mark old ca-certs as unavailable (test cases fail on modern Linux systems) #24462
It looks like only the tests fail. Shouldn’t only the tests be removed in that case? What is the underlying reason for the failures?
The underlying reason is how the package and the tests are achieved:
now, different OS add and remove trust anchors, the world moves forward, Google replaces their certificate chain, etc. and it turns out that more and more Linux distributions do not support the certificate chains Google presented in 2020 ;) Looking at the library ca-certs and its commits, I do not see much value in keeping old versions thereof alive/installable. But of course, if you insist to "remove the tests", I'm happy to obey. Should such a removal be guarded by specific distributions, or entirely?
A much better test would be to use network access and test whether "using the current trust anchors, can we establish TLS connections to various endpoints" -- but here the opam sandbox prevents us from doing that.
The only possible problem with making them unavailable is that packages that formerly compiled with an old OCaml (e.g. 4.07) will no longer compile as the newer version has newer dependencies. If the problem is just the tests failing, as opposed to the builds failing, another option is to mark them with an
True. I'm sorry for those stuck on such an old compiler. My lifetime is limited, and I won't deal with such an old compiler anyways.
Does
If you have an old compiler or want to install old software, why not use an old checkout of opam-repository? I honestly don't see the value of that.
So far we decided to stick with the current policy and keep the old package available. To clean the CI, I have disabled the opam tests (they can still be run manually, of course).
as observed in #24461 they fail on alpine and debian 12 systems. better mark them unavailable -- 0.2.3 is still present and works fine on these systems :)