajit and fix Prosody in Fedora eventually :).

http://pkgs.fedoraproject.org/cgit/lua-sec.git/commit/?id=0135cebba097c9a81792aac468d4859066e965ec
Comment 12 Fedora Update System 2015-04-18 09:07:38 EDT
lua-sec-0.5-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/lua-sec-0.5-3.fc20
Comment 13 Fedora Update System 2015-05-10 19:50:51 EDT
lua-sec-0.5-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
