Bug 1672088 - perl-Mojolicious version clash with perl-IO-Socket-SSL
Summary: perl-Mojolicious version clash with perl-IO-Socket-SSL
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: perl-Mojolicious
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Emmanuel Seyman
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-03 18:42 UTC by Jonathan Larmour
Modified: 2019-04-01 00:37 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-04-01 00:37:57 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jonathan Larmour 2019-02-03 18:42:34 UTC 
Description of problem:

The perl-Mojolicious module was updated recently from v7.67 to v7.94. As can be seen in /usr/share/perl5/vendor_perl/Mojo/IOLoop/TLS.pm (near the top) there is a fixed dependency there on 2.009+ of IO::Socket::SSL. However the current IO::Socket::SSL shipped in Enterprise Linux is still 1.94 (which is what perl-Mojolicious v7.67 wanted).

So either perl-Mojolicious should be downgraded (bad) or perl-IO-Socket-SSL should be upgraded (better), but at the moment the two modules are incompatible and anything using them fails instantly so something needs doing somewhere.

Version-Release number of selected component (if applicable):

perl-Mojolicious-7.94-1.el7.noarch
perl-IO-Socket-SSL-1.94-7.el7.noarch

How reproducible:

100% with anything using TLS with Mojolicious

Steps to Reproduce:

It's easiest to prove it just by looking in the files:

/usr/share/perl5/vendor_perl/Mojo/IOLoop/TLS.pm has this on line 29:
  return $self->emit(error => 'IO::Socket::SSL 2.009+ required for TLS support')
Comment 1 Petr Pisar 2019-02-04 10:10:18 UTC 
The only relevant change in IO::Socket::SSL 2.009 is ALPN support. Indeed Mojo/IOLoop/TLS.pm sets SSL_alpn_protocols attribute, but I cannot see a reason why Mojolicious could not work without ALPN. At the end it's only a hint to clients and Mojolicous has to check what requests clients send to it regardless what it advertised in the ALPN. Moreover a proper way of checking ALPN support is calling IO::Socket::SSL->can_alpn(), not comparing IO::Socket::SSL module version. I believe the IO::Socket::SSL version check should be removed from the Mojolious code.
Comment 2 Emmanuel Seyman 2019-02-05 07:04:29 UTC 
I pointed this bug out on Freenode/#mojo and got the following response:

12:51 < eseyman> FYI, https://bugzilla.redhat.com/show_bug.cgi?id=1672088
12:58 < kraih> hahaha, yea, good luck with that proposal!
13:01 < kraih> there's been security relevant changes in IO::Socket::SSL that we now rely on, we will never downgrade that dependency

Given that perl-IO-Socket-SSL in RHEL has several backported security fixes, I'm tempted to do what Petr suggests.
Comment 3 Fedora Update System 2019-03-03 21:05:46 UTC 
perl-Mojolicious-7.94-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-da670fdaf9
Comment 4 Fedora Update System 2019-03-04 01:50:34 UTC 
perl-Mojolicious-7.94-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-da670fdaf9
Comment 5 Emmanuel Seyman 2019-03-22 07:17:32 UTC 
Jonathan, I'ld really appreciate if you could give us some feedback before I push this off to stable.

Does this work for you? Are you able to use TLS with Mojolicious?
Comment 6 Fedora Update System 2019-04-01 00:37:57 UTC 
perl-Mojolicious-7.94-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.