macOS Ruby 2.7 - built with OpenSSL 1.0.2t 10 Sep 2019
Closed this issue · 18 comments
Long story how I noticed it. As you may recall, macOS Ruby 2.4, 2.5 & 2.6 are built with 1.1.1.
On https://github.com/ruby/setup-ruby/runs/1215483945 you mean?
Compare to 2.6 using 1.1.1:
https://github.com/ruby/setup-ruby/runs/1215483918
I guess that's the OpenSSL version available on macos-latest on GHA, it's weird it changed though.
The 2.7.2 builds were done using ruby-install --no-install-deps in ruby/ruby-builder@2f5047a
so they should simply use whatever system OpenSSL is available.
ruby-install does $(brew --prefix openssl)
https://github.com/postmodern/ruby-install/blob/c339bf6ca481ec6fac7fd18ec537f46bed0d1ec5/share/ruby-install/ruby/functions.sh#L24
and that resolved to /usr/local/opt/openssl@1.0.2t/include in https://github.com/ruby/ruby-builder/runs/1200377717#step:11:1759
And unfortunately the 2.6 build log is unavailable:
https://github.com/ruby/ruby-builder/runs/549854743?check_suite_focus=true
But it seems it was 1.1.1 and we can check RbConfig::CONFIG['CPPFLAGS'] to know.
Sorry. Late last night, I forgot to trap for OpenSSL version in some debug code, and 2.7 threw an error.
I'll see if I can show the info using a repo that reports OS info on Actions.
I added openssl version to the workflow, and both macOS show 1.0.2. I just noticed that Ubuntu 16.04 is using 1.1.0.
https://github.com/MSP-Greg/actions-image-testing/actions/runs/324303731
Edit: Do you use macOS? Is 1.0.2 the default? IDK...
No, I'm not a macOS user (anymore). The system openssl is typically so broken and old that it's unusable. So people often get a decent openssl from Homebrew or macPorts.
And I suspect Homebrew changed the meaning of the openssl formula between openssl@1.0 and openssl@1.1 back and forth, or their update system messed it up, because it seems common to have this issue (not just here).
https://github.com/ruby/setup-ruby/runs/1298366745#step:8:37 and
https://github.com/ruby/setup-ruby/runs/1298366757#step:8:37
are the proof that $(brew --prefix openssl) changed (used here):
2.6.6:
"configure_args"=>
" '--prefix=/Users/runner/.rubies/ruby-2.6.6' '--with-opt-dir=/usr/local/opt/openssl@1.1:/usr/local/opt/readline:/usr/local/opt/libyaml:/usr/local/opt/gdbm' '--enable-shared' '--disable-install-doc' 'CPPFLAGS=-DENABLE_PATH_CHECK=0'",
2.7.2:
"configure_args"=>
" '--prefix=/Users/runner/.rubies/ruby-2.7.2' '--with-opt-dir=/usr/local/opt/openssl@1.0.2t:/usr/local/opt/readline:/usr/local/opt/libyaml:/usr/local/opt/gdbm' '--enable-shared' '--disable-install-doc' 'CPPFLAGS=-DENABLE_PATH_CHECK=0'",
brew's openssl should nowadays be 1.1:
https://github.com/Homebrew/homebrew-core/blob/master/Aliases/openssl
https://formulae.brew.sh/formula/openssl@1.1
But it used to be 1.0:
Homebrew/homebrew-core@0349a7c
So on GHA it went back when building 2.7?
It's still your fault.
Ok, just kidding. Problem is, most people will assume it's ruby/setup-ruby...
We should fix it, yes.
Not clear how to do that yet, since $(brew --prefix openssl) behaves unexpectedly on GHA.
I'll run that now to see what it gives today.
The macOS mess is not my fault though :p
The macOS mess is not my fault though
I know. Similar to the reason I went crazy on ruby-loco testing, because there's too many upstream things that can break it...
We should fix it, yes.
I'm pretty macOS challenged. Or, the time it would take you to fix it is probably 10% of the time it would take me...
https://github.com/eregon/setup-ruby-test/runs/1298933056?check_suite_focus=true
It seems highly inconsistent:
Run brew --prefix openssl
/usr/local/opt/openssl@1.0.2t
Run brew info openssl
openssl@1.1: stable 1.1.1h (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
https://openssl.org/
/usr/local/Cellar/openssl/1.0.2t (1,787 files, 12.4MB)
Built from source on 2020-10-17 at 21:36:12
/usr/local/Cellar/openssl@1.1/1.1.1h (8,067 files, 18.5MB)
Poured from bottle on 2020-10-17 at 21:19:02
Run brew info openssl@1.1
openssl@1.1: stable 1.1.1h (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
https://openssl.org/
/usr/local/Cellar/openssl/1.0.2t (1,787 files, 12.4MB)
Built from source on 2020-10-17 at 21:36:12
/usr/local/Cellar/openssl@1.1/1.1.1h (8,067 files, 18.5MB)
Poured from bottle on 2020-10-17 at 21:19:02
...
So both are installed. openssl is supposed to refer to 1.1 but brew --prefix openssl gives 1.0.2.
I think that's either a virtual environments issue, or a Homebrew issue (or both).
Related PR and issue: actions/runner-images#1808 and actions/runner-images#1745
We should probably wait from a fix from that side.
@eregon , for now we have both openssl 1.0.2 and openssl 1.1 installed on image. As you correctly mentioned, brew --prefix openssl returns 1.0.2 because it is set by default.
We are planning to remove openssl 1.0.2 from images in a couple of weeks and set 1.1 as default (actions/runner-images#1808)
During testing these changes, we have faced with an issue that Python has started to fail to install because initially Python was built under brew --prefix openssl but this PR changes it from 1.0.2 to 1.1.
So we have to rebuild all Python versions with explicit openssl 1.1 before merging the PR: https://github.com/actions/python-versions/pull/58/files#diff-789043c7be9380abcab0e813c662811c774fba8b191fe128f2f39698df13937eL43
I guess you might need something similar.
@maxim-lobanov Yes, I'll rebuild the Ruby builds on macOS once that change is done.
To avoid downtime, I think first the default should be changed to 1.1.
Then I can do the rebuilds easily.
And then later 1.0.2 can be removed.
@maxim-lobanov Yes, I'll rebuild the Ruby builds on macOS once that change is done.
To avoid downtime, I think first the default should be changed to 1.1.
Then I can do the rebuilds easily.
And then later 1.0.2 can be removed.
Sure, I think we can do that in two steps
This will be fixed by using builds from https://github.com/ruby/ruby-builder/releases/tag/toolcache, see #98 (comment)
So actually the default OpenSSL version on macOS no longer matters for ruby-builder (but it might in the future if we decide to reuse Homebrew's OpenSSL).
Good to know, thanks!
We are planning to switch default openssl 1.1 and remove 1.0.2 next week